Bind DNS resolver purged of critical DoS bug

Makers of the internet's most widely used domain name resolution software have patched a vulnerability that allowed attackers to crash many systems that run the program. By querying a domain with large resource record sets (or RRsets) and trying to negatively cache a response, attackers can cause the Bind server to crash. The …

COMMENTS

This topic is closed for new posts.
WTF?

In a Bind

Bind - possibly one of the most bug-ridden pieces of software ever written. It's not even doing anything particularly difficult, for goodness' sake!

And yet, everyone STILL uses it! Arrrggghghhhhhhh!!!!

1
9
Stop

That's hardly constructive.

If you know about DNS, tell us what they should be using instead.

7
0

bind is buggiest?

Are you sure that honor doesn't go to sendmail?

4
1
Happy

@nyelvmark

That's easy! nsd & unbound. They are light years ahead of crappy BIND!

0
1
Gold badge

Re: sendmail

He said "one of" the buggiest. But since you've mentioned it, yes, sendmail had a poor reputation. Then people got fed up and started writing alternatives. They were better, and now sendmail is better too. That doesn't seem to have happened with BIND, which is odd, because DNS is *much* simpler than SMTP.

0
0

Title:DateTime:Dataformat:Data

On the server and cache side a whole lot of people are using DJB and PowerDNS instead. Not so sure about client resolvers, then again, most clients are Windows computers on the Internet.

The ISC makes big bloated software with odd data formats. Big + Complex = security flaws.

0
0
Boffin

DNS is *NOT much* simpler than SMTP

have you ever read the specs for these protocols or implemented them?

an existence proof: telnet to port 25 and deliver an email message. now telnet to port 53 and do a dns query/response transaction.

oh, let's not forget the mind boggling complexity of secure dns or internationalised domain names. these are probably the most complex network protocols paris hilton has invented for us.

0
0
FAIL

how much is a whole lot?

> a whole lot of people are using DJB and PowerDNS instead

Depends on your definition of "a whole lot". These two implementations have a *tiny* installed base and handle an insignificant percentage of the world's DNS queries.

See http://dns.measurement-factory.com/surveys/201010

This survey suggests that there were 30-100 times as many BIND installations as DJBDNS, depending on how you measure things. I'm guessing that PowerDNS had a footprint that was too small to be observed for one of their sampling exercises.

0
0
Gold badge
Happy

@Ken Hagan

"That doesn't seem to have happened with BIND, which is odd, because DNS is *much* simpler than SMTP."

But simpler -> No sense of *challenge* improving it -> no kudos when you do.

0
0
Anonymous Coward

apt-get upgrade

Bind already updated in Debian.

http://www.debian.org/security/2011/dsa-2244

I love Debian, me.

0
1