Saturday, January 3, 2009

Deadwood minor update; djb software rant

I have made a minor update to Deadwood; I have updated the DwMain man page (manual page; "man page" is *NIX-ese for "manual") and added a Makefile to automatically convert the man pages from MaraDNS' internal documentation format to text files and *NIX's standard documentation format.

It can be downloaded at

Using DJB software is harmful.

If you're looking to use a DNS server, use anything besides DjbDNS. DjbDNS sucks, frankly.

The first problem is that it hasn't been able to compile on Linux for years. Yeah, there's a fix for it, but what use is it to download a program where you have to look online for help just to compile it?

The second is that the program has a nasty remote denial of service security bug. It is possible to remotely restart DjbDNS' cache unless you apply the security fix.

The third problem is the userbase. DjbDNS advocates do not acknowledge the remote denial of service problem, and go out of their way to cover it up and pretend the problem does not exist. Instead, they will continue to repeat the same lies about how DjbDNS is "100% secure" and "has never had a security problem".

Indeed, I got in a nasty edit war on the Wikipedia when I unsuccessfully tried to put accurate information about DjbDNS' security problems there; the Wiki's acceptance of these kinds of lies getting published there disgusted me so much that I have left the Wikipedia. The Wikipedia entry still has the same old BS about how DjbDNS is "highly secure".

DjbDNS has a number of other problems, which I have detailed in older blog entries (just look for older entries tagged "DjbDNS"), which its advocates respond to by either blaming the user for DjbDNS' problems, or by pretending the problem doesn't exist.

Don't waste your time with a program with security problems (that DJB and DJB advocates try to cover up instead of acknowledging and patching) and that won't even compile unpatched. There are a lot of other currently maintained DNS offerings, such as BIND, PowerDNS, Unbound, dnsmasq, and, yeah, my own MaraDNS (and Deadwood).

On a related topic, Qmail has a nasty security problem called "backscatter spam". Netqmail, which is the maintained branch of Qmail, doesn't fix this problem. Yes, there are fixes, but they require people to go out of their way to find and install patches, which is something people shouldn't have to do in 2009.

Just use sendmail, postfix, exim, courier MTA, or another currently maintained MTA that doesn't pretend issues like backscatter spam aren't security problems.

Some interesting links:

Rick Moen on DJBware

How one person handled legitimate criticism of DJB's software