

Archive: January 2002 ml@sikurezza.org
Subject: Fwd: Re: Announcing a new DNS server implementation
From: Marco Bettini
Date: 10 Jan 2002 23:59:50 -0000


	Hello everyone, I'm taking this mail as an opportunity to wish you all a happy new year; this morning I received
a mail from the djbdns mailing list and I must admit I was disconcerted by what I read... I wouldn't want people
to start suffering from delusions of omnipotence! What do you think?
	Which will be better, BIND or djbdns?

	BIND is coming out of a long via crucis of bugs
	djbdns is not widely used...

I installed djb's dnsserver and I think it's secure and fast, but the
configuration is a real pain; BIND is fairly simple to
configure, but up to version 8 you had to keep an eye on the announcements daily :)

I'd like to have a general opinion on the two systems (of course
I don't have as much experience as most of you)

----------  Forwarded Message  ----------
Subject: Re: Announcing a new DNS server implementation
Date: 10 Jan 2002 04:05:05 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com


bugtraq@artemas.reachin.com writes:
> First of all, BIND 9 is a complete rewrite of BIND, which, so far, has
> not had one security problem reported with it.

I have two questions. First, why has ISC reported all the crash-BIND-8
bugs on its ``BIND security'' page and in CERT advisories, but none of
the crash-BIND-9 bugs?

(The primary ``security'' mechanism in BIND 9 is a fragility mechanism:
BIND 9 commits suicide if it gets confused, or if you poke it sharply,
or if you simply think bad thoughts in its general direction. The BIND 9
change log is full of reports of easily triggered crashes.)

Second, how much money do I get from ISC if I look at the BIND 9 code
and find, for example, a bug letting attackers take over the server?

> This release has gone under months of testing by a volunteer crew, and
> I believe that we have most of the bugs ironed out.

I have three questions. First, what exactly do you mean by ``found some
security problems'' in your change log for 0.8.99? Why doesn't the
change log explain exactly what the problem is and what its impact is?

Second, how much money do I get from you if I look at your code and
find, for example, a bug letting attackers take over the server?

Third, bottom line: How serious are you about security? I don't just
mean chroot and stralloc. I don't just mean ``strive to be secure.'' And
I certainly don't mean Microsoft's ``we'll try but we guarantee you that
we'll fail.'' _Will_ your software be secure?

---Dan

P.S. I also have a question for the bugtraq moderators. You regularly
accept BIND 9 advertisements from the BIND authors, and you've accepted
this MaraDNS advertisement from the MaraDNS author. Why did you reject
http://cr.yp.to/djbdns/bugtraq/20010201072942-22539-qmail@cr-yp-to,
specifically the final paragraph about djbdns, as ``marketing''?

-------------------------------------------------------

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
