paul at iconoplex.co.uk
Tue Feb 12 11:13:14 GMT 2002
On Feb 12, Rik <freebsd-users at rikrose.net> wrote:
> BIND - Not exactly a great record, but acknowledged that does mean
> it's been reasonably well reviewed recently. It does, however take a
> lot of memory, and leaks it too, and crashes, and requires restarting.
It depends on what you mean by a 'great record'. OK, I have long held a
theory about vulns in daemons. If nobody uses them, you won't find many
vulns being posted to BUGTRAQ about them. When was the last time you saw a
remote exploit for Plan 9? Back in around '97-ish time there were hardly any
holes around in NT - not because NT wasn't full of holes (we know now that
it was) - but because no hacker/cracker/s-kiddie was interested in breaking
into NT boxes. Thus, no research. Thus, no holes found.
BIND and Sendmail have had many holes found in them because they are
normally found running on machines hackers/crackers/s-kiddies would love to
break into. You find a remote root vuln in Sendmail, then congratulations,
you've just taken over the Internet.
So, we have to ask why these tools are so popular? Big argument for them
being the longest around, and the default installs on most modern UNIXes and
of course they have faults (I prefer exim to sendmail etc.) but BIND is
ridiculously powerful. It's just nobody ever really uses its power. Memory
leaks are something I've noticed on high-load servers though. At least it's
not as broken as dig. :-)
> I kid you not. If you CD to a directory that doesn't exist, it *DOES*
> *NOT* *FAIL* until you try to do something else. What the *hell* is he
If it can't handle that, you're expecting it to be written with good
security in place? Are you insane? Actually there is a security argument as
to why it should be written to behave in that manner, but that's another
> I'm going to do a clean-room implementation of a DNS server (well, set
> of servers, really), in the same style as djbdns, but with a better
> interface, and a more understandable config file (DJB's config files are
> not the easiest in the world. You can learn them, but they're not fun).
> I don't know when, but I'm going to, just so people don't need to cope
> with publicfile, and other DJB quirks. I have other projects to do first.
Funnily enough, two years ago my project list looked like this:
- Lots of other stuff that I won't post here
- Decent open RADIUS server
- Decent DNS server that is relatively sane and is configurable like exim
- Decent FTP server that is configurable a bit like exim
I like exim. :-)
Anyway, the other stuff at the top of the list got in the way, but it now
looks like I might have some spare time coming up in the next few months.
The RADIUS server has been done through XTRadius, so no need for me to play
there unless I get bored. The DNS server and FTP server are still there, and
I still want to play with them because I want to get more familiar with
their RFCs. So, if you're looking to do this as a joint effort, give me a
shout. I'll be at the next Manchester BSD UG meet at a guess.
However, you may not want a co-designer/developer, as often with projects
like these, the ideas become like children... :-)
More information about the Ukfreebsd