Re: Thoughts About "Protection Against BIND" – Alec Berry – Oct 13, 2004 7:14 AM PST
Thanks, Mr. Vixie. I was a bit shocked at the very same article. I manage a small number of domains (50), yet we have three BIND servers (on different networks), all running version 9, with none of the vulnerabilities mentioned in the BBC article. I have not found this difficult; in fact upgrading or installing BIND 9 has been quite simple. Running it in a jail and observing all of the other security measures is only slightly more work, none of it difficult. There is more than ample documentation, including examples, shipped with the distribution. In other words, no excuses!
I remember the "repository for illicit material" alert from some time ago, and trying (to no avail) to find ANY detail so I could check my systems. I think the concept of SANS is a good idea, but to realize their potential, they need to maintain credibility.
Dear Paul,
http://www.sans.org/top20/#u5
It's no consolation, but IMO, the section on MTAs contains very similar flaws.
Reading the description of sendmail:
"Sendmail has had a large number of vulnerabilities in the past. These vulnerabilities have often been due to its complexity. These have made Sendmail one of the most exploited services on the Internet."
vs that of Qmail:
"Qmail is a secure MTA that has had few vulnerabilities in the past. It is also one of the most popular MTAs after Sendmail."
The slant of the author does seem to again criticise and highlight past (and since addressed) vulnerabilities of the most popularly deployed agent, without underlining the many best practice issues you raise in your above response.
On top of that, to describe other agents (including DJB's Qmail) as "secure" in such a context raises further issues of impartiality.
The tireless Eric Allman should have similar cause to review his faith and charity towards SANS.
It makes me wonder whether these reports are in any way peer reviewed?
Regardless, to Eric and yourself, and the many others who contribute to such software projects with such rigour, thank you.
shine,
.vortex
Re: Thoughts About "Protection Against BIND" – Jeffrey A. Williams – Oct 13, 2004 6:02 PM PST
Paul,
I believe, as you know, that ISC has done a wonderful job to address past problems with Bind with respect to security.
However, I believe SANS is directing a broader audience in its concerns, which are mostly concerned with older unpatched versions of BIND that many are still using/running. Many of these organizations are registries and ISPs which seem to not be as effective or reasonably concerned enough to take the time and effort to upgrade.
Re: Thoughts About "Protection Against BIND" – Jonathan Day – Oct 13, 2004 9:15 PM PST
A fascinating article, highlighting the more "interesting" perspectives offered by less balanced viewpoints. On the one hand, it is very right and proper to highlight genuine concerns. It is a valuable, almost essential, reality check.
When, however, this vital tool is abused, it weakens vital lines of trust. Can you trust "security reports" if there is a high risk of them being bogus? Can you trust software watchdog groups if they don't verify their facts?
Sure, I know people who don't update software. I've seen commercial organizations happily run horribly early versions of software. BIND 4? Sendmail 6? Provided they'll actually run, people use them. "If they're not broken, why fix them?"
The problem is, they are broken, just not in ways that are immediately obvious. Therein lies the problem, and the dangers of negative advertising presented as a serious article. A program can run but still contain flaws that endanger security or trustworthiness. Unfortunately, your average Joe and Jane Average are not computer security experts. They don't know how to identify when software does contain such problems, so when they are told such problems exist they generally either do nothing or panic.
Institutes such as SANS are fully aware of this. This is why academia has long insisted on peer-review. It's not fool-proof, by a long way, but it cuts back on the more blatant abuses of the published media. When I want raw, unfiltered opinions, I can visit a weblog or a place such as Slashdot. If I go to a professional security institute, I expect something a little more solid.
To finish up, I'll make a point that I've made on other boards, elsewhere. The vast majority of software out there has security flaws. It is possible to eliminate them entirely, but that doesn't make it practical. Worse, the only way to never reintroduce bugs is to never add or change any code, so the only way to be completely secure is to be completely stagnant.
Usually, the sensible choice is to steer towards software that is getting lots of eyeballing and auditing (and therefore is reasonably safe to use), but at the same time is expanding to cover next week's or next year's needs.
Unless there is a specific requirement that can only be met by a package that is little known or may not be adequately reviewed, the prudent choice for the workplace is to aim for a solid foundation first and work out from there. An ounce of prevention is better than a tonne of cure.
As far as ISC products are concerned, I don't think I've ever had many security concerns. Irritations over a few things I'd have liked them to add, sure! Plenty of those. But since they're not writing specifically for me, that isn't likely to change anything. Besides, it's not as if I've written the changes myself and sent them patches. If I had, I might even have a legitimate reason to grouse.
But security? When was the last time you heard of a security hole in OpenBSD? Guess whose nameserver software they run? Then I don't think it's likely there are too many problems.
Re: Thoughts About "Protection Against BIND" – Matt Crawford – Nov 09, 2004 8:03 AM PST
SANS has published something stupid more than once. I had a protracted semi-private argument with them in June 2000 about their recommendation that ICMP unreachables be blocked - no exception for "fragmentation needed." And government agencies were trying to rubber stamp the SANS word as policy. This was a crisis for some of us, and it took quite a while to get SANS to understand PMTUD.
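The PMTUD point in the comment above is easy to state and easy to get wrong in a ruleset, so here is an added example (not code from SANS, ISC or any poster in this thread). It builds two ICMPv4 destination-unreachable messages from a constructed quoted datagram, parses them the way a filter would, and runs each through two hypothetical policy functions: `drop_all_unreachables`, the blanket rule the comment describes, and `pmtud_safe`, which lets type 3 code 4 ("fragmentation needed and DF set") through because that is the message that carries the next-hop MTU a sender needs. Packet contents, addresses and function names are this example's own assumptions.

```python
"""Which ICMP unreachables can a firewall drop without breaking PMTUD?
Added example for this thread; policy names and sample packets are
constructed here, not taken from any SANS or ISC material."""
import struct

ICMP_DEST_UNREACH = 3         # ICMPv4 type
ICMP_CODE_HOST_UNREACH = 1
ICMP_CODE_FRAG_NEEDED = 4     # the code PMTUD relies on; bytes 6-7 hold next-hop MTU


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message.
    Over a message with a valid checksum field it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreach(code: int, next_hop_mtu: int, original: bytes) -> bytes:
    """Router-side view: ICMP header plus the first 28 bytes (IP header + 8)
    of the datagram that could not be forwarded. Only code 4 fills the MTU."""
    mtu_field = next_hop_mtu if code == ICMP_CODE_FRAG_NEEDED else 0
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu_field)
    body = header + original[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(pkt: bytes) -> dict:
    """Filter-side view: verify the checksum, then extract type, code,
    next-hop MTU (code 4 only) and the quoted original destination."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    info = {"type": typ, "code": code, "mtu": None, "orig_dst": None}
    inner = pkt[8:]
    if len(inner) >= 20:                       # quoted IPv4 header present
        info["orig_dst"] = ".".join(str(b) for b in inner[16:20])
    if typ == ICMP_DEST_UNREACH and code == ICMP_CODE_FRAG_NEEDED:
        info["mtu"] = rest & 0xFFFF            # low 16 bits of the 'rest' word
    return info


def drop_all_unreachables(info: dict) -> bool:
    """The blanket rule: every type 3 is dropped, code 4 included.
    True means the packet is allowed through."""
    return info["type"] != ICMP_DEST_UNREACH


def pmtud_safe(info: dict) -> bool:
    """Drop unreachables except 'fragmentation needed', which must reach the
    sender so it can lower its path MTU. True means allowed through."""
    if info["type"] == ICMP_DEST_UNREACH:
        return info["code"] == ICMP_CODE_FRAG_NEEDED
    return True


# Constructed sample: first 28 bytes of a 1500-byte TCP segment with DF set,
# 192.0.2.10:51234 -> 198.51.100.20:443, as a router would quote it.
ORIGINAL_DATAGRAM = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
    bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
) + struct.pack("!HHI", 51234, 443, 0)

FRAG_NEEDED = build_dest_unreach(ICMP_CODE_FRAG_NEEDED, 1280, ORIGINAL_DATAGRAM)
HOST_UNREACH = build_dest_unreach(ICMP_CODE_HOST_UNREACH, 0, ORIGINAL_DATAGRAM)


def classify(pkt: bytes) -> dict:
    """Parse one message and report what each policy does with it."""
    info = parse_icmp(pkt)
    return {
        "mtu": info["mtu"],
        "orig_dst": info["orig_dst"],
        "drop_all_passes": drop_all_unreachables(info),
        "pmtud_safe_passes": pmtud_safe(info),
    }


if __name__ == "__main__":
    for name, pkt in (("frag-needed", FRAG_NEEDED), ("host-unreach", HOST_UNREACH)):
        print(name, classify(pkt))
```

The blanket policy silently discards the one message telling the 192.0.2.10 host that its 1500-byte DF segment needs to shrink to 1280, so large transfers hang while small packets work; the second policy still drops the host-unreachable message. The same exception is needed for ICMPv6, where Packet Too Big (type 2) plays the role of type 3 code 4 and IPv6 routers never fragment.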
Re: Thoughts About "Protection Against BIND" – Gregory Miller – Jul 17, 2007 9:07 PM PST
Paul:
Thank you for a "tour de force" reply, which provided me a nice review, refresh, and update on BIND and DNS. I am concerned about the SANS report and (lack of?) peer reviewing materials from what I expect to be an organization that conducts itself in a professional manner. It's frustrating enough for everyone from network administrators to Internet strategists to stay on top of what's real vs. what's "spun." Your passion for BIND is clear, yet I respect your ability to maintain objectivity in your responses to what seems like less-than-informed attacks on the integrity of BIND (9). I wonder if SANS is reaching for a wider audience in its publications (as suggested I believe in an earlier comment) and in so doing practiced more "typical" news reporting than professional technical journalism (e.g., more peer-review like). Please keep up your excellent work and vigil for accuracy in BIND information.
Cheers
GAM