[dns-operations] bogus claims arising from Nominum marketing drivel

Jim Reid jim at rfc1035.com
Wed Sep 23 10:27:21 UTC 2009


On 23 Sep 2009, at 10:13, Matthew Dempsky wrote:

> "And Nominum has not had a single known vulnerability in its  
> software."
>
> Maybe if you don't remember who wrote BIND 9 ("entirely new code base
> written from scratch")

You're letting your prejudices obscure the facts. Again. Yes, Nominum  
wrote the first BIND9 releases. But this was under contract to ISC.  
ISC always "owned" the code. BIND9 was never Nominum's product or  
intellectual property. When Nominum decided to pursue its own  
proprietary DNS implementations 5-6 years ago, ISC took over  
responsibility for BIND9 development. That was around the time of the  
9.1 release IIRC.

Whether the marketing claim about Nominum's IP is true or not is  
another matter. I don't care either way because of a Pavlovian  
response which means I never pay attention to marketing and sales  
hype. It's usually a good idea not to believe everything you read in  
the sales blurbs and advertorials. After all, the Internet is full of  
web sites that say Elvis is dead....

> and also don't count CVE-2008-1447 (which ironically didn't affect  
> "freeware" implementations like djbdns, PowerDNS, and MaraDNS)...

This statement is also misleading because it doesn't tell the whole  
story.

Some DNS implementations were more vulnerable to the Kaminsky attack  
than others. That wasn't news then or now. The root cause of that is  
the DNS protocol itself. That's not news either. The implementations  
you chose are not immune from cache poisoning. They just were  
lucky enough not to succumb to one particular flavour of cache  
poisoning attack.
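The point Jim makes above, that source port randomization made some resolvers much harder targets for CVE-2008-1447 without making any of them immune, can be quantified. The following is an added example, not code from the original thread or from any of the implementations named in it. It does two things a defender would want: it takes a list of (source port, transaction ID) pairs as one might extract from a capture of a resolver's outbound queries and flags a resolver that is reusing a single source port, and it models how many spoofed-reply race windows an off-path attacker would need against a 16-bit (fixed port) versus roughly 32-bit (randomized port plus TXID) guess space. The sample pairs are constructed, and the attacker budget of 1000 forged replies per window is an assumed figure, not one taken from the post.

```python
import math
from collections import Counter

# Constructed samples (hypothetical values): (source_port, txid) pairs for
# eight outbound queries from a resolver.  The first set mimics a resolver
# that always sends from port 53; the second mimics one that randomizes.
FIXED_PORT_SAMPLES = [
    (53, 0x1A2B), (53, 0x9C01), (53, 0x4E77), (53, 0x0F10),
    (53, 0xBEEF), (53, 0x7777), (53, 0x2468), (53, 0x1357),
]
RANDOM_PORT_SAMPLES = [
    (49152, 0x1A2B), (61001, 0x9C01), (50233, 0x4E77), (58999, 0x0F10),
    (62130, 0xBEEF), (51042, 0x7777), (60011, 0x2468), (53917, 0x1357),
]


def shannon_entropy_bits(values):
    """Empirical Shannon entropy (bits) of an observed sample.  With only a
    handful of queries this is a lower bound on what the resolver can produce,
    so it is useful for spotting a fixed port, not for certifying 16 bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyze_source_ports(samples, min_samples=8):
    """Flag a resolver that reuses one source port across many queries.
    A randomizing resolver sending min_samples queries from a single port
    is vanishingly unlikely, so one distinct port is treated as 'fixed'."""
    if len(samples) < min_samples:
        raise ValueError("not enough queries observed to judge")
    ports = [port for port, _ in samples]
    distinct = len(set(ports))
    return {
        "distinct_ports": distinct,
        "observed_port_entropy_bits": shannon_entropy_bits(ports),
        "looks_fixed": distinct == 1,
    }


def guess_space(txid_bits=16, port_bits=0):
    """Number of (port, txid) combinations a forged reply must match.
    port_bits is 0 for a fixed source port; a randomized ephemeral range
    is close to, but slightly under, 16 bits."""
    return 2 ** (txid_bits + port_bits)


def spoof_success_probability(space, forged_replies):
    """Chance that one race window succeeds when the attacker sends
    forged_replies distinct guesses before the genuine answer arrives."""
    return min(1.0, forged_replies / space)


def windows_to_probability(p_per_window, target):
    """Race windows needed for cumulative success probability >= target.
    Repeating the race is what made the Kaminsky variant practical: each
    query for a fresh name is a new window, so the only thing limiting the
    attacker is how many windows it takes."""
    if p_per_window >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log1p(-p_per_window))


if __name__ == "__main__":
    for label, samples in (("fixed", FIXED_PORT_SAMPLES), ("random", RANDOM_PORT_SAMPLES)):
        print(label, analyze_source_ports(samples))
    budget = 1000  # assumed forged replies per race window
    for label, bits in (("fixed port", 0), ("randomized port", 16)):
        p = spoof_success_probability(guess_space(16, bits), budget)
        print(f"{label}: p={p:.3e} per window, "
              f"{windows_to_probability(p, 0.5)} windows to 50%")
```

Run as a script it prints the two port analyses and, for the assumed budget, the number of race windows for a coin-flip chance of poisoning: a few dozen with a fixed port, a few million with a randomized one. That is the "harder, not immune" distinction in the post; the randomized figure is a bar an attacker can still clear given enough time and bandwidth, which is why the protocol-level fix is DNSSEC rather than more entropy.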
