Vixie And Others On Members-Only BIND Info 118
Pac writes: "ISC suggestion of a new 'members-only' security information list for BIND has been the topic of the week over the Internet security community. Kurt Seifried has interviewed Paul Vixie, head of ISC, about the announcement for SecurityPortal. The article includes some (not very suporting) comments from Bugtraq users, including Vincent Danen's (from MandrakeSoft) and Theo de Raadt's (from the OpenBSD project)." If joining the program already in progress, you may want to take this as a chaser to the BIND vulnerabilities and members-only BIND info stories of a few days ago.
Re:Who uses BIND? (Score:1)
In a similar vein, bum tires are of iterest primarily to car mechanics and other "car geeks" who will be upgrading the tires, but users of the cars should be aware of the problem as well.
Granted, they don't have to study the matter in the detail a hacker would a Bugtraq memo on the inner workings of a forged BIND exploit, or the chemistry as to why the tires suck... just enough to know that there is a problem and that they probably should contact their admins to see what is being done.
Re:Time for djbdns... (Score:2)
Looks like it's time to replace BIND with djbdns [cr.yp.to]
Funny you should say that - after reading about the BIND priesthood's latest moves I decided to do exactly that. The man's a pain in the rear sometimes but over the years I've learned that his software works, and works well.
djbdns takes an entirely different approach to DNS serving, breaking the problem apart into completely separate components which are addressed by completely separate programs. This takes some getting used to, and it's not always immediately apparent how you can address every esoteric situation that you could with BIND's kitchen-sink approach (mainly because the different programs can't, of course, share port 53). Plus, you have to tread down the slippery slope of DJB replacements for a score of core system services - inetd, init, and so on. But so far I've got DNS servers running in 1/5 the memory footprint, serving queries about 10% faster, from a source that history suggests is all-but-guaranteed to be free of security problems.
Up to now, I hadn't even considered replacing BIND with anything else - just salivating hungrily when new versions came out, in hopes that they might actually run for more than a month or two without an urgent security upgrade. I guess it seemed somehow easier to use the same package everyone else did, if only because experts and books are easy to come by. But now that their long-awaited conclusive answer to the constant plague of security problems is to formally and officially sweep them under the rug, it looked like time to hitch my wagon to a new star. Obviously the underlying problem is not getting solved anytime soon.
Re:Why does bind run as root? (Score:1)
'man named':
-u user_name
and:
[mark@hubcap mark]$ ps aux | grep namednamed 403 0.0 4.5 2776 1268 ? S 10:09 0:00 named -u named
Bind has been able to run as a non-root user for ages now, certainly over a year.
Re:security through obscurity? (Score:1)
----
You use BIND. (Score:1)
Re:No real explanation of fees (Score:3)
Is there anything he can do? BIND being BSD-licensed, anyone can just slap a GPL on it, call in OpenBind or GnuBind or GnuDNS and that's about it. At the VERY worst, maybe it'd be required to show a message like "this software contains code (c) blahblah". Correct me if I'm wrong, but I'm pretty sure I'm not.
(*sigh*) I wish DJB wouldn't be so anal about his licensing (forced install locations? Sheesh!) I administered qmail, and it rocks. I bet djbdns is just as well-done.
Re:Fucking ORBS? (Score:1)
Re:IT'S NOT A SAFE (Score:1)
Considering vehicle weight, probably better to overinflate slightly rather than underinflate slightly. If the goons in the tire shop know that, then maybe everybody is a tad safer.
Re:Fucking ORBS? (Score:2)
Get a clue.
My postman doesn't make me sit there and open all my mail. I don't get deluged with 20-30 pieces of junk every day on paper. What the postman brings isn't going to expand exponentially because the sender pays to have it sent, whereas spam is paid for by ripping people off. My bandwidth is used up when POP3 downloads the junk before I get to see it. Bogus subjects mean sometimes people click on it to read it anyway so just clicking delete still means time wasted.
