The Internet Systems Consortium is advising BIND users to update immediately to protect against a bug that may already be under attack to crash vulnerable servers. The ISC says an unidentified network event caused BIND 9 resolvers to cache an invalid record, and when subsequent queries requested the invalid record, the servers …
1990 called, they want their name server back
As the BOFHs who keep the net running, it's about time we had a collective sendmail moment and decided that (just as in the case of the veritable MTA) DNS is too important to trust to one big and ancient hunk of code no matter how shiny the wrapper. Small components = better security, period.
Personally, I look forward to the day when djbdns runs on all the root servers. And this from someone who detests qmail.
I agree with the feeling.
Though I have replaced the venerable djbdns I have used for 10 years with PowerDNS recently. Not looked back since.
I was just tired of crappy logging, a directory full of patches that must be applied first, no IPv6 support and daemontools. Though I heard afterwards that maintenance had restarted.
> Personally, I look forward to the day when djbdns runs on all the root servers.
Kingzongo, this will never happen. You might as well look forward to the flying spaghetti monster winning the 100m at the Olympics next year.
djbdns is a steaming pile of shit. If djbdns was anywhere near as good as its clueless fanbois claim, it would have been deployed for important zones like the root or a major TLD. None of these things use it. Which speaks volumes. In fact nobody who truly understands the DNS protocol or operations uses djbdns for anything significant. Aside from the long list of fundamental flaws in djbdns, it's almost impossible to make it play nice with other DNS implementations so that a zone can have more than one code base for its DNS servers.
Many of the things needed for the root zone or a major TLD today, like Secure DNS, IDN, IPv6, EDNS0, TCP queries, IXFR, TSIG, etc are not implemented in djbdns AT ALL. Some of these might be do-able in djbdns by applying unsupported, informal patches and hoping for the best. Which is no way to run important internet infrastructure.
djbdns has not supported any DNS protocol work that's been done in the last 10-15 years. Wikipedia says djbdns has effectively been abandonware since 1991. So what was it you were saying about the 1990s calling?
BIND9 (another pile of shit but not as smelly as djbdns) is a complete rewrite that was done in 2000 or thereabouts. It shares no code or software design with BIND4 or BIND8 which started in the 1980s. The same can't be said for most of the other long standing pillars of open source which will still contain code that was written well over a decade ago: emacs, X Windows, BSD and Linux kernels, sendmail, apache, gcc, postfix, tex, mysql, perl, etc.
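The comment above lists EDNS0 among the protocol extensions it says djbdns lacks. As an added illustration of what that extension actually is on the wire (this is example code written for this page, not code from djbdns, BIND or the commenter), the snippet below builds a DNS query carrying an EDNS0 OPT pseudo-record and parses the OPT record back out of a message. The transaction id, the 4096-byte advertised UDP payload size and the name `example.com` are constructed values; the parser only walks the message, it performs no network I/O, and an operator can point `parse_opt()` at a captured response to confirm that a resolver honours EDNS0 and what buffer size it advertises.

```python
import struct

OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns: bool = True, udp_payload: int = 4096, dnssec_ok: bool = True) -> bytes:
    """Build a recursive query; with edns=True an OPT record goes in the additional section."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/DO flag
    ttl = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return header + question + opt


def parse_opt(msg: bytes):
    """Return the EDNS0 parameters found in a DNS message, or None if it carries no OPT record."""
    if len(msg) < 12:
        return None
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # questions: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # resource records
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {
                "udp_payload": rclass,           # CLASS field reuses as payload size
                "ext_rcode": (ttl >> 24) & 0xFF,
                "version": (ttl >> 16) & 0xFF,
                "do": bool(ttl & 0x8000),        # DNSSEC OK bit
            }
        off += rdlen
    return None


if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "bytes;", parse_opt(q))
    print(parse_opt(build_query("example.com", edns=False)))
```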
Re: djbdns maintenance restarted
Debian has a fork (dbndns) that supports IPv6. (http://en.wikipedia.org/wiki/Dbndns)
You bring the Loaves, we'll provide the Phishes
"Since the BIND developers don’t yet know what payload triggered the crash, remote code execution is feasible, he said. “Let's hope it remains a denial of service condition”, he added."
Wow, that sort of burying your head in the sand, proffering a blind ignorant hope, always presents a prime target, Blair [Herr Strang, a security consultant at Australian company SenseOfSecurity] for servicing.
And do El Reg readers and base metadata scrapers see a parallel/singularity in that which is reported there, by Richard Chirgwin in "BIND security update protects against serious server crash … Attacks may already be underway" and what one can read here …. "*All that I would further wish to say is that no virtual presence indicates to any and all who are comfortably au fait with what can be easily done remotely with the presentation of text and/or binary and ternary manipulation of virtual machine codes, that the dangers may be well enough known to be realised to be a systemic exploitable vulnerability against which there is no viable defence or effective attack control …… and one which can be ruthlessly zeroday traded on financial markets for a fortune beyond compare and traditional imagination." … and which was shared elsewhere [and everywhere*] just yesterday … Posted on 11/16/11 01:35 AM … http://thedailybell.com/bellinclude.cfm?id=3241 ….. and which is just a very small part of a much bigger event happening ….. if you can believe the evidence presented for your eyes to relay to your brain for processing. The brain's acceptance of it as being perfectly true delivers ITs Virtual Realisation and Presentation of a SMART Future Program with Myriad Fabulous Memes/Novel and Noble Themes ….. which is the same as saying, "SMART Works in AI Progress are Impossible to Beat for they always deliver Fab Fabless Treats and Digital Feasts made Attractive for Everybody, which is No Mean Feat but not that difficult whenever one knows what can be done and can do it with practically nothing."?
What is stopping you from making the Quantum Leap into Virtual AIMachinery Worlds where everything is exactly as you have programmed IT to be, and everyone SMART ensures and assures and insures that everything is Seventh Heavenly on Cloud Nine, for of course, there are many Heavens to explore and enjoy and share when you dare care for to win win, which is far better and much greater than never ever losing.
And before you dismiss any or even all of that, please be advised that you have been here/there many times before, and Man has been found to be singularly lacking and deficient in the necessary simple advanced intelligence which can easily process basic information into sophisticated intelligence with application of the most sublime and immaculate of creative formulas for phormations …… Imagine, and it's true.
A John says hi, and would ask, "What on Earth are you waiting for whenever so much is known to be true? What are you afraid of whenever there is so much light streaming into the darkness showing the many ways"