Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results. The bug in the Berkeley Internet Name Domain program surfaces only when the DNSSEC security implementation is enabled and the name server …
"Rare but remote" ???
Bind has suffered heaps of exploits of various sorts over the years. I'm with DJB, it's a pile of steaming poo, even if he is an opinionated old git.
I'd agree with DJB more if he didn't have to rewrite syslog to implement a good dns server.
"and the name server accepts queries from the internet at large, a designation known as recursive"
A DNS server is not recursive if it accepts queries from the internet.
It's recursive if it tries to resolve queries for domains it's not authoratative for, by passing those queries on to the actual authoratative servers (those listed in the NS records for the domain) and then passes the reply back to the client.
So if your DNS server is the NS server for "theregister.co.uk", then it will resolve things like www.theregister.co.uk to an IP, if queried.
If it's recursive, and you ask it for the IP of www.google.com, your DNS server will query googles DNS servers, and return the IP it gets back to you. If it's not recursive and you ask for www.google.com, it will respond that it has no record of that name.
It's got nothing to do with accepting queries from the internet, a DNS server on a LAN can be recursive or not, depending on what you need to achieve.
- Apple's spamtastic iBeacon retail alerts launch with Frisco FAIL
- Submerged Navy submarine successfully launches drone from missile tubes
- Cache in the Attic El Reg's contraptions confessional no.2: Tablet PC, CRT screen and more
- Developer unleashes bowel-shaking KILLER APP for Google Glass
- Pix Astroboffins spot HOT, YOUNG GIANT where she doesn't belong