gabriel rosenkoetter on Sun, 15 Sep 2002 21:03:17 -0400
On Sun, Sep 15, 2002 at 08:01:51PM -0400, Fred K Ollinger wrote:
> Well, I agree, that it must be good if it's more secure.

Well, designed with security in mind, whereas BIND 8 was not. That doesn't mean quite the same thing as "more secure", but it may imply a greater probability that BIND 9's more secure than 8.

> Bind was the second hardest thing that I set up. I hated it. I still hate
> it, so I don't see how any version of bind can make my life easier. :)

Well, things that were hard with BIND 8 (internal/external DNS for NAT'ed zones where some servers behind the NAT need to be accessible to some machines by private and to other machines by public addresses is the example I've run into most frequently) are (relatively) easy in BIND 9. If you don't do those things, then the features won't make anything *worse*. :^>

(Note, btw, that that same thing that's hard in BIND 8 and easy in BIND 9 is effectively impossible with, say, Microsoft's DNS. I think it's at least as hard with djbdns as BIND 8, if not more so, but I'm not very familiar with djbdns.)

If you want BIND 9 training, have a look at http://www.isc.org/services/training/. (Perhaps your employer would fork over for it?)

> I'm guessing you mean that if I actually knew what I was doing and I was
> managing a great number of IPs.

Or mashing more machines than you've got IP addresses, especially when there's dynamic assignment of IP addresses involved. Screams broadband to me. :^>

> I don't know. I was hoping you could help. The OpenBSD propaganda makes a
> good case on using the older version as they claim that bind 8 is not
> audited, but bind 4 was, and that there are no known holes in the version
> that they ship. I don't know enough about this to verify this, though.

Audited by them.

Now, I wouldn't say that the OpenBSD folks don't know what they're talking about (it wouldn't be true; and some of them are even nice people to boot!), but they've demonstrably made mistakes (cf, the re-introduction of the decade-plus-old ~-parsing bug in mail(1) when it lacks a tty, the bug that led to OpenSSH's rushed and hushed 3.4p1 release, so forth).

BIND 4 was designed well before we started distrusting everyone else on the Internet. That they audited speaks well for it over BIND 8, but it really doesn't say much for it over BIND 9, which was designed in the present climate. BIND 4 is *significantly* lacking in the features category compared to either of the later versions, too.

> > If nothing else, you can be sure that there are as-yet undiscovered
> > buffer overflows in BIND 8, and that those buffer overflows *will*
> > be discovered by malicious hackers, not benevolent ones.

> Now, you are being too pessimistic. :)

No, just historically accurate. :^>

> Ah, bind 8 is deprecated already. I didn't know. I'm glad someone is
> keeping us informed. :)

Heh. Thought that was vaguely common knowledge (cf, the language at the top of http://www.isc.org/products/BIND/bind8.html). It'd be kind of unfair to expect maintenance of BIND 8. Paul Vixie (who wrote most of it) has washed his hands of the affair (said as much to an auditorium of people, myself included, at LISA in New Orleans two years ago), and it's an intensely complicated system. Rooting out the bugs would *definitely* take longer than rewriting it right, especially considering the latter's already been done.

> Thanks, as usual, for the info.

No prob.

-- 
gabriel rosenkoetter
gr@eclipsed.net
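The internal/external DNS setup for a NAT'ed zone that the message above calls easy in BIND 9 is done with `view` statements. The following `named.conf` fragment is an added illustration, not configuration from the mailing list post or from ISC; the zone name `example.com`, the `192.168.10.0/24` inside network and the zone file paths are assumptions chosen for the example.

```conf
// Added example: split-horizon ("internal/external") DNS with BIND 9 views.
// Zone name, addresses and file paths are assumptions for illustration.

// Hosts that should receive the private (RFC 1918) addresses of the NAT'ed zone.
acl "internal-nets" {
    127.0.0.1;
    192.168.10.0/24;   // assumed network behind the NAT
};

options {
    directory "/var/named";
    allow-transfer { none; };   // no zone transfers to arbitrary clients in either view
};

// Views are tried in order and the first whose match-clients matches wins,
// so the restrictive internal view must precede the catch-all external one.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                       // inside hosts may use this server as resolver
    allow-recursion { "internal-nets"; };

    zone "example.com" {                 // assumed zone name
        type master;
        file "internal/db.example.com";  // A records carry 192.168.10.x addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // authoritative only: never an open resolver
    allow-recursion { none; };

    zone "example.com" {
        type master;
        file "external/db.example.com";  // same names, public (NAT) addresses only
    };
};
```

Both zone files hold the same names; only the address records differ, so inside hosts reach servers directly and outside hosts are given the public addresses the NAT exposes. Once any `view` is declared, every zone must live inside a view (named refuses a mix), and `named-checkconf` will flag that and other syntax problems before the server is reloaded. Keeping recursion off in the external view is the part a defender cares about most: it stops the public face of the server from being usable as an open resolver, independent of which addresses it hands out.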