[dns-operations] "freeware is a recipe for problems"

Douglas Otis dotis at mail-abuse.org
Thu Sep 24 18:42:32 UTC 2009


On 9/24/09 11:18 AM, Florian Weimer wrote:
> * Douglas Otis:
>
>> There is a fair amount of effort attempting to make it more
>> difficult for bad actors, once they find a means to escalate user
>> privilege, to then locate code locations by things like ASLR
>> (Address Space Layout Randomization).
>
> This reference to ASLR is extremely odd in a DNS context.  At best,
> ASLR turns code execution exploits into server crashes.  Does this
> help?  In the DNS context, not that much.

The general difference between open-source and proprietary is obscured
code.  ASLR takes this one step further.  Defeating ASLR, when done by
experienced hackers, reliably does _not_ cause servers to crash.  This
technique raises the bar for hackers AND integrity checks.  Everything,
good or bad, is more obscured.  As long as hackers are good, vendors can
better claim no exploits are occurring.  This topic was seen as being
about which approach better protects DNS.

>> Maybe they are right. Perhaps it is better to not know what is
>> lurking within a proprietary OS.
>
> But that ship has sailed.  How many ISPs still run their DNS servers
> on operating systems for which source code is not widely available?

While agreeing with your view with respect to the OS, would you extend
this to the DNS application as well?  Where do you draw the line?

-Doug



