BIND Patches Make Bad Situation Worse 280
An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started
creating patches to various pieces of software to circumvent this. It was
said that this was a grave problem to the internet. Several official BIND
patches were
announced over the next few days. However, it turns out they weren't necessarily
too well thought through. Usage of the patch unexpectedly
broke at least 7 Top Level Domains, ISC announced 3 weeks later, after
users
started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Comittee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but...
Stability? Anyone?"
There are two features (Score:4, Insightful)
The second feature is much more dangerous because you have to explicitly mark the TLD zones which contain records which aren't delegations--all other zones are assumed to be delegation-only. Some zones have lots of in-zone A and/or MX records (DE, for example), so you have to do some research before you can enable this feature.
If the second feature is incorrectly configured, there will be some local disruption of service. While it might contribute slightly to the instability of the Internet, it's just a localized configuration error (mind that BIND doesn't even have a default for the configuration option), and it's not comparable to what VeriSign did on a global scale.
ISC at fault? Not likely. (Score:3, Insightful)
Re:Not ISC's fault (Score:3, Insightful)
The problem is that some TLDs do more than just delegation. The article mentioned the .name domain specifically.
The problem with the BIND patch arose when people implemeting the patch decided to not allow wildcarding on all TLDs. If you used the patch to only set .com/.net to delegate-only, there wasn't a problem. If you also set .name to delegate-only, then you would have a problem with stuff in the .name domain.
For those who didn't install the patch and start using the delegate-only options, BIND doesn't automatically start enforcing a delegate-only on all TLDs. The TLDs which you want to be delegate-only have to be specified in the config file. To undo VeriSign's wildcard behavior, one would only want to set the delegate-only option on the .com and .net domains. Other TLDs had been doing wildcards prior to VeriSign's actions, and, indeed, some TLDs relied on wildcarding for some things to work. Unilaterally stopping all TLDs from doing more than delegating would break things.
BIND considered harmful (Score:3, Insightful)
And every time, someone comes back and says no, it's really fixed this time, it's really finally stable, the developers really are both concerned and competent.
I no longer bother replying anymore. Usually CERT does it for me.
BIND must go. The only thing it does reliably is diminish the credibility of open source. (And make sendmail look good by comparison, which is no mean feat, either.)
Re:Not ISC's fault (Score:3, Insightful)
If anything, the rest of the blame for this part of the fiasco lies with the DNS admins at the TLDs concerned that took so long to realise that they were doing wildcarding and raise this issue with ISC. Or any of the other DNS vendors that provided a similar workaround for that matter. Still, at least I know some more TLD operators to avoid registering domains with now...
Not safe to install patches? (Score:3, Insightful)
Hypocrits. (Score:3, Insightful)
How many times has slashdot bitched and moaned about a certain unnamed corporation doing something similar.
Some people say "this could have been avoided if your named.conf was written properly." Yes, and most viruses and worms could be prevented if people would patch their desktops.
So what we have:
A patch that caused a lot of problems.
Users that could have prevented the problem if they had known better.
Sounds a lot like the kind of users all you eleet unix junkies diss on so often.