Where is the maraDNS 2.0 source code

Sam Trenholme strenholme.usenet at gmail.com
Fri Feb 4 01:41:09 EST 2011

(It's an obsolete tradition; but I'm an old Usenet poster [1] so I
usually "top quote" and trim quotes instead of "bottom quote")

>> I can see in the source code tarball the source code for deadwood. But if
>> I understand correctly MaraDNS 2.0 will still exist as a separate process.
>> However I cannot find the source code for this.

Nothing stupid about it at all.  MaraDNS 2.0 is normally available on
http://maradns.org/download.html, but in light of last week's zero-day
exploit [2], I have temporarily hidden MaraDNS 2.0 because I didn't
have enough time to properly update all three maintained branches of
MaraDNS.  I should have 2.0 up again this weekend sometime.

> Hmm searching through the mailing list archive I can conclude I could just
> compile the 1.4.x code with AUTH_ONLY=1 and call it 2.0.x

2.0.01 was, indeed, 1.4.05 with the makefiles modified to compile it
"--authonly" (unlike 1.4, it is possible to compile 2.0 without IPv6
and without recursion).  However, 2.0.02 will have some bugfixes and
features Yarin has contributed which won't get into the 1.4 (nor 1.3)
branch of MaraDNS.

As an aside, if you want to get a sense of security updates, we had
one in 2010 and (so far) one in 2011.  I just added security patches
going as far back as 2007 and put them here:


Currently, these are all security patches; all of them except the
"parse segfault" and the "CVE-2011-0520" patches should be in the
"stable" release; some of them may or may not be in the old Lenny
release.  The "parse segfault" bug (CVE-2010-2444) does not exist in
MaraDNS 1.2 [3]; the CVE-2011-0520 bug does.


Making sure these security patches are either applied or will not be
applied to all branches of MaraDNS in Debian's repository should keep
you busy until I can get 2.0.02 out the door this weekend sometime.

- Sam

[1] I just said my final goodbye to Usenet this year:
and http://www.samiam.org/blog/20110111.html

[2] To be fair to the reporter of the security bug, I have made it
quite difficult to contact me because I got sick and tired of people
who demanded free support from me in private email and always ignored
the "don't ask for free MaraDNS support" line in the page with my
email address.  I plan, when I get a chance, to make the "security"
page more visible and make a link to my email address visible there.

[3] http://maradns.blogspot.com/2010/02/maradns-1403-and-130710-released.html
