Two BIND 9 Security Vulnerabilities Announced Today
ISC is releasing updated versions of BIND 9 to address two newly-discovered security vulnerabilities We have released new versions of BIND: 9.Read post
The worldwide DNS system is very stable and scalable, but the software underlying it is extremely complex. At ISC we kind of enjoy mastering the intricacies of the DNS. BIND’s most enduring competitive strength may even be our feature-completeness. However, we know that complexity is really the enemy of stability and performance.
ISC has long endeavored to make BIND 9 a ‘reference implementation’ of the IETF DNS standards, but in recent years we have been hearing from our users that more is not always better. Our colleague Bert Hubert from PowerDNS coined the term “the DNS Camel” in a presentation at an IETF DNS Operations working group meeting, in which he protested that the Internet community should stop increasing the complexity of DNS software implementations by constraining the impulse to create additional Internet Standards for the DNS.
namedimplementations of those features. We are remediating that complexity with refactoring, such as the recent refactoring in BIND 9.16 to use the libuv library in place of named network code. While adopting other open source components simplifies the BIND 9 code, it does not necessarily simplify the situation for packagers and operators, as the issues that have arisen with availability of libuv have shown.
Of course it is possible!
Reducing the complexity of BIND 9 requires a combination of refactoring and simplifying obsolete code, and removing obsolete features. The BIND 9 development team has invested quite a bit of effort since 2017 in rewriting some functions, but we haven’t yet removed many features. ISC has published a process for removing features from BIND 9; per that policy we first will ask for user input when we propose to remove a supported feature. We have actually removed a few features, but as you can see from the 980-line long list of options in BIND 9 there are still an enormous number of features remaining.
namedsupervise communications and catch non standards-compliant messages and adjust to them with exceptional behavior.
At ISC we will continue to retire features that we think are obsolete. However, it is much harder to remove features than you might think. For any given feature you think is useless, there is someone on the Internet using it. You can help by identifying features you don’t use, or that you think are inadvisable.
Our colleagues at CZ.NIC are running a survey of open source DNS operators to try to determine which features are really in widespread use, and which can perhaps be decremented with little impact. Please help open-source vendors by providing feedback in their survey.
If you don’t want to complete the whole survey, consider at least answering the question about remote telemetry. If we had some data about what features are actually in use, that would be invaluable.
If you can’t be bothered with a survey at all, consider suggesting some of your favorite lame duck features as candidates for removal by emailing bind-users.
What's New from ISC