nanog mailing list archives

Re: Curing the BIND pain


From: "Nathan J. Mehl" <memory-nanog () blank org>
Date: Thu, 27 Mar 2003 09:24:56 -0500


In the immortal words of Michael.Dillon () radianz com (Michael.Dillon () radianz com):

I suggest that an appropriate technique would be for the BIND server to
originate traffic on its local subnet that would look suspicious and
possibly trigger intrusion alarms.

Good lord.

I'm a little stuck for a proper analogy for this.  A car that
"helpfully" starts emitting noxious smoke to let you know that it's
time for a tune-up?  A refrigerator that drips bleach into your
vegetable drawers to remind you to replace the coolant?  An answering
machine that replaces the outgoing message with a stream of
profanities to alert callers that the incoming message tape is full?

If people are so concerned about BIND's security that they're willing
to seriously consider implementing ideas like this, why are they not
willing to either consider replacing BIND with DNS software that is
secure by design (*cough* *cough*), or paying the ISC to produce a
properly secured BIND?  

The solution to the Ford Pinto problem was not to recommend that
people duct-tape sofa cushions and homemade warning lights to the back
bumper.

-n

------------------------------------------------------------<memory () blank org>
"Thus do `Snuff Movies' take their place with `Political-Correctness,' `Sex 
Addiction,' and `Postmodernism' as Godzillas of bogus moral panic, always 
threatening to crush the nation in their jaws, but never quite willing to take 
the final step of biting down.                                (--www.suck.com)
<http://blank.org/memory/>----------------------------------------------------

