Date: Wed, 31 Jan 2001 20:03:38 -0600 (CST)
From: Mike Silbersack
To: Matt Dillon
Cc: Chris Johnson, Przemyslaw Frasunek, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <200102010154.f111sYE23275@earth.backplane.com>

On Wed, 31 Jan 2001, Matt Dillon wrote:

> :Yes! Why work around BIND limitations and do all this sandboxing to try to
> :limit the damage it can do to you, when there's a better alternative?
> :
> :Chris
>
> Yah, that's the ticket... kinda like wu-ftpd was created because existing
> ftpd's weren't up to snuff, except wu-ftpd turned out to have literally
> dozens of rootable exploits.
>
> Just because BIND's loopholes are advertised doesn't mean that other
> DNS servers don't have loopholes. While I agree that some of the newer
> ones almost certainly have *fewer* rootable loopholes, maybe, I don't
> see them as improving my risk factors much.
>
> -Matt

Heh, that's what I said to myself after 8.2.2-P5 came out, so I stopped
using djbdns and switched back to bind. After the recent batch of BIND
bugs, I've learned my lesson.

I guess I should give BIND 9 a chance, though. After all, all the
important holes in BIND have been parts of the dnssec code, not parts of
the core BIND functionality.

Mike "Silby" Silbersack