
RE: BIND on OpenBSD



Hello,

   I am not an expert on BIND or OpenBSD (use both), however the question
you ask is a fundamental of security: Risk Assessment. Isn't a deadbolt lock
on the front door of my house safe enough? It may be if I don't have any
valuable possessions. If I have an extremely precious diamond or some other
valuable that I cannot afford to lose then the deadbolt is not safe
enough, I need to put bars on the windows, alarms etc.

   The same applies to network/computer security. Every individual/company
needs to determine what is safe enough, and what they have at risk. If they
have a lot to risk, then maybe the new features aren't worth the security
risks. 


My two pennies


Ken Caruso

-----Original Message-----
From: Dave Taira [mailto:bodhi@hagakure.org]
Sent: Friday, February 09, 2001 11:56 AM
To: misc@openbsd.org
Subject: Re: BIND on OpenBSD 


On Fri, 9 Feb 2001 obsd@righi.df.unibo.it wrote:

> I agree, but isn't bind 8.2.3 safe enough right now?
>
> I believe the first goal of OpenBSD is security,
> I just don't think that systems like FreeBSD or NetBSD have to be
> considered insecure just because they are using bind 8, for this I asked
> why OpenBSD uses bind 4 and I got the explanation, thanks.

What it boils down to is that OpenBSD ships with the code that
the OpenBSD team has audited. There is a port for BIND8, so you
can run it if you want, but it has not been audited by the OpenBSD
team. And I believe Theo has said that it's too much of a mess to
even try to audit. (And as someone else posted, Vixie has said
pretty much the same thing.) So, BIND8 will never be integrated
into the base system.

A question for you: what is "safe enough"? For some people, yes,
BIND 8.2.3 is indeed safe enough. For many, it's not.