comp.lang.ada
From: Florian Weimer <fw@deneb.enyo.de>
Subject: Re: BIND
Date: Sun, 25 Apr 2004 23:43:08 +0200
Message-ID: <87brlfhgyb.fsf@deneb.enyo.de>
In-Reply-To: 87llkjhm4o.fsf@insalien.org

Ludovic Brenta <ludovic.brenta@insalien.org> writes:

> Bugs in BIND that nobody cares to fix because of design problems or
> source code that is too difficult to read and debug.

The BIND 9 source code isn't too bad, actually.

> Common knowledge that BIND is so insecure that nobody but the most
> inexperienced sysadmins will run it outside a chroot jail.

BIND 9 is quite okay.  Keep in mind that so far, no buffer overflow
bug has been discovered in BIND 9 proper.  Compare that to the
GNAT run-time library. 8-/

> Concerns with the long-term security threats posed by BIND's
> inherent problems, as well as the monoculture associated with BIND.

There isn't quite a monoculture; BIND 8 and 9 are very different
beasts.  However, you really shouldn't run BIND 8.

You can use RIPE nsd for authoritative servers, if you want.  It's
also much smaller and aims at bug-for-bug compatibility with BIND 8.

BIND 9 on full resolvers is very hard to replace with anything else,
though.

> Heck, I don't even _need_ a reason why I should write a program, if
> it's free software and if I do it on my spare time.  My reason is:
> Just to have fun, okay?

Writing a BIND replacement is not fun.  Maybe writing a DNS server,
but certainly not a BIND replacement.

> 60 kSLOC is not large, and it can be done by a single person (BIND was
> indeed written mostly by a single person)

Which one of the BINDs?  BIND 9 had a team of several developers
working full time on it, IIRC.

I'd rather see an industry-strength Ada implementation of TLS and
X.509.  Right now, the OpenSSL monoculture worries me far more than
BIND.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net,
postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.