And yes there is a way to stop telemarketing and I've done it already. And there is a way to stop SPAM and congress doesn't even need to get involved. You just hate it because we cut off so many of your relays.
You know, while we're at it... (Score:1)
Re:Time for djbdns... (Score:1)
Suppose you were choosing which of two cars to buy. One model has a history of catastrophic brake problems, and on two recent occasions has been recalled after negative press following bouts of spectacular fatal collisions. (For the sake of argument, assume the two models are comparable in other respects.)
Do you (A) buy the model with dodgy brakes, but install a better airbag and seatbelt and write a will; or (B) buy the other one instead, possibly installing the safety equipment anyway?
Private access to CVS pool (Score:1)
From the article:
Features and benefits of "bind-members" status will include:
1. Private access to the CVS pool where bind4, bind8 and bind9 live
It's hard to know for sure, but that seems to be exactly what the article's saying.
Re:Who uses BIND? (Score:2)
But to who? Not my box. Just the DNS server (one would assume, if the ISP was running only the DNS on that server).
I don't think this hack can trace back through my ISP's DNS, find my machine, and hack into it.
Re:Time for djbdns... (Score:1)
Why in the heck do sendmail and BIND keep appearing together in these messages? They were not written by the same person.
maru
Re:Time for djbdns... (Score:1)
I wasn't referring to a remote-root exploit. The recently announced BIND exploits that are the whole topic of discussion are not remote root either (at least not on a properly-configured BIND installation).
maru
Re:Code fork or replacement coming... (Score:1)
If ISC doesn't back off, we're soon gonna have OpenBind.
This is probably the best thing that can happen. Actually, it usually takes one good kick in the teeth for us to realise that what we are using is a lump of crap and we'd better do something about it. I am so fed up of bind. Hopefully, being forced into admitting we have a big problem might give the incentive to fix it. It has been known to happen.
Re:Who uses BIND? (Score:1)
However, the amount of damage they could cause on the networking/server side of things is potentially massive, which may hurt you in other ways besides them getting root on your personal machine-- your buisness webpage could be redirected to a porn site, for example.
Re: Time for djbdns... (Score:1)
Vixie's gone totally uselss. Time to replace BIND (Score:1)
great to something totally awful, and how he's
out to ruin BIND. Oh well. Time for a new
BIND, free of megalomaniacs.
Re:Time for djbdns... (Score:2)
Has Paul lost his mind? (Score:1)
Re:Time for djbdns... (Score:1)
Re:No real explanation of fees (Score:1)
Re:Time for djbdns... (Score:1)
Alas, that will never happen. So, we poor admins are forced to actually compile something. The humanity.
Closed source doesn't work period! (Score:1)
I could save Amiga's ass with very little work but I CAN'T. I am not allowed to.
You expect me to deal with that kind of frustration in BIND?
ARE YOU MAD?
I have a question for you.
What's with this need to speculate and guess and pontificate whenever something happens? Whatever happened to principles like only criminals will have the tools to defend themselves?
Admit it. You don't know. And you're making it even worse by guessing at their intentions.
How about asking both sides what they think?
Re:security through obscurity? (Score:1)
Re:Code fork or replacement coming... (Score:2)
We don't, however, have to go all the way back to the potato famine to see the damage that this sort of heterogeneous community has. Take a look at the damage that the infamous Morris Worm wreaked. It only knew how to exploit sendmail and either ftpd or fingerd on Suns and VAXes....
Re:Who uses BIND? (Score:1)
To lots of server admins, and other people concerned with security issues, this is not a trivial story and counts as "stuff that matters".
siri
Re:Code fork or replacement coming... (Score:1)
Re:Why does bind run as root? (Score:2)
breach. The very fact that bind doesn't do that leads me to believe that it is insecure by design. "
So why not stick `-u named' on the end of the command?
