Comment Re:DNSSEC needn't be a panacea to be useful. (Score 1) 181
> Hm, what I've learned is that [TCP/IP, SMTP, other aged Internet standards] work.
I agree, in a way analogous to how Microsoft Windows "works". Perhaps I'm expecting too much, but that's simply not good enough.
> But if we have something that's a significant incremental improvement, and don't have the complete panacea, is it a mistake to use what we have? It sounds like you're saying it is.
I'll continue with the Microsoft analogy: every one of the 40-some-odd security and bugfix updates I had to apply the last time I installed Windows on a machine was a 'significant incremental improvement'. Incremental improvements necessitated by flawed design, IMHO, are simply not good enough- especially when we know they're not good enough before we even implement them! This is even more true when we try to use them as building blocks for the future.
I'm not trying to equate DNSSEC and Windows- but similar, really the same, concepts are involved. Poor design necessitates more and more of these significant incremental improvements. With Windows, it's marginally acceptable to apply these improvements; if you're one of the many who don't like doing that, there are choices of other software to run on your computer. But how do you 'patch' an Internet standard once it's been widely deployed, with a lot of time and effort spent to implement this in software applications? And unlike Windows, there is *no* choice. If someone says 'I want a protocol for publishing and resolving names to IP addresses on the Internet', what option does s/he have other than DNS?
> That's not a very good attitude for an engineer to have - you never get anything done with that attitude.
It does indeed take more time to realize a complete, properly designed solution than one that is an incremental improvement. But this does not equate to 'never getting anything done'- it simply requires more patience. I am very willing to be patient in that case.
> It's unfortunate that BIND 8 and BIND 9 are always discussed by DJB and his acolytes as if they are the same product, when in fact they are two completely separate code bases, one of which was in fact engineered to specifically avoid the failings of the other.
Whether it's BIND version 4, 8, or 9 is of minor importance. I don't trust the people writing the code, and here's why: I'm aware that the ISC says BIND 9 was a complete redesign from previous versions. I haven't read the source code to see if this is actually true or not, but I'll take their word for it for purposes of this discussion. I appreciate the fact that they recognized the problems caused by poor design in previous versions, and did the right thing- rewrote it from scratch. But it didn't take very long for attackers to be able to kill a BIND 9 server with a malformed DNS packet or find remotely exploitable buffer overflows in BIND 9's resolver library. (If you're unclear or doubtful on what vulnerabilities I'm referring to, I'll be happy to provide references.)
Whether the ISC is lying about BIND 9 being a complete rewrite, or they have simply done a poor job implementing their finally-got-it-right-this-time design, or whatever the reason, matters very little. I wouldn't trust them to sit the right way on a toilet seat.
In contrast, Bernstein's still sitting on the $500 reward for finding similar security holes in djbdns. My own experience with BIND and djbdns has shown me BIND is not particularly high quality software, and that the problems encountered with BIND don't appear in djbdns. Given the choice between these software packages, does my choice of djbdns over BIND seem unreasonable?
> It would be much more fun to debate these points if we were actually talking about the merits of each software package, rather than tarring one with the same brush as the other.
BIND's ugly history, regardless of version, is well documented by many third parties (not ISC or DJB: CERT, for example, has all the info one needs to evaluate BIND's security history). Did you think I'm taking Bernstein's word blindly? As I touched on earlier, because ISC claims that BIND 9 is a complete rewrite, and that the problems with BIND 4 and 8 will never happen with 9, means nothing to me. I find it extremely hard to believe them; history suggests they are either lying, or just hire poor programmers. So, yes, I am admittedly tarring BIND 9 with the same brush as I do BIND 8; do you think, for the reasons I've given, that it's unreasonable to do so?