Date:      Fri, 13 Apr 2001 02:24:46 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Dag-Erling Smorgrav <des@thinksec.com>
Cc:        sthaug@nethelp.no, Mark.Andrews@nominum.com, freebsd-security@freebsd.org
Subject:   Re: bind hack?
Message-ID:  <20010413022446.B18721@mail.webmonster.de>
In-Reply-To: <xzpofu2890j.fsf@aes.thinksec.com>; from des@thinksec.com on Thu, Apr 12, 2001 at 04:53:16PM +0200
References:  <20010412145353.E90025@mail.webmonster.de> <3894.987080227@verdi.nethelp.no> <20010412151456.H90025@mail.webmonster.de> <xzpofu2890j.fsf@aes.thinksec.com>

Dag-Erling Smorgrav(des@thinksec.com)@2001.04.12 16:53:16 +0000:
> "Karsten W. Rohrbach" <karsten@rohrbach.de> writes:
> > sthaug@nethelp.no(sthaug@nethelp.no)@2001.04.12 14:57:07 +0000:
> > > Telling *Mark Andrews* to "upgrade to djbdns"? That's one of the best laughs
> > > I've had this Easter...
> > [...] if it runs, don't touch it. if it screws all the time, try to
> > upgrade to a newer version. if newer versions suck all time, replace
> > subsystem with a different one. the "then write one yourself"
> > section is omitted here [...]
> 
> Oh, but you *shouldn't* omit the "then write one yourself" section.
> That's what Mark does.  He writes BIND 9.  Happy Easter!
the "then write one yourself" section is meant totally reflexive.
as i said, due to the "standardization process" for dns, the related
rfcs as documentation and therefore basis for design it is a shitload
of work to get a running (in means of operational _and_ interoperable)
dns server software developed, tested and finally deployed.

i got no problem at all with people designing their daemon stuff the way
they think it would become a stable and useable piece of software that
fits for heavy duty server systems. but as there are more and more
alternatives to bind, every administrator has the choice. the design
behind bind is very complex and so is the software. the more complex you
get, the more likely become all the little bugs in there. that's the way
i think about software design in general. i like lightweight
implementations which are easily extendable - that's all.

i must admit that i did not have the time to look into the sources
of 9.x, but 8.younameit is a pretty pain to read and understand.
therefore this is not a prank - or how you call it - against bind9.
i already read some of the papers and reports about 9.x and it sounds
promising.

to get one thing straight - my post was a bit harsh, but buffer
overflows and other flora and fauna a sysadmin has to cope with all day
also originate from a distribution-centric monoculture of preinstalled
and bundled software. it is not much different from the microsoft
security dilemma since this monoculture defines the standard. this does
not mean that deviation from standards is good or bad, but with more
variety in server software implementations in general the internet will
just be a little bit happier. different design approaches lead to a
phase where people try and gather experience. these experiences could be
and most times actually _are_ thrown together to build a better piece of
software, more stable, more secure. and this is the point that
differentiates the open source community from big os companies.
one thing i can not understand about the opensource os community is, why
there are tight bindings between several packages and a distribution.
why not let the users/admins choose (well some admins do, i hope) before
or while installing/upgrading what server subsystems to install? why is
sendmail the standard mta on *bsd, why is bind the standard dns server
on *bsd, why are they in the main distribution? they could be packages.
the part of bind that is needed for operation of a simple unix box is
the resolver. email-wise there could be a dumbfire local delivery mta. in
my opinion an os distribution should be a solid basis to deploy server
subsystems on, be it a bind or djbdns, be it sendmail or qmail or even
smail, be it a fully blown apache server or just a boa or publicfile
httpd. the choice should be the one of the admin installing the box, and
i think that it is a bad thing to remove the remnants of the software
installed by default to get rid of suid binaries or rogue dotfiles and
so on.

one last word concerning djb... he might lack social competence and he
might act strange sometimes, but what he has to say is often true. i can
not understand why many of his concerns are not taken seriously since
they could be taken as valuable input to improve existent
implementations of server software. (no i do not want to start a djb 
thread out of this now, these are just my $.02).

further discussion via pm. i would not like this thread to become a
dennis@etinc.com one.

happy easter
/k

-- 
> What do you want to re-install today?
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
