Open Source and information security mailing list archives
Message-ID: <3DDA1F32.BC6D7EAF@wretched.demon.co.uk>
From: Simon at wretched.demon.co.uk (Simon Waters)
Subject: Re: Bind 8 patches available

> > 8.3.3-REL:  c,e,f,h

> That might explain why there isn't a whole new version, although it is
> interesting that none are running BIND 9, not even the "f" name server which
> is hosted by ISC itself.

F is now running 9.2.2rc1 (at least from here), looks like we
will be getting a proliferation of F's in future, all part of
Paul's plan to take over the world I suspect.

> Can anyone have much confidence in a company that doesn't eat its own
> dogfood?

It is complicated: ISC don't run the root servers, only F AFAIK.
Hell, I think Verisign still run one, although it was "moved"
recently.

ISC write BIND 8, maintain BIND 4 and subcontract BIND 9
authorship to Nominum.

Version.bind queries to Nominum give Version of 99.314159... (is
that a pun I'm missing?)

authors.bind ;-) queries to Nominum name servers give "refused",
which is identical to behaviour of recent BIND 9 versions with a
"version" directive, although NOT unique to BIND 9. Older BIND
9's will report the authors list even if "version" is set to
give another result, so you can easily fingerprint stale
versions of BIND 9.

BIND 9 has much lower peak (~50%) throughput than BIND 8, at
least until and including 9.2.1, so it is not too surprising
root server operators choose BIND 8, they are one of the few
places where authoritative DNS load can't be handled by a ten
year old PC.

In this sense ISC and Nominum are apparently eating their own
dog food, guess if you serve several brands of dogfood, you can
only eat so much in one sitting, although my spaniel was always
keen to disprove this.

If you run BIND, you probably ought to be running 9.2.2rc1, much
as I hate release candidates. If you provide public
authoritative servers, you should have disabled recursion many
moons ago, and so the vulnerability SHOULD have been largely
academic.

Although there is the risk of corrupting private recursive
servers by sending trojan "packages", be they programs, webpages
or e-mails.
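
The version.bind / authors.bind check described in the message, as an added example that is not part of the original post: it encodes the CHAOS-class TXT queries and applies the stated rule to a server's pair of replies, for auditing name servers you operate. The helper names, the result labels (`older-bind9`, `refused`, `inconclusive`) and the reply contents are assumptions made for the illustration; the sample replies are constructed, not captured traffic.

```python
import struct

TXT, CH, REFUSED = 16, 3, 5  # RR type TXT, class CHAOS, rcode REFUSED

def build_query(name, qid=0x1234):
    """Encode a CHAOS-class TXT question, e.g. for version.bind."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return (struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack(">HH", TXT, CH))

def skip_name(msg, pos):
    """Step over a possibly compressed domain name; return the next offset."""
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_reply(msg):
    """Return (rcode, [TXT strings]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    pos, texts = 12, []
    for _ in range(qd):                  # skip the echoed question
        pos = skip_name(msg, pos) + 4
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        while rtype == TXT and rdata:    # TXT rdata: length-prefixed strings
            texts.append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))
            rdata = rdata[1 + rdata[0]:]
    return flags & 0x000F, texts

def make_reply(query, rcode, txts=()):
    """Build a constructed sample reply (not captured traffic)."""
    out = query[:2] + struct.pack(">HHHHH", 0x8000 | rcode, 1, len(txts), 0, 0)
    out += query[12:]
    for t in txts:
        rd = bytes([len(t)]) + t.encode()
        out += b"\xc0\x0c" + struct.pack(">HHIH", TXT, CH, 0, len(rd)) + rd
    return out

def classify(version_reply, authors_reply):
    """Apply the message's rule to one server's pair of replies."""
    _, version = parse_reply(version_reply)
    rcode, authors = parse_reply(authors_reply)
    if authors:                          # authors list leaks despite "version"
        return "older-bind9", version
    if rcode == REFUSED:                 # recent BIND 9 with "version"; not unique
        return "refused", version
    return "inconclusive", version
```

The bytes from `build_query` can be sent over UDP port 53 to a server you administer, and the two replies passed to `classify`.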
