[MaraDNS list] Having trouble running maradns and deadwood on the same host

Sam Trenholme strenholme.usenet at gmail.com
Sun May 29 08:50:52 EDT 2011


> It gets lonely over here because you won't introduce any kewl bugs in
> MaraDNS ;)

Well, there was CVE-2011-0520, which was really embarrassing.  Yes, it
was a buffer overflow (MaraDNS' first, last, and hopefully only one).
No, it could not be exploited to escalate privileges because the
overflowed buffer's content was controlled by MaraDNS.  Yes, when I
rewrote that code back in 2009 for Deadwood, I didn't make the same
mistake again (CVE-2011-0520 was a 2002 programming error).

I think the best way to honestly compare the security of FOSS DNS
servers is by looking at their Debian security record:

http://security-tracker.debian.org/tracker/source-package/djbdns (1
open, 1 resolved)

http://security-tracker.debian.org/tracker/source-package/maradns (1
open, 7 resolved) [1]

http://security-tracker.debian.org/tracker/source-package/bind9 (2
open, about 30 resolved)

http://security-tracker.debian.org/tracker/source-package/pdns (8 resolved)

http://security-tracker.debian.org/tracker/source-package/unbound (1
open, 3 resolved)

The "open" issue in MaraDNS is one I fixed over a year ago, but since
the powers that be at Debian don't feel it's an important enough issue
to backport a fix to the lenny branch, it is still an open issue in
their database.  Sigh.

The djbdns security issue has been around since 2008 and never been
resolved (there is also another remote denial of service security
issue I discuss on my blog [2]); all the other nameservers are pretty
good about fixing bugs as they pop up.

- Sam

[1] 13 resolved security issues are listed at http://maradns.org/security.html

[2] http://samiam.org/blog/20110103.html  Summary: If you still think
djbdns-1.05 is perfectly secure and doesn't need to be updated [3], I
hope you aren't deploying software on live servers.

[3] Some idiot on Slashdot claims this about once every year.  For
example: http://tech.slashdot.org/comments.pl?sid=2008894&cid=35291062

