[MaraDNS list] MaraDNS and Deadwood updates ; djbdns rant

Sam Trenholme maradns at gmail.com
Sat Jul 21 15:11:46 EDT 2012


==Deadwood update==

I have updated the patch resolving the problem Deadwood had with
es-us.noticias.yahoo.com last month so that, should a similar issue
pop up in the future, Deadwood logs messages (starting at log level
100) describing the issue. In addition, in light of Rich Felker's
concerns a couple of months ago with MaraDNS' handling of malloc() I
have replaced all calls to "malloc()" in the code with "dw_malloc()",
which is simply a macro that is replaced with "malloc()".

Doing this would make it easier for one to replace malloc() in
Deadwood with something that more gracefully handles malloc()
failures, such as blocking Deadwood until malloc() succeeds again, or
by having malloc() failures terminate Deadwood and wrapping Deadwood
in a script that restarts it when terminated. Since I am in debug, not
develop mode, I have no plans to implement this kind of code myself.
Deadwood was written for Linux and Windows; Linux does not, by
default, have malloc() fail; it simply terminates processes that use
too much memory.

For the record: MaraDNS terminates upon a malloc() failure. Deadwood's
behavior is undefined should malloc() fail. If anyone is using MaraDNS
in an environment where a kernel allows malloc() to return a NULL
pointer, it is best to wrap MaraDNS in a script that restarts it when
it terminates. If using Deadwood in an environment where malloc() may
return NULL, please replace the dw_malloc() macro with a function that
can properly handle a malloc() failure.  (I know some of this has
already been covered on the mailing list, but there are a lot of
MaraDNS users who do not pay attention to the mailing list nor the
blog, so I sometimes repeat myself.)

It can be downloaded here:

    http://www.maradns.org/deadwood/snap/

I plan to work on MaraDNS/Deadwood again one day next month in August,
after the 20th, unless a critical security bug with a CVE number is
found.  My next TO DO item for MaraDNS is to get back to updating
MaraDNS for CentOS/Scientific Linux 6.

==Harlan==

Harlan: As it turns out, I have already updated the copyright in the
last development snapshot for MaraDNS.  Since users seem to not find
these snapshots -- and, yes, I have been giving links in my blog [1]
-- I have updated http://maradns.org/download.html to point to the
development snapshots.

==djbdns userbase rant==

I need to stop trying to point out djbdns' problems with its users;
pretty much every time I do, the djbdns user is completely unwilling
to acknowledge that, yes, djbdns has security problems.  They usually,
as part of their denial mechanism, accuse me of spamming for MaraDNS.

djbdns was a breath of fresh air in the late 1990s when running a DNS
server meant exposing your computer to potential remote root exploits.
It's too bad it came with a crappy license and an attitude that it
was somehow magically perfect and never needed to be updated.  It's
too bad there are still ostriches in 2012 with their heads in the sand
who pretend its security problems (such as CVE-2012-1191 and
CVE-2008-4392) do not exist.

This denial is understandable: Djbdns users took a perverse pleasure
wagging their male reproductive organ around and boasting how much
more secure they were than those pathetic BIND users.  It's hard for a
person with that kind of attitude to admit they are wrong.

For the record: Yes, djbdns has a better security record than MaraDNS.
Indeed, Unbound has a better security record than MaraDNS.  djbdns
doesn't have a monopoly on DNS security: NSD has (knock on wood) a
perfect security record and while Unbound has twice as many CVE
reports as djbdns' recursor, Unbound does quite a bit more than djbdns
and their security holes are usually things like "DNSSEC in this
particular setup may not be as secure as it should be".

==Patches==

Right now, I am not readily incorporating third party patches into
MaraDNS.  The reason is because I become responsible for any and all
bugs a given patch creates once I accept the patch; I have had issues
over the years with patches causing bugs to pop up which I then had to
fix.

Hopefully, someone else can get MaraDNS-ng going where patches can be
accepted.

- Sam

[1] For example, the MaraDNS update in
http://samiam.org/blog/20120521.html points to the version with
copyright dates updated for 2012
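Added illustration (not Deadwood or MaraDNS code) of what a replacement for the dw_malloc() macro could look like, covering both options the post mentions: blocking with retries until malloc() succeeds, and otherwise terminating so a wrapper script can restart the daemon. Only the dw_malloc() macro name comes from the post; dw_malloc_blocking, dw_raw_alloc, dw_fatal, the retry cap and the test-only dw_flaky_alloc allocator are assumptions made here. The allocator and the fatal handler are function pointers so the NULL path can be exercised without actually exhausting memory.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for nanosleep() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Allocator hook: the real malloc() in production; a test swaps in an
 * allocator that returns NULL a chosen number of times (assumption). */
typedef void *(*dw_alloc_fn)(size_t);
static dw_alloc_fn dw_raw_alloc = malloc;

/* Handler invoked when every attempt has failed. The default logs and
 * terminates, which is the "restart it from a script" option. */
typedef void (*dw_fatal_fn)(size_t);
static void dw_default_fatal(size_t n) {
    fprintf(stderr, "dw_malloc: giving up on %zu-byte allocation\n", n);
    exit(EXIT_FAILURE);
}
static dw_fatal_fn dw_fatal = dw_default_fatal;

/* Number of failed attempts seen by the most recent call. */
static unsigned dw_retry_count = 0;

static void dw_sleep_ms(unsigned ms) {
    struct timespec ts;
    ts.tv_sec = ms / 1000;
    ts.tv_nsec = (long)(ms % 1000) * 1000000L;
    nanosleep(&ts, NULL);
}

/* Blocking option: retry malloc() with capped exponential backoff instead
 * of returning NULL to code that never checks for it. Returns NULL only
 * if the fatal handler returns (the default handler does not). */
void *dw_malloc_blocking(size_t n, unsigned max_attempts) {
    unsigned delay_ms = 10;
    dw_retry_count = 0;
    for (unsigned attempt = 1; attempt <= max_attempts; attempt++) {
        void *p = dw_raw_alloc(n);
        if (p != NULL)
            return p;
        dw_retry_count++;
        fprintf(stderr, "dw_malloc: attempt %u/%u for %zu bytes failed\n",
                attempt, max_attempts, n);
        if (attempt < max_attempts) {
            dw_sleep_ms(delay_ms);
            if (delay_ms < 1000)
                delay_ms *= 2;
        }
    }
    dw_fatal(n);
    return NULL;
}

/* What the dw_malloc() macro would expand to under this scheme. */
#define dw_malloc(n) dw_malloc_blocking((n), 5)

/* --- test scaffolding (constructed here, not part of any real build) --- */
static unsigned dw_fail_remaining = 0;
static void *dw_flaky_alloc(size_t n) {
    if (dw_fail_remaining > 0) {
        dw_fail_remaining--;
        return NULL; /* simulate the kernel refusing memory */
    }
    return malloc(n);
}
static unsigned dw_fatal_calls = 0;
static void dw_counting_fatal(size_t n) { (void)n; dw_fatal_calls++; }

/* Runs one scenario: inject `fails` NULL returns, allow `max_attempts`.
 * Returns 1 if the allocation eventually succeeded, 0 if it gave up. */
int dw_demo_recovers(unsigned fails, unsigned max_attempts) {
    dw_raw_alloc = dw_flaky_alloc;
    dw_fail_remaining = fails;
    dw_fatal = dw_counting_fatal;
    dw_fatal_calls = 0;
    void *p = dw_malloc_blocking(64, max_attempts);
    int ok = (p != NULL);
    if (ok) {
        memset(p, 0, 64); /* prove the memory is usable */
        free(p);
    }
    dw_raw_alloc = malloc;
    dw_fatal = dw_default_fatal;
    return ok;
}
unsigned dw_last_retries(void) { return dw_retry_count; }
unsigned dw_last_fatal_calls(void) { return dw_fatal_calls; }

int main(void) {
    printf("recovers after 2 failures: %d\n", dw_demo_recovers(2, 5));
    printf("gives up after 3 attempts: %d\n", dw_demo_recovers(5, 3));
    char *buf = dw_malloc(16); /* normal path through the macro */
    free(buf);
    return 0;
}
```

The retry cap exists so a daemon does not block forever on a machine that will never free memory; in the terminate case the retries are logged first, which is what a restart wrapper script would want to see in the log.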