Chrooting *is* a jolly good idea for all daemons you're going to be running. But bear in mind that you can break out of a chroot jail, even easier still if you're running as root within it. (I've not read so much about it, but look into shared library requirements and that sort of thing.)
Also remember that prior to 2.2.16, any process calling setuid() could return to being running as root by breaking capabilities, anyway.
~Tim
--
Alternative DNS server under GPL license (Score:2)
Re:Time for djbdns... (Score:2)
Contrast qmail's security history -- with only one, non-compromising DoS vulnerablity -- to sendmail's -- chock full o' root holes -- and you'll see that there is no comparison between the two.
Don't trust anybody's reputation. Read the code. Compare qmail's code to sendmail's. Compare djbdns's code to BIND's. No comparision. Say what you will about the man, but djb codes with a paranoia that few can match.If security matters to you, read the code.
Re:Not Flamebait!! (Score:1)
Re:I'm a BIND backer (Score:1)
Code forks, monoculture and kindness toward others (Score:5)
With respect to monoculture, there are at least four DNS server implementations out there - BIND 4/8, BIND 9, djbdns and Microsoft. If you're afraid of the BIND monoculture and you're running BIND 8, you do have alternatives. Personally I run BIND 9 on my alpha, which takes care of the monoculture issue for me. :')
With respect to questioning Paul's motivation, please think carefully. Paul and the ISC are supporting BIND 8, even though we have a code base that's much more supportable in BIND 9, because he knows that not everybody can just up and switch to BIND 9 right away.
It's a lot of extra trouble to support BIND 8. Nobody wants to do it. Nobody wants to pay for it. You heard from the guy at Mandrake - he's offended that anybody would even suggest that they could contribute monetarily to the maintenance of BIND 8. Despite this, when problems crop up with BIND 8, we do our best to fix them in a timely manner, with a very good track record so far.
I don't know if the proposed revenue stream will amount to enough to hire an engineer, but maybe it will. As far as I can see it (and I'm not an insider on this because I'm a DHCP hacker, not a BIND hacker), the proposal doesn't change when problems will be announced to the public. Paul was quoted in this article as saying that the ISC was interacting with vendors through a private channel (CERT) about this bug - just not a very handy private channel.
Even so, the CERT advisory andthe fixed versions of BIND 4 and 8 came out before the BugTraq advisory. You can argue about whether or not the ISC did the right thing in not announcing the exploit on BugTraq before there was a fix, but what the ISC did looks pretty ethical to me, and it looks like the Open Source community got a pretty good deal.
Naturally I'm a bit biased, but frankly after all the work I put into ISC software, and all the work I know Paul puts into it, not to mention the work all the other ISC people do, it's kind of sad to see how willing folks are to accept the idea that we're rotten incompetent villains out to make a fast buck at the expense of our peers.
Re:security through obscurity? (Score:2)
People planning serious physical security always assume that the attacker has complete knowledge of the defense and its weaknesses. For example, I once read a book by the Nuclear Regulatory Commission which specifies physical security barriers for nuclear plants. Each type of barrier (for example a 10" thick poured concrete wall) has a rating in minutes. This is the number of minutes to penetrate it with the best technique, whether that technique is explosive, gas-powered saw, cutting torch or whatever. This lets them plan security rationally and not have their plan disintegrate because some piece of info was leaked.
Re:Time for djbdns... (Score:1)
And simply making assumptions without reading any documentation isn't a "stupid cop-out"? Of course djbdns supports TCP queries. dnscache (the caching resolver) listens on UDP port 53 and TCP port 53. tinydns, the authoritive nameserver, listens only on port 53, BUT, if you get near the 512 byte limit (which you really shouldn't), you can run axfrdns under tcpserver which will serve queries on TCP port 53.
Re:security through obscurity? (Score:1)
Re:security through obscurity? (Score:1)
Re:security through obscurity? (Score:1)
The millions of sites not on the list still have the hole, dont ever upgrade bind because there is no bug known...and stay that way for a while...meanwhile they are experiencing unexplained bugs and attacks.
