What has changed with DjbDNS since I wrote this criticism:
- DjbDNS has finally been made open-source
- Three security holes have been discovered in DjbDNS
- The DjbDNS tarball on the official download page is still the outdated 1.05 version of DjbDNS
In comparison, MaraDNS has had 12 security problems in its near-decade of existence. OK, so I have four security problems for every security problem DjbDNS has. Then again, of those 12 holes:
- Four were only in unstable development releases of MaraDNS
- One was caused by broken behavior in the Linux kernel and not by MaraDNS
- Two were patches against theoretical problems in AES that do not have any real-world exploits
- The remaining five problems only allowed an attacker to perform a denial of service against MaraDNS; the one I patched yesterday only works in the unusual case of an attacker being able to give MaraDNS a csv2 zone file.
I should also point out the hole I patched yesterday only exists because I decided it was good to have a more attractive zone file format for MaraDNS.
The idea that there exists an uber-genius programmer who can magically write code without any security problems, code that never needs to be updated, was a myth DJB advocates liked to present in the first decade of the 2000s. It is nothing more than a myth, shattered by the three security holes people have discovered in DjbDNS (not to mention the backscatter spam problem in Qmail, which is a security problem).
Security is a process. Programmers, no matter how experienced or skilled, make errors. To criticize a programmer for making a mistake is unreasonable and unrealistic. The best we can do is write a program with a coding style that minimizes security problems; by that standard, MaraDNS having had only four (maybe five) practically exploitable security problems in stable releases is a very good record.
If you want security, you want to use a program that the programmer stands behind and continues to support. That is what I have been doing with MaraDNS for nearly a decade, and I have no plans to stop.