RE: Does blocking TCP DNS packets keep your Bind safe?

[Todd <todd () unm edu>]

rip, all,

bind9 just isn't secure.  i'm sorry, but it isn't.  i appreciate the
sentiment that comes with "we shipped junk for years but now we've really
fixed it" sentiment, but bind version 9 has already had more than one
security vulnerability.  see, for example:

http://www.sans.org/newlook/digests/SAC/tool.htm
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D161399
http://cr.yp.to/djbdns/ad/unbind.html

there are also several significant security problems noted in the bind9
CHANGES file, indicating that bind is not the solution to all problems.
in particular, bind9 has had instances of crashing when port scanned and
overwriting existing zone files by mistake.

while i agree that bind9 is an improvement, it's obivously not a solution
for the incoming traffic problem.

i would agree with darren:  C is a hard language to code securely in.
i would disagree with darren, though, that djbdns is somehow lacking in
functionality. the "richness" that he cites is part of the problem.  i'm
not afraid of sendmail.cf, either--i'm afraid of any MTA that has to
implement its own rewrite language just to function.  if we want secure
programs we need small, single function programs that are auditable,
simple and cleanly written.  i simply don't understand why 'richness' is
an advantage in implementations of relatively simple network protocols
that absolutely *have* to be secure.

djbdns is one example of software that is simple, fast and secure.  dan
bernstein writes software in small, understandable bundles.  i would agree
that they are sometimes tough to migrate to (especially when you've gotten
used to 'rich' software that does everything under the sun and just
happens to crash often or give up root to remote users occassionally).

comments about features and feature flexibility from security
professionals concerns me.

i certainly can't write secure code in C.  it's obvious that most people
can't.  Dan Bernstein seems to be able to.  i think we should take his
software more seriously.

todd.

On Thu, 15 Mar 2001, Loomis, Rip wrote:

> Date: Thu, 15 Mar 2001 18:37:33 -0500
> From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
> To: firewall-wizards () nfr net
> Cc: todd () unm edu
> Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?
>
> Ladies and Gentlemen:
> ISC has *not* "proven that they are incapable
> of secure coding".  BIND 8.latest and *all*
> versions of BIND prior to BIND 9 are a conglomeration
> of contributed code which just kept adding problems
> onto an original graduate student weekend hack.
> I respect Paul Vixie and the folks who have kept
> BIND going up to this point a *lot*, but the bottom
> line is that the code has...issues.  Most of the
> recent BIND vulnerabilities have been related to
> the proof-of-concept DNSSEC code that was added
> into BIND 8, which perhaps didn't get enough review
> before its inclusion.
>
> The fix, however, is in general *not* to run djb's latest
> DNS server which implements only those standards which
> he personally believes in, any more than sendmail was
> made obsolete by qmail.  qmail is a great solution
> for a lot of people, but I personally use postfix
> or postfix-tls on all of our systems...because djb
> makes decisions based on his knowledge and experience
> which are *not* correct in my environment.  postfix
> on the other hand allows me to migrate from sendmail
> to something which is flexible yet supports certain
> essential security functions, and for which I have
> much higher confidence in the codebase (with due
> respect to Eric Allman and the sendmail crew).
>
> So what's the fix for DNS?  Run BIND 9.  The only
> reason it's still called BIND is because the organizations
> that funded the development had agreed to fund "the
> next version of BIND"...but BIND 9 is a complete
> rewrite from scratch to match the existing RFCs
> and APIs...including programming by contract, regression
> testing, and good software engineering.  I'm sure
> that there will be issues and bugs with BIND 9 as
> there are with any large and capable piece of software,
> but tarring BIND 9 with the "BIND is insecure" brush
> is unfair and implies that people haven't done their
> homework.  Meanwhile, djbdns or whatever it's called
> today doesn't support DNSSEC and doesn't look likely
> to...and I don't agree with djb's opinion that DNSSEC
> is pointless.  I will therefore continue to test and
> field BIND 9.
>
> And yes, we're going to field it chroot'd and running
> as a non-root user.
>
> Rip Loomis            Voice Number: (410) 953-6874
> --------------------------------------------------------
> Senior Security Engineer
> Center for Information Security Technology
> Science Applications International Corporation
> http://www.cist.saic.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards