[dns-operations] knot-dns

Matthew Ghali mghali at gmail.com
Mon Dec 15 02:08:20 UTC 2014


Hi DRC!

Sorry, I didn’t mean to advocate a monoculture in a vacuum. My point was delivered much more eloquently by Roland: Given the set of practical issues we’re worried about today, delivering a service via multiple codebases certainly isn’t a magic bullet. Upon closer inspection heterogeneity might reduce exposure to catastrophe much less than you’d expect. Or more likely, have a multiplicative effect instead.

For a simple example, if my business depended on PKI, would I have gained security and reliability over the last few years by using both OpenSSL and GnuTLS? Would adding in native OSX and Windows frameworks have reduced my exposure or multiplied my risks?

Cheers,
matto


> On Dec 14, 2014, at 2:52 PM, David Conrad <drc at virtualized.org> wrote:
> 
> On Dec 14, 2014, at 12:28 PM, Matthew Ghali <mghali at snark.net> wrote:
> 
>> How does code diversity fix protocol vulns?
> 
> Because different people implement the protocol differently (as evidenced by the above)?
> 
> Of course, one might argue that the fact that there were different behaviors might suggest a bug in the protocol specification, but that doesn't argue against code diversity.  Code diversity is to help mitigate implementation bugs.
> 
> Regards,
> -drc
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1597 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141214/fbfc8f51/attachment.bin>


More information about the dns-operations mailing list