Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results. The bug in the Berkeley Internet Name Domain program surfaces only when the DNSSEC security implementation is enabled and the name server …
"Rare but remote" ???
Bind has suffered heaps of exploits of various sorts over the years. I'm with DJB, it's a pile of steaming poo, even if he is an opinionated old git.
I'd agree with DJB more if he didn't have to rewrite syslog to implement a good dns server.
"and the name server accepts queries from the internet at large, a designation known as recursive"
A DNS server is not recursive if it accepts queries from the internet.
It's recursive if it tries to resolve queries for domains it's not authoratative for, by passing those queries on to the actual authoratative servers (those listed in the NS records for the domain) and then passes the reply back to the client.
So if your DNS server is the NS server for "theregister.co.uk", then it will resolve things like www.theregister.co.uk to an IP, if queried.
If it's recursive, and you ask it for the IP of www.google.com, your DNS server will query googles DNS servers, and return the IP it gets back to you. If it's not recursive and you ask for www.google.com, it will respond that it has no record of that name.
It's got nothing to do with accepting queries from the internet, a DNS server on a LAN can be recursive or not, depending on what you need to achieve.
- SMASH the Bash bug! Red Hat, Apple scramble for patch batches
- A BENDY iPhone 6, you say? Pah, warp claims are bent out of shape: Consumer Reports
- eXpat Files 'Could we please not have naked developers running around the office BEFORE 10pm?'
- CoTW Emma Watson should SHUT UP, all this abuse is HER OWN FAULT
- Vulture at the Wheel Renault Twingo: Small, sporty(ish), safe ... and it's a BACK-ENDER