[svlug] Bind Vulnerabilities
Dagmar d'Surreal
dagmar at dsurreal.org
Sun Mar 25 02:26:01 PST 2001
On Sat, 24 Mar 2001, Drew Bertola wrote:
> I see a lot of great things happening in 9.- . My favorite is that
> you can reload a single zone without reloading all zones. That would
> sure make updates easier. How many times have you had to plead with
> an ISP to update their nameserver right away or as soon as possible?
> They of course reply that it won't happen for 20 more hours because
> it's too hard on their nameservers. Now they can just reload your
> zone. Bingo.
Mmm... Reloading of single zones can be done with BIND 8.x, using ndc by
any user who has enough permissions to write to /var/run/ndc. Somewhat
handy for giving administrators access to modify zones without needing any
special privileges. It's probably best used through sudo still, since
it's possible for an administrator using ndc to tell the daemon to simply
die, and have no way to start the thing up again. In certain scenarios it
would be handy to know who to blame for knocking the thing over and not
remembering to restart it.
One nice thing that _is_ in BIND 9.x is their "views" stuff.
Administrators of nameservers cursed with departments who insist on having
intranet hosts living in the same namespace as internet hosts and only one
server to do it on will be able to essentially have different namespaces
without having to run multiple daemons on multiple interfaces.
> I think this will be a tough transition because of the difficulties
> large sites will have. Small sites will struggle w/ the security
> enhancing encryption stuff (I'm still not sure what that's all about
> yet).
Most smaller sites won't need the DNSSEC stuff. Its primary usefulness
is for scenarios like having a remote nameserver in a co-location facility
where you'd like to make sure your secondaries are getting their updates
from _your_ primary and not someone who's managed to confuse a nearby
router or switch. You won't see much usefulness come from it for normal
resolution until many more sites start using DNSSEC as well.
One of the uglier ouchies to using 9.x is that anything you have that's
linked against libbind.a is going to still need the BIND 8 library because
the API has changed quite a bit.
I'm hoping they'll work out the problems with threading under Solaris 2.6
(if that's possible, I haven't looked into it yet). The test server
daemon I put together did indeed explode as promised when faced with
several dozen simultaneous transfers and queries. Disabling threads does
get around it (at least on Solaris, don't know about BSD) but it's still
annoying. All things considered I'm not going to put a 9.x server into
production for another six months at least until it's had more testing in
the field.
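As an added illustration (not part of the original post), a minimal BIND 9 named.conf showing the "views" arrangement described above: one daemon answers the same zone name with an intranet namespace for internal clients and a public namespace for everyone else. The 10.0.0.0/8 network, the zone example.com and the zone file names are assumed placeholders.

```conf
// Added example, not from the original post: split-horizon "views" in BIND 9.
// 10.0.0.0/8, example.com and the zone file names are assumed placeholders.
acl intranet { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;           // authoritative-only by default; granted per view below
};

// Views are tried in order; the first whose match-clients fits the query
// source address answers, so the catch-all view must come last.
view "internal" {
    match-clients { intranet; };
    recursion yes;          // intranet clients may use this server as a resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // intranet hosts, RFC 1918 addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // never recurse for the Internet at large
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public hosts only
    };
};
```

Run named-checkconf on the file before reloading; because view selection keys only on the query's source address, treat the internal view as namespace separation, not as a secrecy boundary for the intranet data it serves.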