Makers of the internet's most widely used domain name resolution software have patched a vulnerability that allowed attackers to crash many systems that run the program. By querying a domain with large resource record sets (or RRsets) and trying to negatively cache a response, attackers can cause the Bind server to crash. The …
In a Bind
Bind - possibly one of the most bug-ridden pieces of software ever written. It's not even doing anything particularly difficult for goodness sake!
And yet, everyone STILL uses it! Arrrggghghhhhhhh!!!!
That's hardly constructive.
If you know about DNS, tell us what they should be using instead.
bind is buggiest?
Are you sure that honor doesn't go to sendmail?
That's easy! nsd & unbound. They are lightyears ahead of crappy BIND!
He said "one of" the buggiest. But since you've mentioned it, yes, sendmail had a poor reputation. Then people got fed up and started writing alternatives. They were better, and now sendmail is better too. That doesn't seem to have happened with BIND, which is odd, because DNS is *much* simpler than SMTP.
On the server and cache side a whole lot of people are using DJB and PowerDNS instead. Not so sure about client resolvers; then again, most clients on the Internet are Windows computers.
The ISC makes big bloated software with odd data formats. Big + Complex = security flaws.
DNS is *NOT much* simpler than SMTP
Have you ever read the specs for these protocols or implemented them?
An existence proof: telnet to port 25 and deliver an email message. Now telnet to port 53 and do a DNS query/response transaction.
Oh, let's not forget the mind-boggling complexity of secure DNS or internationalised domain names. These are probably the most complex network protocols Paris Hilton has invented for us.
how much is a whole lot?
> a whole lot of people are using DJB and PowerDNS instead
Depends on your definition of "a whole lot". These two implementations have a *tiny* installed base and handle an insignificant percentage of the world's DNS queries.
This survey suggests that there were 30-100 times as many BIND installations as DJBDNS, depending on how you measure things. I'm guessing that PowerDNS had a footprint that was too small to be observed for one of their sampling exercises.
"That doesn't seem to have happened with BIND, which is odd, because DNS is *much* simpler than SMTP."
But simpler -> No sense of *challenge* improving it -> no kudos when you do.
Bind already updated in Debian.
I love Debian, me.