OR:
Hole is found and documented, everyone can access this info, sysadmins fix their servers in fear, some sites go down because the admins arent doing their job.
Re:Because bind author's don't like Linux' threads (Score:1)
With bind 9 on linux, a chroot jail cannot be broken out of using those steps, since the CAP_SYS_CHROOT capability is dropped.
If you want setuid on a 2.4 kernel, compile with --disable-threads.
Re:Setuid Bind _8_ does work on Linux (Score:1)
security through obscurity? (Score:2)
Apparently it's not working. I realize that, as the primary unix nameserver, it's very dangerous when a new bug comes out in bind. Millions of sites probably run bind, and they're all vulnerable to the latest bugs. This is obviously bad.
But doesn't going to this private-group model for security information show that the open source security model really doesn't work for important, widely used applications?
Re:Time for djbdns... (Score:2)
NO ONE HAS EVER SUGGESTED HIDING ANY BUG REPORTS! (Score:2)
EVERYTHING THAT IS CURRENTLY PUBLIC WILL REMAIN PUBLIC AND WILL BE RELEASED ON THE SAME SCHEDULE THAT IT ALWAYS HAS.
Certain information which is private *NOW* will be made available to people who have a plausible, legitimate, reason to want to have it *even sooner*. Access to the CVS tree, stuff like that. Stuff that *no one* gets right now on any kind of formal basis.
No one is talking about not releasing bug fixes in source, or not releasing bug announcements *exactly* when they are released now.
They have *always* waited, whenever possible, until a fix is known before releasing a bug discovered through auditing.
There's nothing, at all, worth complaining about here. This isn't "security through obscurity". This is "let's make the internal discussion about how to handle a bug a bit broader so that vendors who need to be involved early can do so".
Why does any support company charge a fee? (Score:2)
Code fork or replacement coming... (Score:5)
The operative question is: Is this a good thing? I think the track record (ssh/openssh, RSA/PGP/GPG, GIF/JPG/PNG, UNIX/BSD/Linux, etc, etc) shows that the answer will eventually be yes.
Comment removed (Score:3)
Re:security through obscurity? (Score:1)
Mostly because nobody fucking DIES when Yahoo or eBay goes down for a couple hours.
Yes you can yammer about how much DoS attacks and server downtime cost the economy, and make bad analogies about bank vaults guns, and Microsoft. You could act like not knowing the latest hole in BIND is more dangerous than driving an asbestos-insulated Yugo without seatbelts at 115 MPH through L.A. during rush hour while smoking unfiltered Camels, but it's not.
Re:security through obscurity? (Score:1)
If a parent leaves a loaded gun on a table and their young child kills himself or his sister, then the parent is certianly legaly responsible. How is this different?
Because that analogy isn't even vaguely applicable.
First of all, if you find a security flaw, you have no way of knowing that you're the only person to have done so. Chances are you're not. But some of those people will keep it to themselves, to use for their own purposes which are probably not constructive.
Secondly, you're completely ignoring the actual point of releasing this information, which is to give people who use the flawed product some way to protect themselves. With knowledge of the flaw, they can take measures to make sure they're not attacked. Without this knowledge, they are at the mercy of the other people who have discovered the problem.
I will say this: Making this information available benefits experienced and competent system administrators, to the detriment of the less knowledgeable (who may not have the means to protect themselves against the problem, and may therefore find themselves under attack by copycat exploiters). However, since being or hiring experienced administrators is a socially beneficial act, it is to be encouraged through this and any other measures, especially when better overall security is the main dividend.
Fucking ORBS? (Score:2)
Producing a superior product is not called "fucking", it's called "innovating".
...now, if we could just teach the USPTO the difference between "innovating" and "fucking", the world might actually be a nice place.
--
Re:Time for djbdns... (Score:1)
djb doesn't release his work under a proper opensource license, so most distributions want nothing to do with his software. Thus djbdns is not a viable alternative.
