Security Portal: Securing your name servers

Recently a root hack for Bind 8.x came out (it has since been
fixed in version 8.2.2PL3 and up…). This is pretty bad on its own,
since almost all DNS servers on the Internet run Bind, which makes
the exposure very widespread, but there is an even worse
problem.

“Bind is currently making a transition from being born in the
age when the Internet was a relatively safe place, and has become a
critical component of the Internet infrastructure. A lot of the
code in Bind is quite old and crufty in some ways; this has
resulted in various security issues pertaining to the Bind servers
themselves (i.e. root hacks, denial of service, etc.). There is
also new code in Bind (DNS SECurity, DNSSEC) to allow for
cryptographic signing of data, so that the data you receive that
claims to be the IP address for www.megabank.com is indeed the
right IP address. What is so scary about the recent root hack is
that it was in new code pertaining to the DNSSEC features that had
been audited. Obviously there is the possibility for other,
similar, problems in the existing code base. For Bind 9.x a
complete rewrite of the code is planned, with long-term goals such
as making it easier to audit and secure; however, until then we must
make do with Bind 8.x.”

“There are a variety of techniques, some internal, and some
external to Bind that will allow you to compile, install and
configure Bind very securely. These techniques used in conjunction
with each other can proactively prevent a server from being
compromised in future even if a similar problem crops up.”
