Check out the new USENIX Web site.

DNS and BIND Security Issues

Paul Vixie
Internet Software Consortium


Efforts are underway to add security to the DNS protocol. We have observed that if BIND would just do what the DNS specifications say it should do, stop crashing, and start checking its inputs, then most of the existing security holes in DNS as practiced would go away. To be sure, attackers would still have a pretty easy time co-opting DNS in their break-in attempts. Our aim has been to get BIND to the point where its only vulnerabilities are due to the DNS protocol, and not to the implementation. This paper describes our progress to date.

Download the full text of this paper in ASCII (45,431 bytes),
POSTSCRIPT (178,774 bytes),
and PDF (270,766 bytes) form.

To Become a USENIX Member, please see our Membership Information.