It may make it a tricky alternative for distributors (who have to supply the original plus patches rather than a modified original), but that doesn't mean it's not a fine alternative for savvy admins whose needs it otherwise meets.
Qmail is saddled with the same restrictions and is used by many of the busiest mail sites on the net (Hotmail, Critical Path, Yahoo, the spam-magnet server in my house, etc.). Surely there's some hint of viability in there.
BIND vs. Internic (Score:1)
Replacing BIND involves creating a program that properly implements a number of well defined protocols. Replacing the Internic involves convincing everyone running DNS on the Internet to switch to a different set of root name servers. Both tasks are technically feasible, but one of those tasks is extremely unlikely due to political reasons.
On the other hand, if you could convince Redhat, SuSE, Mandrake, Sun, and the *BSD distributions to ship with your new root nameservers in their default named cache, you would probably be most of the way to highjacking DNS since many admins wouldn't be bothered to notice the difference (and the remainder might be willing to give you the benefit of the doubt if your reliability and response time was as good as Internic's). Convincing all those vendors might be a little tough, but it's more likely than convincing hundreds of thousands of sysadmins.
Re:security through obscurity? (Score:1)
Re:security through obscurity? (Score:1)
Out here in the 'real world', though, security through obscurity leads to laziness - people are generally unable to act as if the design is public when it's secret. And yet the secret design has probably been leaked.
Leaving aside the fact that the parent is responsible for the kid's welfare, I don't think we can compare publishing research results to furnishing a physical object. Suppose Alice is the CEO of an overvalued company. Bob, an analyst, explains why it's overvalued and suggests that investors sell. Investors sell and the stock price plummets. Did Bob do something wrong? I don't think so.
I dont know all of you (Score:1)
I think is way too much responsibility for the ISC to do such an important piece of software for the Internet and to be by far the most used.
All that Im trying to say is that there should be others open-source/GPL choices of software for this task.
Re:security through obscurity? (Score:1)
Re: shove your monoculture (Score:1)
saying there was not enough food grown in ireland to feed the population during the "potato" famine(s) is like saying the armenians committed mass suicide in 1918.
Re:Why does bind run as root? (Score:1)
$ ls -ld /usr/local/named
/usr/local/named/
drwxr-xr-x 5 named named 4096 Jan 31 17:13
$ ps -ef |grep named
named 577 1 0 Feb02 ? 00:00:54 named -u named
Because bind author's don't like Linux' threads (Score:5)
Quoted from the bind9 FAQ:
Q: Why doesn't -u work on Linux 2.2.x?
A: Linux threads do not fully implement the Posix threads (pthreads) standard. In particular, setuid() operates only on the current thread, not the full process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on all other supported platforms. setuid() cannot be called before creating threads, since the server does not start listening on reserved ports until after threads have started.
My take on this:
Then why the hell do they do the setuid() call so late in the process? Just do it right after binding the port, but before forking any threads. Why the hell does that port have to be bound after starting threads? It's shared by all threads anyways, so why not bind it early?
> But some people have suggested that it is possible for a process to get out of chroot. Can somebody please elaborate?
If a process still has uid 0, there are several ways to break out of chroot:
- make a subdirectory foo
- chroot into it (without chdir'ing into it...): Current directory is now above root... Indeed, the chroot syscall only changes your process' root, but does not automatically change its current directory.
- repeatedly chdir("..");. This works because chdir only checks whether your current directory is equal to your root, it does not check for the case where it is above the root.
- once arrived at the physical root, chroot("."); and presto, you just broke out of the chroot jail
Even if this hole was patched (AFAIK, it exists in all Unix variants...), it would still be possible to break out of chroot by fiddling with raw devices such as disks andIT'S NOT A SAFE (Score:1)
It isn't all like a safe. It's like a tire.
I need a knife to cut a tire. I need Firestone's trade secrets to fix it.
