About DNS (BIND) with Database

Len Conrad LConrad at Go2France.com
Thu Nov 20 09:30:48 PST 2003


>My apologies if this thread has hit a nerve, I wasn't picking at anyone. I'm
>just giving my point of view.

And I was giving you mine on your FUD.

>The history may be old in terms of computing, but I wonder how many
>vulnerable systems are still out there?

But at this point, running a vulnerable BIND 2 or 3+ years old is not 
really BIND's fault, nor a reason to recommend against running current 
BIND8, and esp. BIND9, which has NO history of (exploited) vulnerabilities.

>System admins that may not even know how to upgrade or even know that the 
>vulns exist.

Then they aren't "sys admins", but jerks.

>Plus http://www.isc.org/products/BIND/bind-security.html isn't a very good
>track record is it?

The charter of ISC is to implement ALL of the RFCs for DNS in BIND8 and 9, 
so as the RFCs move along, so does BIND, with inevitable bugs. Fixing of 
the infrequent problems has been extremely fast over the past 3 years.

Other DNS software can cherry pick the DNS features they want to (or can) 
implement and blow off the rest, or push some political agenda.

>If people want to use bind or any other package, they do so at their choice.
>I'm just saying in my opinion I think there are better alternatives.

Nothing wrong with that, but your reason against choosing BIND, an old 
security record, was wrong.

>If you're happy using bind, use bind. If you're happy with windows 95, use
>it.

Thanks, great advice, the list is grateful.

And, if you're happy recommending _against_ something, do it accurately. 
Trotting out 3+ year old CERT/SANS advisories as reasons for not using 
current software is BS.

Len


_____________________________________________________________________
http://MenAndMice.com/DNS-training: Atlanta; Orlando; San Jose
IMGate.MEIway.com: anti-spam gateway, effective on 1000's of sites, free



More information about the freebsd-isp mailing list