linux, säkerhet

7773543 2002-01-09 12:36 -0800  /41 rader/  <bugtraq@artemas.reachin.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-01-09  22:10  av Brevbäraren
Extern mottagare: Bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <20444>
Ärende: Announcing a new DNS server implementation
------------------------------------------------------------
From: bugtraq@artemas.reachin.com
To: Bugtraq@securityfocus.com
Message-ID: <20020109123631.A24072@artemas.reachin.com>

About a year ago, there was a thread on Bugtraq, the result of which
was  people asking for a new implementation of a DNS server, since
people felt  that BIND was insecure, and because people felt that
DjbDNS had a license  which was too restrictive.

First of all, BIND 9 is a complete rewrite of BIND, which, so far,
has not had one security problem reported with it.  When people say
that "BIND is insecure", they really ought to say "BIND before BIND 9
is insecure".

In addition, there is my project, MaraDNS.  MaraDNS strives to be a
secure DNS server, by mandating that MaraDNS run as an unprivledged
UID, and by performing its own chroot operation.  In addition,
MaraDNS uses a special string library (which I wrote myself) which is
buffer-overflow resistant (and permits nulls in strings, something
which DNS data uses extensivly).

I have just released the first beta release of MaraDNS.  This release
has gone under months of testing by a volunteer crew, and I belive
that we have most of the bugs ironed out.  Now, it is ready to be
more extensivly tested.

Which is why I am announcing MaraDNS on this mailing list.  MaraDNS
can be downloaded here:

        http://sourceforge.net/projects/maradns

MaraDNS, naturally, is fully free and open-sourced.  In fact, MaraDNS
is  public domain code.

Of course, there are some other DNS projects which deserve to be
mentioned.  Pdnsd is a caching-only DNS server; Posadis is a DNS
server undergoing extensive development, and is roughly about where
MaraDNS was about six months ago--I wish them the best of luck; and
there was Dents  which, sadly, stopped development in 1999 or so
before being usable.

- Sam
(7773543) / <bugtraq@artemas.reachin.com>/(Ombruten)
Kommentar i text 7775087 av D. J. Bernstein <djb@cr.yp.to>
7775087 2002-01-10 04:05 +0000  /44 rader/ D. J. Bernstein <djb@cr.yp.to>
Sänt av: joel@lysator.liu.se
Importerad: 2002-01-10  06:10  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <20466>
Kommentar till text 7773543 av  <bugtraq@artemas.reachin.com>
Ärende: Re: Announcing a new DNS server implementation
------------------------------------------------------------
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com
Message-ID: <20020110040505.24874.qmail@cr.yp.to>

bugtraq@artemas.reachin.com writes:
> First of all, BIND 9 is a complete rewrite of BIND, which, so far, has
> not had one security problem reported with it.

I have two questions. First, why has ISC reported all the crash-BIND-8
bugs on its ``BIND security'' page and in CERT advisories, but none of
the crash-BIND-9 bugs?

(The primary ``security'' mechanism in BIND 9 is a fragility
mechanism: BIND 9 commits suicide if it gets confused, or if you poke
it sharply, or if you simply think bad thoughts in its general
direction. The BIND 9 change log is full of reports of easily
triggered crashes.)

Second, how much money do I get from ISC if I look at the BIND 9 code
and find, for example, a bug letting attackers take over the server?

> This release has gone under months of testing by a volunteer crew, and
> I belive that we have most of the bugs ironed out.

I have three questions. First, what exactly do you mean by ``found
some security problems'' in your change log for 0.8.99? Why doesn't
the change log explain exactly what the problem is and what its
impact is?

Second, how much money do I get from you if I look at your code and
find, for example, a bug letting attackers take over the server?

Third, bottom line: How serious are you about security? I don't just
mean chroot and stralloc. I don't just mean ``strive to be secure.''
And I certainly don't mean Microsoft's ``we'll try but we guarantee
you that we'll fail.'' _Will_ your software be secure?

---Dan

P.S. I also have a question for the bugtraq moderators. You regularly
accept BIND 9 advertisements from the BIND authors, and you've
accepted this MaraDNS advertisement from the MaraDNS author. Why did
you reject
http://cr.yp.to/djbdns/bugtraq/20010201072942-22539-qmail@cr-yp-to,
specifically the final paragraph about djbdns, as ``marketing''?
(7775087) /D. J. Bernstein <djb@cr.yp.to>/(Ombruten)