[dns-operations] bogus claims arising from Nominum marketing drivel
Jim Reid
jim at rfc1035.com
Wed Sep 23 10:27:21 UTC 2009

On 23 Sep 2009, at 10:13, Matthew Dempsky wrote:
> "And Nominum has not had a single known vulnerability in its
> software."
>
> Maybe if you don't remember who wrote BIND 9 ("entirely new code base
> written from scratch")

You're letting your prejudices obscure the facts. Again. Yes, Nominum
wrote the first BIND9 releases. But this was under contract to ISC.
ISC always "owned" the code. BIND9 was never Nominum's product or
intellectual property. When Nominum decided to pursue its own
proprietary DNS implementations 5-6 years ago, ISC took over
responsibility for BIND9 development. That was around the time of the
9.1 release IIRC.

Whether the marketing claim about Nominum's IP is true or not is
another matter. I don't care either way because of a Pavlovian
response which means I never pay attention to marketing and sales
hype. It's usually a good idea not to believe everything you read in
the sales blurbs and advertorials. After all, the Internet is full of
web sites that say Elvis is dead....

> and also don't count CVE-2008-1447 (which ironically didn't affect
> "freeware" implementations like djbdns, PowerDNS, and MaraDNS)...

This statement is also misleading because it doesn't tell the whole
story.

Some DNS implementations were more vulnerable to the Kaminsky attack
than others. That wasn't news then or now. The root cause of that is
the DNS protocol itself. That's not news either. The implementations
on your chosen are not immune from cache poisoning. They just were
lucky enough not to succumb to one particular flavour of cache
poisoning attack.