D. J. Bernstein, author of djbdns, a "secure" DNS server, wrote this message prompted by the recent problems experienced with BIND 9 and its "300000 lines of bad code." "BIND 9 is good code, you say? The BIND programmers learned their lesson from these security disasters and rewrote everything from scratch?" Professor Bernstein's opinion differs . . .

Date: 1 Feb 2001 07:29:42 -0000
Message-ID: <20010201072942.22539.qmail@cr.yp.to>
From: "D. J. Bernstein"
To: bugtraq@securityfocus.com
Subject: Time to un-BIND your network!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

It's interesting that the NXT security disaster and the TSIG security disaster were both introduced as new features in BIND 8.2.

Paul Vixie blames BIND's problems on ``sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students.'' But BIND 4 was only 20000 lines of bad code. BIND 8.2 is 150000 lines of bad code.

BIND 9 is good code, you say? The BIND programmers learned their lesson from these security disasters and rewrote everything from scratch? Let's look at the facts:

   * BIND 9 was funded in August 1998. There was a public statement that ``code drop has been made to funding organizations'' in March 1999. Guess when BIND 8.2 was released? That's right: March 1999.

   * BIND 9 was made available for public testing in February 2000. The official BIND 9.0.0 release was in September 2000. _Hundreds_ of bugs have been discovered in BIND 9 since then. (The list of previously discovered bugs---presumably even more embarrassing---doesn't seem to be publicly available. Gee, what a surprise.)

   * By all accounts, BIND 9 chokes even more often than BIND 8 does. Sample from the bind9-users mailing list last week: two sysadmins at large sites reported that, within a few days, BIND 9.1.0 stopped responding and started burning CPU time.

Bottom line: The Buggy Internet Name Daemon lives on. BIND 9 is 300000 lines of bad code. Does anyone seriously believe that none of BIND 9's bugs can be exploited by attackers?

I don't. But I can relax, because I've been free of my BINDs for the past year; I wrote my own DNS software, djbdns.

To learn more: yp

djbdns works for citysearch.com and pobox.com and one site that handles nearly 400000 *.com's; I think it'll work for you too. It's free, it doesn't crash, and it doesn't let attackers take over your machine.

---Dan