[TriLUG] MAC-based web blocking

Aaron S. Joyner aaron at joyner.ws
Wed Sep 13 12:21:56 EDT 2006


jason at monsterjam.org wrote:

>bind?! you gotta be kidding..
>http://www.isc.org/index.pl?/sw/bind/bind-security.php
>next to sendmail, it's been historically swiss cheese as far as security holes..
>If you feel the need to use software that needs to be updated every few months, 
>knock yourself out.
>
So BIND might have a sordid past, but that URL you posted is sort of a 
testament to the current incorrectness of your statement.  Note that the 
most recent vulnerability listed was in fact a few months ago (July 
9th), but it's only a DOS concern for people using DNSSEC and allowing 
recursive queries (effectively, almost no one).  The previous 
vulnerability was going on two years ago (Jan 2005), prior to that was 
almost another year back (Feb 2nd, 2004), prior to that more than 
another year (Nov 12th, 2002).  If your definition of "updated every few 
months" includes bugs which are so specific I have to stop and construct 
weird scenarios where you might be affected by them in my head, and 
you're either so out-dated as to be running older bind versions less 
than 8.3 in 2004 or so bleeding edge as to be doing DNSSEC in the latest 
code base (in which case you're upgrading more frequently to follow 
feature sets, than bugs, as the standards evolve), *and* "every few 
months" really means "every 11 to 20 months", then I might agree with 
you.  :)  Since the chances of that are zero, I'll keep running BIND.  :)

Aaron S. Joyner


