Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
The Internet

BIND Patches Make Bad Situation Worse 280

Posted by CmdrTaco from the screwing-with-the-infrastructure dept.
An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started creating patches to various pieces of software to circumvent this. It was said that this was a grave problem to the internet. Several official BIND patches were announced over the next few days. However, it turns out they weren't necessarily too well thought through. Usage of the patch unexpectedly broke at least 7 Top Level Domains, ISC announced 3 weeks later, after users started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Comittee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but... Stability? Anyone?"
This discussion has been archived. No new comments can be posted.

BIND Patches Make Bad Situation Worse More

BIND Patches Make Bad Situation Worse

Comments Filter:

  • There are two features (Score:4, Insightful)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Wednesday October 15, 2003 @02:19PM (#7221892) Homepage
    The first feature (which is the one that was implemented initially) supports marking selected zones as delegation-only. This is safe, as long as VeriSign doesn't rush ahead and offers a special DNS service (with alleged super-high reliability) which involves A records directly in the COM and NET zones.

    The second feature is much more dangerous because you have to explicitly mark the TLD zones which contain records which aren't delegations--all other zones are assumed to be delegation-only. Some zones have lots of in-zone A and/or MX records (DE, for example), so you have to do some research before you can enable this feature.

    If the second feature is incorrectly configured, there will be some local disruption of service. While it might contribute slightly to the instability of the Internet, it's just a localized configuration error (mind that BIND doesn't even have a default for the configuration option), and it's not comparable to what VeriSign did on a global scale.

  • ISC at fault? Not likely. (Score:3, Insightful)

    by samj ( 115984 ) * <samj@samj.net> on Wednesday October 15, 2003 @02:34PM (#7222070) Homepage
    I find it strange that I be coming to the aid of the authors of BIND as a loyal djbdns user, but in this case I strongly believe it is Verisign who are to be hung, drawn and quartered over this one. The ISC were merely attempting to meet the needs of their customers. I haven't looked at why this caused breakage yet, but I wonder how much of it is related to poor configuration of the other domains? I wonder also how difficult it would be to modify the patch to sanitise only .com and .net domains? Not quite as clean, but better than, say, filtering IP numbers!

  • Re:Not ISC's fault (Score:3, Insightful)

    by rufey ( 683902 ) on Wednesday October 15, 2003 @02:45PM (#7222186)
    I don't necessarily think that it is a bug in the BIND patches, nor with VeriSign. Its more a configuration issue with BIND.

    The problem is that some TLDs do more than just delegation. The article mentioned the .name domain specifically.

    The problem with the BIND patch arose when people implemeting the patch decided to not allow wildcarding on all TLDs. If you used the patch to only set .com/.net to delegate-only, there wasn't a problem. If you also set .name to delegate-only, then you would have a problem with stuff in the .name domain.

    For those who didn't install the patch and start using the delegate-only options, BIND doesn't automatically start enforcing a delegate-only on all TLDs. The TLDs which you want to be delegate-only have to be specified in the config file. To undo VeriSign's wildcard behavior, one would only want to set the delegate-only option on the .com and .net domains. Other TLDs had been doing wildcards prior to VeriSign's actions, and, indeed, some TLDs relied on wildcarding for some things to work. Unilaterally stopping all TLDs from doing more than delegating would break things.

  • BIND considered harmful (Score:3, Insightful)

    by Angst Badger ( 8636 ) on Wednesday October 15, 2003 @02:54PM (#7222302)
    You know, every time this buggy, insecure, over-complicated sack of crap is the source of a security hole, I make a post here to the effect that BIND is a buggy, insecure, over-complicated sack of crap and that its maintainers evidently lack either the will or the ability to fix it, and that there is more than one good alternative, including, but not limited to, djbdns.

    And every time, someone comes back and says no, it's really fixed this time, it's really finally stable, the developers really are both concerned and competent.

    I no longer bother replying anymore. Usually CERT does it for me.

    BIND must go. The only thing it does reliably is diminish the credibility of open source. (And make sendmail look good by comparison, which is no mean feat, either.)

  • Re:Not ISC's fault (Score:3, Insightful)

    by Zocalo ( 252965 ) on Wednesday October 15, 2003 @03:17PM (#7222525) Homepage
    *What* bugs are there in BIND due to the anti-wildcarding of DNS patches? ISC's patch provides two ways of approaching the problem; either prevent wildcarding of specific TLDs or globally ban wildcarding of TLDs and provide an exception list. Both approaches work fine, provided that the DNS admins that implement them take the time to understand the implications and approach the patch with caution instead of a jerking knee. It also clearly stated in the release notes with the patches what the issues were and that there were exceptions such as .de, .museum and several others.

    If anything, the rest of the blame for this part of the fiasco lies with the DNS admins at the TLDs concerned that took so long to realise that they were doing wildcarding and raise this issue with ISC. Or any of the other DNS vendors that provided a similar workaround for that matter. Still, at least I know some more TLD operators to avoid registering domains with now...

  • Not safe to install patches? (Score:3, Insightful)

    by dirk ( 87083 ) <dirk@one.net> on Wednesday October 15, 2003 @03:20PM (#7222551) Homepage
    People are always saying it isn't safe to install MS patches because they break things, but this case surely shows that it can happen in any OS or any environment (closed and open). Where are all the people screaming about how people shouldn't install patches until they have been out at least 6 months like they do with MS patches? And doesn't this make OSS patches as dangerous, since they obviously aren't being tested?

  • Hypocrits. (Score:3, Insightful)

    by zapp ( 201236 ) on Wednesday October 15, 2003 @03:27PM (#7222618)
    Wow, so the open source community released a patch that wasn't well tested, that caused problems, and probably cost some people a bit of money.

    How many times has slashdot bitched and moaned about a certain unnamed corporation doing something similar.

    Some people say "this could have been avoided if your named.conf was written properly." Yes, and most viruses and worms could be prevented if people would patch their desktops.

    So what we have:
    A patch that caused a lot of problems.
    Users that could have prevented the problem if they had known better.

    Sounds a lot like the kind of users all you eleet unix junkies diss on so often.

Slashdot Top Deals

The faster I go, the behinder I get. -- Lewis Carroll

Close