Re: Announcing a new DNS server implementation

From: D. J. Bernstein (djbat_private)
Date: Wed Jan 09 2002 - 20:05:05 PST

    bugtraqat_private writes:
    > First of all, BIND 9 is a complete rewrite of BIND, which, so far, has
    > not had one security problem reported with it.
    
    I have two questions. First, why has ISC reported all the crash-BIND-8
    bugs on its ``BIND security'' page and in CERT advisories, but none of
    the crash-BIND-9 bugs?
    
    (The primary ``security'' mechanism in BIND 9 is a fragility mechanism:
    BIND 9 commits suicide if it gets confused, or if you poke it sharply,
    or if you simply think bad thoughts in its general direction. The BIND 9
    change log is full of reports of easily triggered crashes.)
    
    Second, how much money do I get from ISC if I look at the BIND 9 code
    and find, for example, a bug letting attackers take over the server?
    
    > This release has gone under months of testing by a volunteer crew, and
    > I believe that we have most of the bugs ironed out.
    
    I have three questions. First, what exactly do you mean by ``found some
    security problems'' in your change log for 0.8.99? Why doesn't the
    change log explain exactly what the problem is and what its impact is?
    
    Second, how much money do I get from you if I look at your code and
    find, for example, a bug letting attackers take over the server?
    
    Third, bottom line: How serious are you about security? I don't just
    mean chroot and stralloc. I don't just mean ``strive to be secure.'' And
    I certainly don't mean Microsoft's ``we'll try but we guarantee you that
    we'll fail.'' _Will_ your software be secure?
    
    ---Dan
    
    P.S. I also have a question for the bugtraq moderators. You regularly
    accept BIND 9 advertisements from the BIND authors, and you've accepted
    this MaraDNS advertisement from the MaraDNS author. Why did you reject
    http://cr.yp.to/djbdns/bugtraq/20010201072942-22539-qmail@cr-yp-to,
    specifically the final paragraph about djbdns, as ``marketing''?
    


