compilation bug fix for bsds

Yarin yarin at warpmail.net
Sun Jan 2 00:30:03 EST 2011


Happy New Year,

Not handling SIGPIPE is definitely a big deal, especially when that vulnerability lies in something that popular
(IMHO, SIGPIPE was a really bad design idea in the first place, but that's beside the point),
but it looks like there's been a patch for that since 2003, so I would imagine that there aren't any djbdns versions with this problem in service any more.

http://marc.info/?l=djbdns&m=104804013229536&w=2

Yarin

----- Original message -----
From: "Sam Trenholme" <strenholme.usenet at gmail.com>
To: list at maradns.org
Date: Fri, 31 Dec 2010 12:47:47 -0700
Subject: Re: compilation bug fix for bsds

> But actually, I'm already using MaraDNS 2 and the Deadwood resolver you
> bundled with it; I liked that you separated the server and resolver.

Separating them removes a lot of annoying corner cases which have
caused problems over the years.  For example, how do we set the "RA"
(recursion available) bit...I have applied countless patches over the
years to come up with heuristics which try to give this bit the right
value (or, at least, a value which doesn't cause problems with other
DNS servers).

With MaraDNS 2.0, "RA" is always "0", and, with Deadwood, "RA" is
always "1".  Simple, clean, and elegant.

> early on I decided against djbdns, "personal rants" aside, after finding out
> that it hasn't really been maintained in a while (besides the various
> patches), and even in my limited experience,
> unmaintained = asking for trouble.

The argument djbdns advocates make against using an updated DNS server
is that djbdns is perfect and doesn't need to be updated.  Indeed, in
spite of the three known security problems with djbdns, as recently as
2010 we can see people publicly declaring djbdns "bug-free":

http://tech.slashdot.org/comments.pl?sid=1589160&cid=31547474

It's probably time someone posted to Bugtraq (or filed a CVE) that
djbdns doesn't catch SIGPIPE, making it trivial for anyone who can
connect to a djbdns server via TCP to crash and restart the server;
this way it is well known that djbdns has security problems so people
update their software instead of deluding themselves that they are
secure when they are not.

That said, there are maintained branches of djbdns.  zinq is a djbdns
fork with the major security holes patched, and some other updates (it
is possible to compile zinq with "./configure; make", for example):

http://freshmeat.net/projects/zinq
http://sourceforge.net/projects/zinq/files/

> Unbound looks pretty cool though.

Oh, I agree.  Unbound is a really great DNS server.  It has one
"killer feature" which Deadwood does not have: DNSSEC.  On the other
hand, Deadwood is a 64k binary (on x86) which is a fraction of the
size of Unbound; it's a far lighter DNS server.

- Sam

P.S. Happy new year 2011 everyone!


