Sven Hoexter <[EMAIL PROTECTED]> writes:

[snip]
>> I'm still under the impression that it's quite possible to do a
>> reasonably secure bind install. Bind9 has some nice security-related
>> features, and a completely rewritten codebase (as opposed to bind8). I'm
>> not sure what insecurities you'd impose upon yourself by installing it..
>
> You forgot to mention that you can chroot bind since an 8.x release. The
> chroot is not the non plus ultra solution but it throws a few more stones
> in the way of the script kiddies.

Heck, it's possible to run something listening on port 21 in a secure
fashion... all it means is that you've got to be awake!

> Anyway it looks like the normal flamewars like sendmail vs. *your
> alternative MTA here* :)

Oh, definitely. Saying "just use <foo> instead" never got anyone anywhere.
It's perfectly possible to run services in a secure manner - tighten Bind
just like you would anything else - run in a virtual machine and/or
chrooted, as a non-root user, statically linked, 53/tcp restricted to
listed secondary NS boxes, use crypto sig things for updates, come back
tomorrow and keep it up to date, ...

~Tim
-- 
<http://spodzone.org.uk/>
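
The measures listed in the message above (chroot, non-root user, zone transfers limited to the listed secondaries, signed updates), as a BIND 9 named.conf fragment. This is an added example, not part of the original post. The zone name, addresses (documentation ranges), key name, user name and chroot path are assumptions.

```conf
// Start named chrooted and as an unprivileged user (assumed user and path):
//   named -u named -t /var/named/chroot
// All paths below are then relative to the chroot directory.

// TSIG key for dynamic updates. Generate a real secret with, for example:
//   tsig-keygen -a hmac-sha256 ddns-key
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";   // placeholder, not a real key
};

// The secondary name servers allowed to pull the zone (constructed addresses).
acl "secondaries" {
    192.0.2.53;
    198.51.100.53;
};

options {
    directory "/etc/named";
    // Default for every zone: no transfers and no updates unless a zone
    // statement grants them explicitly.
    allow-transfer { none; };
    allow-update   { none; };
};

zone "example.org" {
    type master;
    file "example.org.zone";

    // Weak settings, shown for contrast only:
    //   allow-transfer { any; };          // anyone can dump the zone
    //   allow-update   { 192.0.2.0/24; }; // updates trusted by source IP

    // Zone transfers (AXFR/IXFR over 53/tcp) only to the listed secondaries.
    allow-transfer { secondaries; };

    // Dynamic updates only when signed with the TSIG key.
    allow-update { key "ddns-key"; };
};
```

The allow-transfer ACL covers zone transfers only; closing 53/tcp to everything except the secondaries at the packet filter also blocks ordinary queries that fall back to TCP, so test resolution from outside before relying on that rule.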