Firewall Wizards mailing list archives
RE: Does blocking TCP DNS packets keep your Bind safe?
From: Todd <todd () unm edu>
Date: Thu, 15 Mar 2001 21:39:46 -0700 (MST)
rip, all,

bind9 just isn't secure. i'm sorry, but it isn't. i appreciate the sentiment that comes with "we shipped junk for years but now we've really fixed it", but bind version 9 has already had more than one security vulnerability. see, for example:

http://www.sans.org/newlook/digests/SAC/tool.htm
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D161399
http://cr.yp.to/djbdns/ad/unbind.html

there are also several significant security problems noted in the bind9 CHANGES file, indicating that bind is not the solution to all problems. in particular, bind9 has had instances of crashing when port scanned and overwriting existing zone files by mistake. while i agree that bind9 is an improvement, it's obviously not a solution for the incoming traffic problem.

i would agree with darren: C is a hard language to code securely in. i would disagree with darren, though, that djbdns is somehow lacking in functionality. the "richness" that he cites is part of the problem. i'm not afraid of sendmail.cf, either--i'm afraid of any MTA that has to implement its own rewrite language just to function. if we want secure programs we need small, single-function programs that are auditable, simple and cleanly written. i simply don't understand why 'richness' is an advantage in implementations of relatively simple network protocols that absolutely *have* to be secure.

djbdns is one example of software that is simple, fast and secure. dan bernstein writes software in small, understandable bundles. i would agree that they are sometimes tough to migrate to (especially when you've gotten used to 'rich' software that does everything under the sun and just happens to crash often or give up root to remote users occasionally).

comments about features and feature flexibility from security professionals concern me. i certainly can't write secure code in C. it's obvious that most people can't. Dan Bernstein seems to be able to. i think we should take his software more seriously.

todd.

On Thu, 15 Mar 2001, Loomis, Rip wrote:
> Date: Thu, 15 Mar 2001 18:37:33 -0500
> From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
> To: firewall-wizards () nfr net
> Cc: todd () unm edu
> Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?
>
> Ladies and Gentlemen:
>
> ISC has *not* "proven that they are incapable of secure coding". BIND 8.latest and *all* versions of BIND prior to BIND 9 are a conglomeration of contributed code which just kept adding problems onto an original graduate student weekend hack. I respect Paul Vixie and the folks who have kept BIND going up to this point a *lot*, but the bottom line is that the code has...issues. Most of the recent BIND vulnerabilities have been related to the proof-of-concept DNSSEC code that was added into BIND 8, which perhaps didn't get enough review before its inclusion.
>
> The fix, however, is in general *not* to run djb's latest DNS server which implements only those standards which he personally believes in, any more than sendmail was made obsolete by qmail. qmail is a great solution for a lot of people, but I personally use postfix or postfix-tls on all of our systems...because djb makes decisions based on his knowledge and experience which are *not* correct in my environment. postfix on the other hand allows me to migrate from sendmail to something which is flexible yet supports certain essential security functions, and for which I have much higher confidence in the codebase (with due respect to Eric Allman and the sendmail crew).
>
> So what's the fix for DNS? Run BIND 9. The only reason it's still called BIND is because the organizations that funded the development had agreed to fund "the next version of BIND"...but BIND 9 is a complete rewrite from scratch to match the existing RFCs and APIs...including programming by contract, regression testing, and good software engineering.
>
> I'm sure that there will be issues and bugs with BIND 9 as there are with any large and capable piece of software, but tarring BIND 9 with the "BIND is insecure" brush is unfair and implies that people haven't done their homework. Meanwhile, djbdns or whatever it's called today doesn't support DNSSEC and doesn't look likely to...and I don't agree with djb's opinion that DNSSEC is pointless. I will therefore continue to test and field BIND 9. And yes, we're going to field it chroot'd and running as a non-root user.
>
> Rip Loomis
> Voice Number: (410) 953-6874
> --------------------------------------------------------
> Senior Security Engineer
> Center for Information Security Technology
> Science Applications International Corporation
> http://www.cist.saic.com