Re:Time for djbdns... (Score:2)
-russ (webmaster@qmail.org and webmaster@djbdns.com)
Re:I'm a BIND backer (Score:1)
Maybe that's why I read
I have no problem with giving the authors a bit of time to fix the problem before making it public, but I know that I would much rather read about a potential problem that experience it first-hand. Keeping bugs and exploits secret doesn't really work very well.
Open Bind (Score:1)
A good take on this? (Score:5)
In trying to read his email and interview in the best-possible light I think that his bind-members mailing list proposal may not really be a bad thing for the internet community. We all rely on Bind and we all rely on mostly the same sources of information about vulnerabilities and vulnerability fixes (CERT, bugtraq, ISC-patches for Bind, etc).
I think what Mr. Vixie has said can be read this way:
Some vendors have ISC-derived private code. They want some support for their code from the ISC and they want to discuss fixing their closed-source Bind-derivatives in a closed forum (thus the NDA's and PGP encryption on the mailing list). The bind-members list will become that closed forum. New CERT advisories and ISC's own vulnerability discoveries will still be posted and available in open forums at the same time they are available to the closed forum. However, information that only applys to the closed forum will stay inside the closed forum.
If that "spin" is correct then the closed forum members will be subsidising the ISC's development efforts (on a regular basis) and getting privacy for their money.
I think there aught to be a parallel open forum for the free software Bind derivatives and distributions for posting bug discoveries and bug-fixes.
While Vixie's proposal is not strictly a bad thing we won't know if the closed forum is sticking to their stated mission. I think the real solution is to start development in the spirit of Mr. DeRaadt's comment: re-develop bind into task-oriented, well defined subcomponents. Large "hub" nameservers and root servers will use more components than small local nameservers and caching-only nameservers will use fewer still.
The development of this new nameserver daemon should be under a Free software liscense (GPL(!!)).
Then again, I could be wrong....
DBase Alternatives to a Simple Function (Score:2)
Something that has an application front-end with a database back-end would provide better security and other features. The dbase could be replicated to off-line servers for redundancy in case of faults. This could also be used for load-balancing and backups as well. The front-end for administration could be web-based with a php or perl api for ease of expanding the application. I'd be interested in seeing active development on this project and would definitely contribute. Note that MySQL [mysql.com] is GPL, so the potential for this type of thing happening again would be eliminated.
Linux rocks!!! www.dedserius.com [dedserius.com]
Re:Time for djbdns... (Score:1)
Since qmail has already had one exploit in its history, why should we believe that the rest of DJB's software is any more secure?
maru
Bind follows in the steps of Microsoft (Score:2)
Re:Code fork or replacement coming... (Score:1)
More seriously I agree that this increases the likelihood of a code fork unless it's abandoned.
----
Not Flamebait!! (Score:1)
Re:Time for djbdns... (Score:1)
To answer your rhetorical question, I don't think anyone believes that djbdns is inherently more secure than qmail (although it is a lot easier to configure qmail in an insecure way, if for no other reason than that it's capable of running programs from .qmail files). I trust both of them a lot more than I'd ever trust BIND, though,
even if that isn't saying much at this point.
Re:Paul Vixie? (Score:1)
Isn't the author of , a with many past security problems?
maru
How does fixing my copy of the source AFFECT YOU? (Score:1)
Re:Closed source doesn't work period! (Score:1)
I fail to see the bad side of this?!
I much rather think, that this would be a positive attitude. Just imagine, how many millions of tax DMs/Dollars/Pounds/... could be saved, if everyone did this. And also think about how fast this would fix all the streets.
Sorry, but I think that this would be a good rather than a bad attitude...
Re:Time for djbdns... (Score:2)
Re:IT'S NOT A SAFE (Score:1)
But think for a minute. Are you suggesting technicians who don't have Firestone's Trade Secrets or the right to discover those secrets would be able to find what caused those tires to explode.
