DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Loomis, Rip rescue at sunhelp.org
Fri May 25 16:08:13 CDT 2001


I think this horse is almost dead but I can't leave
well enough alone...

> 	2. as of BIND-8 ("vixie-bind") there have been relatively few
>            vulnerabilities of any kind

Agree with this statement.

Before anyone argues strenuously about this, please
note that almost every BIND vulnerability since 8.1.2
has been due to flaws in the DNSSEC code--which was
a bolted-on proof-of-concept, and which Paul Vixie
has stated will be removed in 8.3.  Even if you *want*
(or need) DNSSEC, the 8.x implementation is incomplete
and/or wrong in several places--the only thing that
appears to work "correctly" is TSIG.  BIND 9 is where
it's at for DNSSEC.

> 	3. since BIND-8 there's been no excuse for running named as root
>            and therefore all system compromises as a result of BIND are
>            in fact the likely responsibility of the vendor and/or the
>            local and ignorant administrator

The only exception/comment is if you have interfaces that
go up and down--with root privs BIND can attach (bind) to
the new interfaces on its own as it sees them, but without
root privs you need to stop and restart BIND.

Note that few root/TLD servers run BIND with root privileges
for this reason...but many home users (esp. Linux/Solaris)
have dynamic IPs and may still choose to run it as root...
or better yet put something in the ppp-up/ppp-down scripts
to restart it.  (If I ever get a chance I'm going to
submit a patch to Debian to fix this--last time I checked
all their BIND packages still ran as root...)

> 	4. BIND-9 doesn't have a line of Vixie's code in it (well that
>            may be a slight exaggeration, but it's not far from the truth)

Actually it's completely true to the best of my knowledge.
The developers (now Nominum) did pick Paul's brain, but he
didn't write any of the code.

> 	5. BIND-9 is not, IMHO, yet ready for production use

Yep...it's getting there, though.  Subject to completion of
about another month's worth of tests, I expect at least one
TLD to transition over to 9.1.x sometime around August.
(was that vague enough?)

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com (Transcript 1923411)
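The post's point 3 is that there has been no excuse for running named as root since BIND 8. The check below is an added example, not part of the original message or of any BIND distribution: a small POSIX shell audit that reads `ps -eo user,pid,args` output and reports any named process still owned by root (the `-u named` invocation shown in the constructed sample is the standard BIND option for dropping privileges after startup; the sample ps lines themselves are made up for the example).

```shell
#!/bin/sh
# Added example (not from the original post): flag named processes that
# are still running as root. Input is assumed to be the output of
# `ps -eo user,pid,args`, one process per line (header line optional).

# Print the PID of every process whose owner is root and whose
# command is named (with or without a leading path).
named_root_pids() {
    awk '$1 == "root" && $3 ~ /(^|\/)named$/ { print $2 }'
}

# Read ps output on stdin. Return 0 when no named runs as root,
# 1 otherwise, with the offending PID(s) reported on stderr.
audit_named_user() {
    pids=$(named_root_pids)
    if [ -n "$pids" ]; then
        echo "named running as root, pid(s): $pids" >&2
        return 1
    fi
    echo "ok: no named process owned by root"
    return 0
}

# Constructed sample (not captured from a real host): one named started
# without -u, one that has dropped privileges to the 'named' user.
SAMPLE_PS='USER       PID   COMMAND
root         1 /sbin/init
root       812 /usr/sbin/named
named      913 /usr/sbin/named -u named'

# Stand-alone run against the constructed sample; on a live host use:
#   ps -eo user,pid,args | audit_named_user
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | audit_named_user
fi
```

The hook the post suggests for dynamic interfaces (restarting the non-root named from the ppp-up/ppp-down scripts) would simply pipe a live `ps` listing through `audit_named_user` after the restart, so the cure does not quietly reintroduce a root-owned named.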