Security Portal: Securing your name serversNov 24, 1999, 17:18 (0 Talkback[s])
(Other stories by Kurt Seifried)
"Recently a root hack for Bind 8.x came out (that has now been fixed with version 8.2.2PL3 and up...). This is pretty bad since almost all DNS servers on the Internet run Bind, and this makes it pretty widespread, but there is an even worse problem."
"Bind is currently making a transition from being born in the age when the Internet was a relatively safe place, and has become a critical component of the Internet infrastructure. A lot of the code in Bind is quite old and crufty in some ways, this has resulted in various security issues pertaining to the Bind servers themselves (i.e. root hacks, denial of service, etc.). There is also new code in Bind (DNS SECurity, DNSSEC) to allow for cryptographic signing of data, so that the data you receive that claims to be the IP address for www.megabank.com is indeed the right IP address. What is so scary about the recent root hack is that it was in new code pertaining to the DNSSEC features that had been audited. Obviously there is the possibility for other, similar, problems in the existing code base. For Bind 9.x a complete rewrite of the code is planned, with long terms goals such as making it easier to audit and secure, however until then we must made do with Bind 8.x."
"There are a variety of techniques, some internal, and some external to Bind that will allow you to compile, install and configure Bind very securely. These techniques used in conjunction with each other can proactively prevent a server from being compromised in future even if a similar problem crops up."