[TriLUG] MAC-based web blocking
Aaron S. Joyner
aaron at joyner.ws
Wed Sep 13 12:21:56 EDT 2006
jason at monsterjam.org wrote:
>bind?! you gotta be kidding..
>http://www.isc.org/index.pl?/sw/bind/bind-security.php
>next to sendmail, it's been historically Swiss cheese as far as security holes..
>If you feel the need to use software that needs to be updated every few months,
>knock yourself out.
>
>
So BIND might have a sordid past, but that URL you posted is sort of a
testament to the current incorrectness of your statement. Note that the
most recent vulnerability listed was in fact a few months ago (July
9th), but it's only a DoS concern for people using DNSSEC and allowing
recursive queries (effectively, almost no one). The previous
vulnerability was going on two years ago (Jan 2005), prior to that was
almost another year back (Feb 2nd, 2004), prior to that more than
another year (Nov 12th, 2002). If your definition of "updated every few
months" includes bugs which are so specific I have to stop and construct
weird scenarios where you might be affected by them in my head, and
you're either so outdated as to be running older BIND versions less
than 8.3 in 2004 or so bleeding edge as to be doing DNSSEC in the latest
code base (in which case you're upgrading more frequently to follow
feature sets, than bugs, as the standards evolve), *and* "every few
months" really means "every 11 to 20 months", then I might agree with
you. :) Since the chances of that are zero, I'll keep running BIND. :)
Aaron S. Joyner