Re:Time for djbdns... (Score:1)
Are we reading the same article? (Score:1)
In fact, Paul said that they were going to continue to distribute code in the same way they always had - which I take to mean including source that anyone can look at. I doubt there will be much change in the way 99.9% of the community interreacts with Bind and ISC.
Today, what happens is that someone finds a bug, ISC gets told about it, and then they FIX IT IN PUBLIC, while thousands of script kiddies run around and try the exploit on machines that don't even have a patch available yet. Even Microsoft is usally given the opportunity to fix major security bugs prior to them being posted publically on Bugtraq. Why should ISC be any different?
From the bugtraq faq:
Now, assuming that people DO this, where today can ISC discuss and fix the bug in private? I think having a list with only selected individuals on - specifically the ones Vixie mentioned, including the people who maintain bind for the major Open Source Distributions (FreeBSD, Linux, etc.) - where they can prepare fixes prior to CERT releasing the information and (hopefully) prior to it being seen on bugtraq.I'm not sure the reason behind the fees. Perhaps it is to help pay for the additional coordination required for doing this. Perhaps it's just to keep the script kiddies out.
I'm also not sure about the private access to the CVS database. This is the only part of this that concerns me. I can think of several reasons why this might be a good idea. Does anyone know if you can get a hold of the CVS database today?
Re:DBase Alternatives to a Simple Function (Score:1)
Something that has an application front-end with a database back-end would provide better security and other features. The dbase could be replicated to off-line servers for redundancy in case of faults. This could also be used for load-balancing and backups as well. The front-end for administration could be web-based with a php or perl api for ease of expanding the application.
==
Have you ever administered a name server before and do you have any idea how one operates? The "back end database" idea is not displaying a real insight as to the development issues posed by a name server, it's not like resolution requests can be queried against the database so the storage model is not real relevant. It all has to go into memory. The request for an administrative GUI is equally short-sighted. I have administered NT-based DNS systems that used GUIs before and changing IP information on 300+ domains was a real mouse-killer.
maru
Re:Paul Vixie? (Score:1)
He isn't the author of [insert the name of any widely used *nix-based software that is 10+ years old] , a [insert application use] with many past security problems?
maru
Re:Why does bind run as root? (Score:2)
--
I'm a BIND backer (Score:2)
Setuid Bind _8_ does work on Linux (Score:2)
But, I have deployed 8.2.x extensively, and I run Bind as user "named" or "dns" as a matter of course.
If Bind9 can't be run securely on Linux--and I don't think LinuxThreads are materially different in 2.4--then Bind9 may just be where I get off the train.
Re:Code fork or replacement coming... (Score:3)
I agree, but for a slightly different reason.
Remember the Irish potato(e) famine. It has been shown repeatedly that monoculture doesn't work well for stability and fault tolerance.
Why were the recent BIND exploits increadibly serious? Because 99.99% of DNS servers use BIND. (Waring: Statistics made up.)
If half the population used BIND, and the other half used OpenBind, when a security flaw is found in OpenBind (or BIND), only half of the DNS servers are affected. Additionally, if flaws are serious/ slow to be fixed, you can always switch to the other program.
It'd be a rare exploit (most likely in the DNS protocol itself) which could take down two different DNS servers.
Re:Why does bind run as root? (Score:2)
bind can be configured to run as nonroot in a chrooted jail easily, at least in version 9.1.0.
named -u named -t
gets you started. Other versions I'm not so sure support running as user *blank*. Older versions don't, but the recent rewrite (9.1.0) does.
chroot'ed directories can be escaped by root users doing chroot
--johnny
Oppositional forces (Score:2)
The bottom line is that there are oppositional forces and tradeoffs, like so many other things in security and in the computing world. One setup is not always the best, it depends greatly on the entirity of the situation.
