Talk:BIND: Difference between revisions

From Wikipedia, the free encyclopedia

Revision as of 15:59, 30 December 2016


What about version numbers? The first version was version 4, why? Where are versions 5-7?

What about the bind10 project? —Preceding unsigned comment added by Compukid (talk · contribs) 18:26, 22 April 2009 (UTC)

Why is djbdns singled out as an example of an alternative system? --Karlkatzke 06:16, 30 Mar 2005 (UTC)

Not any more, it would seem. But, yes, this article still has bits and pieces of what looks to be an ad for djbdns. I've tried to minimize that (such as making it clear BIND 9 is a good deal more secure than BIND 4/8). Considering that BIND is the standard DNS server, the article for it should be at least as long as the article for MaraDNS, my humble little DNS offering. Samboy 08:20, 9 October 2005 (UTC)


"it was originally created by Paul Vixie in 1988." No it wasn't. Check the history page. 1988 is just when Vixie took over maintainership.

What does Microsoft use

I heard a perception that Microsoft also uses BIND, okay not really BIND but BIND in a customized/extended form? Is this true, or is their DNS a completely different implementation?

Microsoft uses its own custom implementation of DNS as of Windows NT4 (I think) and Windows 2000 for certain. Microsoft's DNS implementation, as of Windows 2000, is designed to be integrated into Active Directory. This is called, creatively enough, "Active Directory Integrated DNS". An Administrator, at his option, may use BIND in lieu of Microsoft's own DNS. This arrangement breaks Active Directory integration, however. I hope this clears things up.
Wikijeff
Microsoft has its own implementation of DNS called, creatively enough, Microsoft DNS. This is complete and separate from BIND, and is highly recommended when it is to be used with Active Directory (because of AD's heavy usage of DNS, it will add custom records). This is as of Windows Server 2003.
—RShi


Criticisms

Removed the configuration file criticism. An application like Apache HTTPD does not check syntax at runtime either, if there is a syntax error it just aborts the start/restart. Someone with an ax-to-grind/agenda was trying to weasel this in. BIND 9 will abort a start/reload of the zone if the configuration files contain a syntax error. In both applications a manually-run syntax checker is included. Cowbert (talk) 05:57, 20 February 2010 (UTC)


I fail to see how a list of security vulnerabilities that have affected BIND 9 adequately justifies this sentence: "it has not experienced a significantly better security history." Yes, we get that there have been many exploits, but nothing there justifies that sentence, unless you did the research yourself. 10:26 PM, 21 September 2008 (PDT) Steve R


Rewrote that sentence to more accurately reflect the information given by the referenced site, removed unfounded conclusion that BIND9 "has not experienced a significantly better security history". Alex G. (talk) 01:38, 5 June 2008 (UTC)

I took a look at the ISC vulnerability matrix for BIND (BIND 9, although a complete rewrite, has not experienced a significantly better security history.) and I'd like to note that the ISC page itself does not draw the conclusion that BIND 9 security is not much better than previous versions. 10:26, 21 September 2008 (PDT)

In fact, both 'critical' vulnerabilities were for BIND 8, and many of the BIND 9 vulns are fairly specific as to the configuration of the server and context of the attack. Alex G. (talk) 05:10, 4 June 2008 (UTC)

Modified LDAP section and changed it to a more general commentary on zone storage mechanisms. This isn't an advertisement for a commercial product supporting LDAP storage. Fehrgo (talk) 11:25, 15 January 2008 (UTC)

Removed this sentence:

BIND 9 is a fairly large application that includes a large number of features that most DNS administrators probably will never use.

Clearly not a sentence worthy of being in an encyclopedia of any sort. "fairly large", "large number", "most [admins] probably will never use". Wow! Vague. Vague. Vague AND speculative. Amazing!

contribs) 05:22, 2 August 2006 (UTC)

Geodns

Agreed. Additionally the section has no sources cited, which alone is reason to cull it. I'll remove. Anastrophe (talk) 16:37, 2 December 2016 (UTC)

Merge rndc into BIND

I'd like to suggest rndc be merged into this page. It looks to me like rndc is part of bind, for example it is included as part of the bind9 debian package. All comments welcome. --h2g2bob 12:10, 17 March 2007 (UTC)

Configuration Criticism

The trailing dot is actually the standard way that DNS works, and most browsers accept that format as well. The BIND configuration file has origins and zones which control what domain will be appended to it. Ex:

$ORIGIN wikipedia.org.
www IN A 10.10.27.83

Is the correct way to configure the www.wikipedia.org entry; any administrator who puts www.wikipedia.org has just not read the manual. This makes sense really, as otherwise you'd have to retype the parent domain constantly; you can explicitly override the origin by appending a period to it if you'd like.

While I'll admit that this is counter-intuitive to users not familiar with BIND, and that perhaps it seems backwards given that almost every other program that uses FQDNs does not require the final period, this is in fact the standard (in fact without the final period, most browsers will also search your local domains for something like www.microsoft.com.your.company.com).

I will also go so far as to admit that this is a Criticism of BIND, if you'd like; however some people do not like Wikipedia's default color schemes, the fact that the sky is blue, and the fact that the sun rises in the east and sets in the west. I don't think that by itself merits it being included as Criticism in their respective articles. —Preceding unsigned comment added by SJrX10 (talk · contribs) 19:38, 9 January 2009 (UTC)
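The $ORIGIN and trailing-dot rules described in this thread, as an added example that is not part of the original page and not BIND's own code: a small Python reader for a zone-file fragment that shows what absolute owner name each record actually gets, plus a model of how a resolv.conf-style stub resolver applies its search list to a name without the final dot. The zone text, the `example.test.` default origin, the `your.company.com` search domain and the glibc-style ndots ordering are assumptions made for the demonstration.

```python
# Added example (not BIND's own code): how $ORIGIN and the trailing dot
# determine the absolute owner name of each record, and how a stub
# resolver's search list treats names that lack the trailing dot.
from __future__ import annotations

from dataclasses import dataclass

# Constructed zone fragment for the demonstration; the second line is the
# mistake the thread describes (an intended FQDN written without the dot).
ZONE = """
$ORIGIN wikipedia.org.
www                 IN  A    10.10.27.83    ; relative: becomes www.wikipedia.org.
www.wikipedia.org   IN  A    10.10.27.83    ; relative too: origin gets appended
mail.example.net.   IN  A    192.0.2.25     ; absolute: left alone
@                   IN  NS   ns1            ; @ is the origin; NS target is relative
"""

NAME_RDATA_TYPES = {"NS", "CNAME", "PTR"}   # rdata is itself a domain name


def qualify(name: str, origin: str) -> str:
    """Absolute (trailing-dot) form of a name under the current $ORIGIN."""
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with '.')")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


@dataclass
class Record:
    owner: str
    rclass: str
    rtype: str
    rdata: str


def parse_zone(text: str, default_origin: str) -> list[Record]:
    """Minimal reader: $ORIGIN, ';' comments, 'owner [class] type rdata'.
    No TTLs, no parentheses, no blank-owner continuation lines."""
    origin = default_origin
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)   # a relative $ORIGIN nests
            continue
        owner = qualify(fields[0], origin)
        rest = fields[1:]
        rclass = "IN"
        if rest and rest[0] in ("IN", "CH", "HS"):
            rclass = rest.pop(0)
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in NAME_RDATA_TYPES:
            rdata = qualify(rdata, origin)       # names in rdata are relative too
        records.append(Record(owner, rclass, rtype, rdata))
    return records


def candidate_names(name: str, search: list[str], ndots: int = 1) -> list[str]:
    """Lookup order of a resolv.conf-style stub resolver (assumed glibc
    semantics): a trailing dot means absolute, try as-is only; otherwise the
    literal name is tried first if it has at least `ndots` dots, and each
    search domain is appended in turn if earlier lookups fail."""
    if name.endswith("."):
        return [name]
    as_is = name + "."
    searched = [f"{name}.{d.rstrip('.')}." for d in search]
    return [as_is] + searched if name.count(".") >= ndots else searched + [as_is]


if __name__ == "__main__":
    for rec in parse_zone(ZONE, "example.test."):
        print(f"{rec.owner:36} {rec.rclass} {rec.rtype:5} {rec.rdata}")
    print(candidate_names("www.microsoft.com", ["your.company.com"]))
```

Running it prints `www.wikipedia.org.wikipedia.org.` for the dot-less line, which is exactly the record BIND would load and serve; the search-list model shows that `www.microsoft.com` is tried as-is first (it has at least one dot) and only then as `www.microsoft.com.your.company.com.`, while a bare `intranet` goes through the search list first.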

geodns

there is no information about geodns here, but there are links to Geodns in wiki. `a5b (talk) 18:36, 31 December 2009 (UTC)

Yeah, this is not too smart, to bounce to a place where there is no information on the bounce... WTF is geodns? is it a plug-in, a patch, a religion? — Preceding unsigned comment added by 207.96.182.162 (talk) 17:49, 4 September 2012 (UTC)

Naming

I see the BIND expansion has just been re-altered back to "Berkeley Internet Name Daemon" in spite of what the most reliable sources state. Firstly we have a peer-reviewed paper with the ... Domain expansion. We also have the package itself, which still uses that expansion, not least in the Administrator's Reference Manual. In my view there isn't really any debate about what the package is actually called. To counter that we have a number of informal and less authoritative web pages using the ... Daemon expansion.

The ... Daemon expansion is admittedly commonplace but there is no reason to suppose that it is anything other than in error. An error is still an error no matter how often it is repeated. It is easy to see how this error comes about; after all, it follows the pattern of other daemon services - crond, inetd, syslogd etc. where the "d" indicates the daemon nature of the process. However, in this instance we have very strong evidence against that, and that the terminal "d" is purely coincidence. The current treatment acknowledges both names but gives preference to the incorrect form based on an unsourced "popular usage" argument, as if that alone is enough to make it correct. Crispmuncher (talk) 14:26, 10 July 2010 (UTC)

I disagree. It is easy to find a lot of credible sources for ... Daemon, starting with ISC's own site which states "The name BIND stands for "Berkeley Internet Name Daemon"", and Google can find more than 196.000 occurrences of Daemon vs 31.900 for "Domain". Now you call "Daemon" an "error" and I would like to see a credible source backing that up explicitly. As far as I can see, there are two meanings generally given to this acronym, the most popular being Daemon. Calling "Daemon" an error is an exaggeration. Mro (talk) 08:52, 11 July 2010 (UTC)
I work for ISC; the use of the term Daemon was an error on our part which was just recently caught and has been corrected on our site. I've just updated the article for accuracy. BIND = Berkeley Internet Name Domain. Temptaker (talk) 19:26, 29 January 2011 (UTC)

"Claims?"

"Claims" to be so? In what way is BIND possibly *not* the primary IP name service in use in the world? In fact, apart from limited proprietary systems (that don't scale), and others that require *help from BIND* in order to work - BIND is it. Puzzled by the fatuous opening statement. 110.174.169.36 (talk) —Preceding undated comment added 07:58, 16 September 2010 (UTC).

Probably written by a frustrated Windows user. 217.125.117.197 (talk) 15:51, 11 May 2011 (UTC)
The real answer to this question is that Wikipedia needs factual backing to say that it's the most widely used DNS software. Its own website said that, so we cited that, but that wasn't a good reliable source, so we said it "claims" to be most popular. Since then, Wikipedia editors have found some reliable sources backing this as fact, and have re-written the opening sentence. It now reads: "BIND ( /ˈbaɪnd/), or named (/ˈneɪmdiː/), is the most widely used DNS software on the Internet.[1][2]" —fudoreaper (talk) 05:46, 5 September 2012 (UTC)

Security

Having looked over the article for the first time in several years, I see that all mentions of the severe security issues that BIND 9 has experienced have been scrubbed from the article - in favor of simply offering a bland 'issues are reported according to common practices'....While retaining mention of the same issues that BIND 4 and BIND 8 experienced. This leaves the impression that BIND 9 has _not_ experienced issues of similar severity. But that's not the reality. It's a disservice to the reader to leave the implication that BIND 9 has not experienced severe security issues as well. This really needs to be fixed. I'll look into it when I get a chance. Anastrophe (talk) 16:43, 2 December 2016 (UTC)

ISC Staffer here - it's fair to say that BIND 9 has had its share of security issues, but almost without exception they have been "intentional" crashes triggered by BIND's "design by contract" model where it aborts rather than continuing to run with potentially inconsistent data. To my knowledge there's never been a remote-code-execution or privilege escalation vulnerability in BIND 9, and in that regard BIND 9 has not experienced issues as severe as some of those seen in BIND 4 or BIND 8. Raybellis (talk) 13:41, 9 December 2016 (UTC)
You wouldn't characterize the Kaminsky bug as a security vulnerability? It may not be a direct 'Here's root, mate!' security vulnerability for the server itself, but it exposed an attack surface against the entire internet. Yes, it was/is a shortcoming of the DNS protocol itself - not of BIND9, but that doesn't change that it was vulnerable, and was patched to mitigate it. I've no problem with those caveats being acknowledged in describing it - but the reality is, BIND was vulnerable to it. I'd say that CVE-2007-2926 also qualifies as a severe security issue, albeit of limited scope. There have been a number of DoS exploits as well, which I would also consider as falling within the definition of a security vulnerability - but that's just my opinion, not necessarily canon. Anastrophe (talk) 16:49, 9 December 2016 (UTC)
I didn't say there aren't security issues, I was taking issue with the _level of severity_ of those issues. The most severe forms of security vulnerability are ones that involve remote code execution and/or privilege escalation. BIND 9 never had any of those. Raybellis (talk) 15:58, 30 December 2016 (UTC)
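The Kaminsky attack referred to in the thread above, as an added illustration that is not part of the original page and not BIND code: the guessing arithmetic that made off-path cache poisoning practical against a resolver that reused one source port, and what randomizing the port changed. The number of forged replies an attacker lands per race, the assumed ephemeral port range and the independent-guess model are assumptions of this example.

```python
# Added example (not BIND's own code): the guessing arithmetic behind the
# Kaminsky cache-poisoning attack and why randomizing the UDP source port
# was the mitigation. All numbers are attacker-model assumptions.
from __future__ import annotations

import math

TXID_SPACE = 1 << 16                  # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1    # assumed randomized source-port range


def guess_space(port_randomized: bool) -> int:
    """Number of (txid, port) combinations a forged reply must hit."""
    return TXID_SPACE * (EPHEMERAL_PORTS if port_randomized else 1)


def round_success_probability(spoofs: int, space: int) -> float:
    """One race: the attacker fires `spoofs` forged replies with distinct
    guesses before the genuine answer arrives; each matches with 1/space."""
    return min(spoofs, space) / space


def expected_rounds(spoofs: int, space: int) -> float:
    """Mean number of races until one succeeds (geometric distribution).
    Kaminsky's twist: each race queries a fresh random label under the
    victim domain, so a lost race costs no TTL wait and rounds can be run
    back-to-back until the forged glue/authority data is cached."""
    return 1.0 / round_success_probability(spoofs, space)


def rounds_for_confidence(spoofs: int, space: int, confidence: float = 0.5) -> int:
    """Races needed before P(poisoned) reaches `confidence`."""
    p = round_success_probability(spoofs, space)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def poisoning_report(spoofs: int = 100) -> dict[str, float]:
    """Expected races with and without source-port randomization, and the
    resulting increase in attacker work (assumed 100 spoofed replies/race)."""
    before = expected_rounds(spoofs, guess_space(False))
    after = expected_rounds(spoofs, guess_space(True))
    return {
        "expected_rounds_txid_only": before,
        "expected_rounds_txid_and_port": after,
        "work_factor_increase": after / before,
    }


if __name__ == "__main__":
    for key, value in poisoning_report().items():
        print(f"{key:32} {value:,.1f}")
    print("races for 50% with fixed port:",
          rounds_for_confidence(100, guess_space(False)))
```

With a fixed source port the attacker only has to beat a 16-bit ID, so a few hundred races at 100 forged replies each give better-than-even odds; randomizing the port multiplies the work by the size of the port range, which is why the 2008 patch moved the attack from minutes to the realm of impractical without some other weakness (a predictable port allocator, an on-path vantage point, or a NAT that rewrites ports).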