Subject: Re: BIND
To: NetBSD Networking Technical Discussion List <tech-net@NetBSD.ORG>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: tech-net
Date: 11/13/2002 15:36:55
On Tue, Nov 12, 2002 at 05:56:13PM -0500, Greg A. Woods wrote:
> [ On Tuesday, November 12, 2002 at 13:59:25 (-0800), Jon Buller wrote: ]
> > Subject: BIND
> >
> > After seeing the new BIND vulnerabilities, I'm curious to know if
> > there is a reason our in-tree version is 8 and hasn't been upgraded
> > to 9.
> >
> > Are we still waiting for all the bugs to be shaken out of the new
> > BIND codebase? Is there some other upgrade problem or difficulty?
> > Or is it just lack of volunteer time/effort?
>
> I don't know about BIND-9 vs. NetBSD, but I do know that BIND-9 isn't
> quite up to par with BIND-8 for the very purposes it's being suggested
> (i.e. to run as a recursive caching server). It lacks a range of
> related features that I find critical in a production environment. I'll
> probably soon put it into production on some auth-only non-recursive
> nameservers though.
The other thing being that /etc/rc.d/named makes it trivially easy to run
named in a chroot cage as named:named, which colours the risk "It is then
possible to execute code with the privileges of named".
Cheers,
Patrick
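As an added example that is not part of this thread: a small POSIX sh check that the named command line actually carries the unprivileged user (`-u`) and chroot directory (`-t`) that the rc.d setup described above is meant to provide. The function name and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Check that a named invocation (as it appears in `ps -axww` output) is both
# unprivileged and chrooted. BIND 8 named takes "-u <user>" and "-t <dir>".
# Returns 0 when both are present and sane, 1 otherwise (reasons go to stderr).
# Assumes the paths on the command line contain no whitespace.
named_is_confined() {
    user=""
    chrootdir=""
    set -- $1            # split the command line into words (constructed input)
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) user="${2:-}"; shift ;;
            -t) chrootdir="${2:-}"; shift ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    rc=0
    # Missing "-u", or "-u root", means a compromise runs with root privileges.
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "named runs as root (no usable -u <user>)" >&2
        rc=1
    fi
    # Missing "-t", or "-t /", means the process is not confined to a cage.
    if [ -z "$chrootdir" ] || [ "$chrootdir" = "/" ]; then
        echo "named is not chrooted (no usable -t <dir>)" >&2
        rc=1
    fi
    return $rc
}

# On a live NetBSD host, the first running named could be checked with:
#   named_is_confined "$(ps -axww -o command | grep '^[/a-z]*named' | head -1)"
```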