Date: Tue, 15 May 2001 12:48:25 +0200
From: Brad Knowles <brad.knowles@skynet.be>
To: Kris Kennaway <kris@obsecurity.org>, Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: chat@FreeBSD.ORG
Subject: Re: onitoring named
Message-ID: <p0510031fb726b8fba3e5@[194.78.241.123]>
In-Reply-To: <20010514223516.B95997@xor.obsecurity.org>
References: <20010514222845.C95631@xor.obsecurity.org> <00a401c0dd00$647372c0$1401a8c0@tedm.placo.com> <20010514223516.B95997@xor.obsecurity.org>

At 10:35 PM -0700 5/14/01, Kris Kennaway wrote:
>> :-) No, they will just find yet another hole then and the merry go
>> round will start all over again. What man can lock, man can unlock.
>
> Perhaps. That doesn't affect the logic of the argument I presented to
> you.
The advantage of using BIND version 9 is that the playing field
has been completely changed. BINDv9 is much more paranoid about
checking all of its inputs at every possible stage, and if they
aren't what it would expect, then it dies and errors out. This puts
a great deal of pressure on the programmers to make sure that they
properly sanitize everything and eliminate all possible ways to make
the code insecure, because they don't want copies of BIND crashing
all over the world and bringing down DNS for the entire Internet.
This makes it much, much more difficult to subvert BINDv9 than
earlier versions, and with the problems of malloc() having been
located in BIND 9.1 by Rick Jones, improvements are underway with 9.2
that should make it as fast or faster than any other nameserver on
the planet (on the same hardware). Moreover, it should also be as
secure or more secure than any other nameserver on the planet, and
that should pretty much end the discussion on this topic.
--
Brad Knowles, <brad.knowles@skynet.be>
/* efdtt.c Author: Charles M. Hannum <root@ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
