BIND should be treated with the utmost caution, as CERT has listed it as
the #1 way to break into a computer and I'm sure some of us have had
k1dd13z on our systems because of it. I know I have seen this
discussion before in old USENET posts, but I do think it would be a good
idea to maybe include a debconf option that lets the user choose whether
or not BIND would run as root. That way, upgrades of BIND could respect
the setup and users could have safer defaults on their system.
Even if that doesn't happen, I think that should be in the Security HOWTO.
-A. Dave
Javier Fernández-Sanguino Peña wrote:
On Thu, Jan 03, 2002 at 03:34:32PM +0100, martin f krafft wrote:
(...)
but more importantly, if the question was how to secure bind, then let's
not secure it by substituting... bind is still the #1 nameserver, and a
thread like this (even though argued a million times) can be quite
informative.
The way to avoid this kind of thread over and over again is to *document*
them. I find that there are quite a number of people willing to answer emails
in the list but not willing to take some time and *write* about it.
If anyone feels like writing a few paragraphs on how to secure BIND, improving
the existing documentation (of course, the Debian Security HOWTO), feel free to
send me any material worth adding.
Regards
Javi