From owner-freebsd-chat  Sun Feb  4  7:15:16 2001
Delivered-To: freebsd-chat@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
	by hub.freebsd.org (Postfix) with ESMTP id 15E7F37B401
	for <freebsd-chat@FreeBSD.ORG>; Sun,  4 Feb 2001 07:14:58 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id IAA01543;
	Sun, 4 Feb 2001 08:14:43 -0700 (MST)
Message-Id: <4.3.2.7.2.20010204080917.049ecca0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sun, 04 Feb 2001 08:14:38 -0700
To: Rahul Siddharthan <rsidd@physics.iisc.ernet.in>
From: Brett Glass <brett@lariat.org>
Subject: Re: UNIX-like approach to software and system architecture
  (Was: D J Bernstein)
Cc: freebsd-chat@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20010203110403.048e78e0@localhost>
References: <20010203135902.M94275@lpt.ens.fr>
 <200102022245.PAA15968@usr08.primenet.com>
 <20010202140505.B91552@dogma.freebsd-uk.eu.org>
 <200102022245.PAA15968@usr08.primenet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Interestingly, Theo De Raadt also seems to agree that djb's approach to 
DNS daemons is more sensible and secure than ISC's. In his own words:

>ISC has been building a "one shoe fits all" DNS server, designed for 
>everything from small servers to root servers with the .com hierarchy on 
>them. Good security software has well constrained behaviours and small 
>subcomponents, so that unexpected results are minimized. BIND is not 
>written that way, and has hundreds of little features. It can be very 
>difficult to assure the quality of software designed to run in a wide 
>assortment of ways. None of the BIND implimentations has any of the 
>basic principles we see in great security software, and when we add in 
>the uniquitous and mono-cultured nature of it's deployment, the 
>discovery of a really nasty bug could hit really hard. Say, 
>I-LOVE-YOU.in-addr.arpa?
>
>We need more DNS server choices.

For the article in which he was quoted, see

http://securityportal.com/articles/chargingforsecurity20010201.html

--Brett




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message