From: Florian Weimer
Newsgroups: comp.lang.ada
Subject: Re: BIND
Date: Sun, 25 Apr 2004 23:43:08 +0200
Message-ID: <87brlfhgyb.fsf@deneb.enyo.de>
References: <87llkjhm4o.fsf@insalien.org>

Ludovic Brenta writes:

> Bugs in BIND that nobody cares to fix because of design problems or
> source code that is too difficult to read and debug.

The BIND 9 source code isn't too bad, actually.

> Common knowledge that BIND is so insecure that nobody but the most
> inexperienced sysadmins will run it outside a chroot jail.

BIND 9 is quite okay. Keep in mind that so far, no buffer overflow bug
has been discovered in BIND 9 proper. Compare that to the GNAT
run-time library. 8-/

> Concerns with the long-term security threats posed by BIND's
> inherent problems, as well as the monoculture associated with BIND.

There isn't quite a monoculture, BIND 8 and 9 are very different
beasts. However, you really shouldn't run BIND 8.

You can use RIPE nsd for authoritative servers, if you want. It's also
much smaller and aims at bug-for-bug compatibility with BIND 8. BIND 9
on full resolvers is very hard to replace with anything else, though.

> Heck, I don't even _need_ a reason why I should write a program, if
> it's free software and if I do it on my spare time. My reason is:
> Just to have fun, okay?

Writing a BIND replacement is not fun. Maybe writing a DNS server, but
certainly not a BIND replacement.

> 60 kSLOC is not large, and it can be done by a single person (BIND was
> indeed written mostly by a single person)

Which one of the BINDs? BIND 9 had a team of several developers working
full time on it, IIRC.

I'd rather see an industry-strength Ada implementation of TLS and X.509.
Right now, the OpenSSL monoculture worries me far more than BIND.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net,
postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.