Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results. The bug in the Berkeley Internet Name Domain program surfaces only when the DNSSEC security implementation is enabled and the name server …
"Rare but remote" ???
Bind has suffered heaps of exploits of various sorts over the years. I'm with DJB, it's a pile of steaming poo, even if he is an opinionated old git.
I'd agree with DJB more if he didn't have to rewrite syslog to implement a good dns server.
"and the name server accepts queries from the internet at large, a designation known as recursive"
A DNS server is not recursive if it accepts queries from the internet.
It's recursive if it tries to resolve queries for domains it's not authoratative for, by passing those queries on to the actual authoratative servers (those listed in the NS records for the domain) and then passes the reply back to the client.
So if your DNS server is the NS server for "theregister.co.uk", then it will resolve things like www.theregister.co.uk to an IP, if queried.
If it's recursive, and you ask it for the IP of www.google.com, your DNS server will query googles DNS servers, and return the IP it gets back to you. If it's not recursive and you ask for www.google.com, it will respond that it has no record of that name.
It's got nothing to do with accepting queries from the internet, a DNS server on a LAN can be recursive or not, depending on what you need to achieve.
- IT bloke publishes comprehensive maps of CALL CENTRE menu HELL
- Analysis Who is the mystery sixth member of LulzSec?
- Comment Congress: It's not the Glass that's scary - It's the GOOGLE
- Analysis Hey, Teflon Ballmer. Look, isn't it time? You know, time to quit?
- Murdoch Facebook gloat: You're like my $580m, 'CRAPPY' MySpace