Rick Murphy wrote:
> At 03:30 PM 2/9/2001 +0000, Herman Van Keer (N) [M-PRO] wrote:
>
>> I heard some very bad news about bind (in general for bugs [security]
>> and specifically now with their pay-policy ;-) )
>
> There is no "pay-policy". Bind remains open-source just like it always
> has been. Some organizations are being asked to pony up some of the
> cost of notifying vendors quickly about security holes, but that's it.

As you are probably aware, this is not so cut and dried. I don't want to
start a holy war, or feed one even, but this statement would seem to be
silly, even at first glance. The "cost" of notifying vendors quickly
about security holes? Considering the ISC already maintains mailing
lists, having a mailing list for BIND bugs which they're finding ANYWAY
shouldn't really be costing them anything. Whether or not they're
justified in creating this list is outside the scope of this document.

>> An alternative to bind, could be djbdns... from Dan Bernstein (creator
>> of qmail).
>> Does anyone have experience with this DNS server?
>> Security?
>
> It's an alternative; I haven't used it, but it's an option for many
> sites.
> Bind 9.x (what I'm using) appears to be a real improvement from older
> versions of Bind.

For me, the "hidden list" was the final straw. I switched to djbdns, and
am VERY happy with it.

First: Configuration is dramatically easier than it is in BIND. The
domain data files are very small and simple. I was annoyed that you
couldn't create multiple A records in the data file, but as it turns
out, it returns aliases as A records upon query anyway, so that's no big
deal.

Second: Installation is trivial, especially under OpenBSD. :) djbdns
relies on daemontools (at least, that's how DJB wants you to control
djbdns) and as such is trivial to control. Just make sure that svstat
has a sufficient PATH variable when it starts up.

Third: There is no third, but two is not a very auspicious number.

Martin "Outside the Scope of This Document" Espinoza