From: Paul D. Robertson (proberts@patriot.net)
Date: Wed Jan 02 2002 - 20:06:34 CST


On Wed, 2 Jan 2002, Len Conrad wrote:

> >Always (for performance reasons)- however it's important to ensure that
> >the DNS isn't exploitable- after WU-FTP, BIND is pretty high on the list of
> >*nix exploit vectors
>
> This has not been true for over a year for ISC BIND8, and ISC BIND9 hasn't
> yet been compromised.

Not everyone runs ISC BIND directly- especially if they're using
vendor-supplied software, and definitely a large number of places don't update
nearly often enough. Also, I think we've still got a couple weeks before we hit
"over a year."

> Check with SANS where they put BIND at the top of risks, BUT at least they
> qualify that warning by saying it's the old versions of BIND that are still
> running years after they were exploited.

Nonetheless- BIND's history doesn't instill confidence and regardless
of that protecting BIND only makes sense on a mail server.

WU-FTPD, BIND and Sendmail fall into the "large codebase that's historically
been broken" category.

The current BIND trend is a very significant improvement, but Sendmail's
had some smooth stretches too.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