Re:Time for djbdns... (Score:2)
I think that the reason he uses such draconian language is that he wants to ensure that any modifications by a programmer will not make djbdns less secure. I think it would be pretty easy for any new code to make his code less secure, if for instance, you were to add a system call using data from a remote machine.
Also if porting to a different machine there may be other architectural/security considerations to keep in mind and trying to force djb's code to fit into that computer architecture may break its security model. That's probably why the license is the way it is.
He does give you the option to send him a request for license specifics if perhaps you might want some leeway but that would be on a case-by-case basis.
Re:I'm a BIND backer (Score:2)
Re:Because bind author's don't like Linux' threads (Score:2)
Looking at the bind 9.1.0 sources, specifically bin/named/unix/os.c, it appears that the BIND authors have hacked around the pthreads problem using capabilities. The main thread does setuid() early-on, so as to propagate the new uid to its child threads, but reserves for itself the capability to bind to privileged ports. This allows named to launch its child threads before it decides what ports to listen on.
My only problem with this approach is that I don't see where named eventually drops the privileged-port capability later.
^^^ mod the parent up ^^^ (Score:2)
Zebbers makes it so clear and basic why open source is the right way to go and incompetent administrators should be fired.
Re:security through obscurity? (Score:2)
Combining open source with closed information is what will fail. The only way closing the bug reports works at all is if the source is also closed. Otherwise l33t cR4q3rz who can read source can find bugs and distribute exploits (w/o NDAs), and admins who can't (read source) won't be able to fix things, all the while the members get to sit on their own lazy asses because they got them covered.
Re:Fucking ORBS? (Score:3)
Closed bug reports only work with closed source. It's just a matter of time before Vixie closes BIND, or at least the leet version of it that members get to use.
Time for djbdns... (Score:4)
Djbdns is to BIND what qmail is to sendmail. Not only is it written with security in mind, it even has a security guarantee. [cr.yp.to] A refreshing change of pace.
Re:Why does bind run as root? (Score:2)
Ahh, yes. Somebody finally noticed. Unfortunately TCP/IP was not added to UNIX until BSD in the 80's. So we have BSD Sockets and the "Everything is a File" mantra no longer holds.
I believe that Plan9 [bell-labs.com], now known as Inferno [vitanuova.com], works this way. It was developed in the late 80's/early 90's by the original UNIX people at Bell Labs. Lucent (Bell Labs) has released Plan9 source under their own license, source and binaries can be downloaded here [bell-labs.com].
Have Fun!
Re:Code forks, monoculture and kindness toward oth (Score:2)
Don't forget Novell DHCP/DNS [novell.com], it comes with NetWare 5. There are more esoteric DNS servers listed here [dns.net].
No real explanation of fees (Score:4)
I feel that this whole mailing list looks like an attempt to generate a revenue stream through what boils down to blackmail: "if you do not pay us you will not get timely information about the security holes in BIND."
This will (inevitably) lead to a code split, will be a very good thing: having practically the whole internet run DNS resolver (irrespective of how good it is) is dangerous.
Why does bind run as root? (Score:3)
My second question is about running bind chroot'ed. I have seen the howto and it looks *very* useful for any daemon, especially bind in light of recent security problems. But some people have suggested that it is possible for a process to get out of chroot. Can somebody please elaborate?
___
Who uses BIND? (Score:2)
Re:Because bind author's don't like Linux' threads (Score:3)
Then, what would happen (in the non-Linux case) if the config was indeed reloaded, but a different low port was specified now? At that point, bind would already have dropped the privilege to bind to that port, and couldn't satisfy the reload request anyways. (Ironically enough, it would work on Linux, because you'd still have the capability to bind low ports...). Conclusion: changing port numbers on the fly wouldn't work anyways, so why not do a first parse of the config file before forking threads, and use this pass to gather those pieces of information which aren't changeable after reload anyways?
'Security Guarantee" (Score:2)
And 500$ is an insignifigant amount of money compared to the damage that a DNS bug can cause.
--
Remove the rocks to send email