Security Portal: Securing your name servers. Nov 24, 1999, 17:18 UTC. By Kurt Seifried.
"Recently a root hack for Bind 8.x came out (that has now been fixed with version 8.2.2PL3 and up...). This is pretty bad since almost all DNS servers on the Internet run Bind, and this makes it pretty widespread, but there is an even worse problem."
"Bind is currently making a transition from being born in the age when the Internet was a relatively safe place, and has become a critical component of the Internet infrastructure. A lot of the code in Bind is quite old and crufty in some ways; this has resulted in various security issues pertaining to the Bind servers themselves (i.e. root hacks, denial of service, etc.). There is also new code in Bind (DNS SECurity, DNSSEC) to allow for cryptographic signing of data, so that the data you receive that claims to be the IP address for www.megabank.com is indeed the right IP address. What is so scary about the recent root hack is that it was in new code pertaining to the DNSSEC features that had been audited. Obviously there is the possibility for other, similar, problems in the existing code base. For Bind 9.x a complete rewrite of the code is planned, with long-term goals such as making it easier to audit and secure; however, until then we must make do with Bind 8.x."
"There are a variety of techniques, some internal, and some external to Bind that will allow you to compile, install and configure Bind very securely. These techniques used in conjunction with each other can proactively prevent a server from being compromised in future even if a similar problem crops up."
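The first thing an administrator reading the above would want to know is whether the servers they run are at or above the 8.2.2-P3 (written "8.2.2PL3" above) release that carries the fix. The following shell script is an added example written for this page, not code from Kurt Seifried's article or from the Bind project: it parses a Bind 8 version string, or the version token out of a `named -v` style banner whose exact layout is assumed here, and reports whether it is older than 8.2.2-P3. The sample banner and version strings at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not from the article): classify a Bind 8 version string
# against 8.2.2-P3, the first release the text names as carrying the fix.

# Print "major minor patch patchlevel" for a version such as "8.2.2-P3".
# "8.2.2PL3" is accepted as a spelling of "8.2.2-P3"; a missing -Pn
# suffix means patch level 0, so "8.2.2" sorts below "8.2.2-P1".
bind8_version_fields() {
    ver=$(printf '%s\n' "$1" | sed 's/^\([0-9.]*\)PL/\1-P/')
    base=${ver%%-*}              # "8.2.2"
    suffix=${ver#"$base"}        # "-P3", "-REL", or ""
    pl=0
    case $suffix in
        -P*) pl=${suffix#-P} ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $base                 # split the dotted part into positional fields
    IFS=$oldifs
    echo "${1:-0} ${2:-0} ${3:-0} $pl"
}

# Return 0 when $1 is 8.2.2-P3 or newer, 1 when it is an older Bind 8
# release (still carries the hole), 2 when it is unparseable or not a
# Bind 8 line at all (Bind 4.x is a different code base, not judged here).
bind8_is_fixed() {
    set -- $(bind8_version_fields "$1")
    for f in "$1" "$2" "$3" "$4"; do
        case $f in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$1" -lt 8 ] && return 2
    # Field-by-field numeric comparison against 8 2 2 3.
    for pair in "$1:8" "$2:2" "$3:2" "$4:3"; do
        have=${pair%%:*}; want=${pair#*:}
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
    done
    return 0                     # exactly 8.2.2-P3
}

# Pull the version token out of a banner line such as the output of
# `named -v`. The banner layout is an assumption: the first field that
# looks like N.N... is taken as the version.
bind8_version_from_banner() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit } }'
}

# One-line human-readable verdict for a version string.
report_bind8_version() {
    rc=0
    bind8_is_fixed "$1" || rc=$?
    case $rc in
        0) echo "$1: 8.2.2-P3 or newer, contains the fix named in the article" ;;
        1) echo "$1: older than 8.2.2-P3, upgrade this server" ;;
        *) echo "$1: not a Bind 8 version string this check understands" ;;
    esac
}

# Constructed sample input; on a real host feed in the output of `named -v`.
sample_banner='named 8.2.2-P3 Thu Nov 18 1999 build@example.invalid'
for v in 8.2.2 8.2.2-P3 8.2.2PL3 8.2.3-REL 4.9.7 "$(bind8_version_from_banner "$sample_banner")"; do
    report_bind8_version "$v"
done
```

The comparison is deliberately field-by-field rather than a string compare, because "8.2.2-P10" must sort above "8.2.2-P3" and "8.2.2" with no patch level must sort below both; the check only answers the version question, and says nothing about the other hardening techniques the article goes on to describe.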