Subject: Re: switching from bind8 to bind9
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Greg A. Woods <>
List: tech-net
Date: 11/19/2002 15:15:12
[ On Tuesday, November 19, 2002 at 19:43:11 (+0100), der Mouse wrote: ]
> Subject: Re: switching from bind8 to bind9
> > [...].  To that end it seems quite prudent to have the DNS software
> > do the checking early and often too, especially on certain record
> > types, just in case that other software might fall flat on its face
> > with the likes of a unicode exploit or what have you.
> Perhaps.  On the other hand, doing this means that your DNS software
> will then prevent you from doing things like investigating Empire
> Towers spam thoroughly (they tend to use octets in the 0x00-0x1f range
> in DNS labels).

I use the latest version of 'host' for such things and it easily lets me
bypass any of my caching/forwarding servers.  :-)  (where permitted by
firewall rules, of course, but if I control the DNS then I likely also
control the firewall too!  ;-)

> > It's one thing to be liberal in what you accept and quite another to
> > pass on poisoned data.
> But you cannot tell what constitutes "poisoned" data to arbitrary other
> pieces of software.

No, of course not -- but I can tell that non-ASCII labels for some types
of records are suspect, and that's all I need to worry about.

The rest of what you say starts to get much further away from the realm
of the practical and into the realm of theory.  BIND-8's checks are
practical, and they work, and for the most part they make me happy
enough to use them.

> Surely the right fix is to just not run software that broken?

I agree, but the people who own and operate the DNS clients I serve
don't seem to agree with us.

I suppose I could just let the full fury of the Big Bad Internet strike
them full face.  Either way I'm damned by some if I do and damned by
others if I don't.  The status quo is at least a stable state.
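The kind of per-record-type label check being argued about above, written out as an added illustration (this is not BIND's code nor anything from the thread): host-name records get the strict letters/digits/hyphen rule, every record type rejects control and non-ASCII octets, and the set of record types treated as host names is my own assumption.

```python
import re
from typing import List

# Assumed set of record types whose owner name is expected to be a host name
# (RFC 952/1123 syntax); other types such as TXT keep free-form labels.
HOSTNAME_TYPES = {"A", "AAAA", "MX", "NS"}

# A host-name label: letters, digits and hyphen, not starting or ending with a hyphen.
HOST_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_labels(name: bytes) -> List[bytes]:
    """Split a wire-form-independent presentation name into its labels."""
    if name.endswith(b"."):          # drop the trailing dot of a fully qualified name
        name = name[:-1]
    return name.split(b".") if name else []


def check_name(name: bytes, rrtype: str) -> List[str]:
    """Return the problems found with `name` as an owner of an `rrtype` record.

    An empty list means the name passes.  Control octets (0x00-0x1f, 0x7f) and
    non-ASCII octets are flagged for every record type; the stricter host-name
    syntax is applied only to the types in HOSTNAME_TYPES.
    """
    problems: List[str] = []
    labels = split_labels(name)
    if not labels:
        problems.append("empty name")
    for label in labels:
        if len(label) == 0 or len(label) > 63:
            problems.append(f"bad label length {len(label)}")
        if any(b < 0x20 or b >= 0x7F for b in label):
            problems.append(f"non-printable or non-ASCII octet in label {label!r}")
        elif rrtype.upper() in HOSTNAME_TYPES and not HOST_LABEL.match(label.decode("ascii")):
            problems.append(f"label {label!r} is not a valid host-name label")
    return problems


def is_suspect(name: bytes, rrtype: str) -> bool:
    """Convenience wrapper: True when check_name reports anything."""
    return bool(check_name(name, rrtype))


if __name__ == "__main__":
    # Constructed sample names, not taken from any real zone.
    for n, t in [(b"www.example.com.", "A"), (b"my_host.example.com", "A"),
                 (b"my_host.example.com", "TXT"), (b"\x01evil.example.com", "TXT")]:
        print(t, n, check_name(n, t))
```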

