
How is djbdns more secure?
Is there really an unclaimed $500 cash reward for security holes?

Dec 7th, 2001 03:11
Brian Coogan


The fact that Dan Bernstein is prepared to offer a personal $500 
security guarantee speaks volumes about the way djbdns was designed 
(either that, or he's paid too much!).  Some security features:

 - daemons run as non-root users with separate user-ids;

   (the user-ids need have no permission at all on the filesystem
    and thus their ability to impact the system is low)

 - locks itself into an isolated tree on the system via chroot;

   (meaning the process has only very limited access to the
    filesystem and configuration when running)

 - dnscache is immune to cache poisoning;

   (meaning it cannot be attacked and forced to lie about IP
    addresses)

 - dnscache is careful about who it listens to;

   (again meaning it is very hard to mislead dnscache)

 - djbdns is designed carefully with an emphasis on simplicity.

   (simple means easy to audit and less likely to have bugs)

For more details see http://cr.yp.to/djbdns/ad/security.html

There is a $500 reward for the first demonstrable real security hole in 
djbdns.  The author is so confident that djbdns is secure that he is 
prepared to offer a reward for holes out of his own pocket - something 
almost unheard of in the software industry, let alone for software whose 
source is made publicly available!  Either this is incredibly foolhardy 
or makes a statement -- and come what may, the $500 has remained 
unclaimed, as has a similar amount for qmail security.

A point well worth noting is that djbdns is some 13,000 lines of C code 
and BIND is well over 100,000 lines of code (I've heard rumours BIND 9 
is 300,000 lines).  It is a _lot_ easier to audit 13,000 lines of code 
for security problems than it is to audit 100,000 lines of code!

For details on the security guarantee itself see
 http://cr.yp.to/djbdns/guarantee.html

For some additional thoughts from djb on secure design (from qmail):
 http://cr.yp.to/qmail/guarantee.html
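To make the "careful about who it listens to" point concrete: dnscache answers a recursive query only if a file named after the client's IP address, or one of its dotted-decimal prefixes (e.g. "192.168" for 192.168.0.0/16), exists in its env/ip directory. The C below is an added example in the style of that check, not code from djbdns or from the answer above; the allow-list is an in-memory table constructed for the example rather than a directory of files, and the function name ok_client is an assumption.

```c
/* Added example: an allow-list check in the style of dnscache's client
 * filtering.  dnscache accepts a query only when env/ip contains a file
 * named after the client's address or one of its dotted-decimal prefixes.
 * Here the prefixes come from an in-memory table (constructed for the
 * example) instead of the filesystem; the matching rule is the point. */
#include <stdio.h>
#include <string.h>

/* Return 1 if `prefix` matches `ip` on an octet boundary: the two are
 * identical, or `ip` continues with a '.' right after `prefix`.
 * A plain strncmp() would wrongly let "10.1" match "10.10.3.4". */
static int octet_prefix_match(const char *ip, const char *prefix)
{
    size_t n = strlen(prefix);
    if (n == 0 || strncmp(ip, prefix, n) != 0)
        return 0;
    return ip[n] == '\0' || ip[n] == '.';
}

/* Return 1 if the client address is allowed, 0 otherwise.
 * An empty table denies everyone: the safe default for a recursive
 * cache is to serve nobody until an operator lists who may ask. */
int ok_client(const char *ip, const char *const *allowed, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (octet_prefix_match(ip, allowed[i]))
            return 1;
    return 0;
}

/* Constructed allow-list: localhost plus the 192.168/16 private range. */
static const char *const demo_allowed[] = { "127.0.0.1", "192.168" };
static const size_t demo_count = sizeof demo_allowed / sizeof demo_allowed[0];

int main(void)
{
    const char *clients[] = { "127.0.0.1", "192.168.5.9", "192.1680.1", "8.8.8.8" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-12s %s\n", clients[i],
               ok_client(clients[i], demo_allowed, demo_count) ? "answer" : "drop");
    return 0;
}
```

The third client shows why the boundary check matters: "192.1680.1" shares the characters "192.168" with the allowed prefix but is not inside 192.168/16, so it is dropped.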