Subject: Re: Fwd: Re: Microsoft: Closed source is more secure
From: Ian Lance Taylor <ian@airs.com>
Date: 04 May 2001 13:04:00 -0700

shap@cs.jhu.edu writes:

> I don't have an opinion about the merits of djbdns.  Having read the
> comments by others, however, I want to point something out. Djbdns may
> or may not be secure, but it is decidedly *not* high assurance.
> Auditability and documentation of code are *essential* to high
> assurance. If the documentation is poor, if the design is not clearly
> articulated and published, and if the code is substantially difficult to
> comprehend and to cross-check against the design, then djbdns *cannot*
> be a high assurance system.

I don't want to get into a mode of defending DJB.  But I have looked
at the djbdns code (and, for that matter, the code for qmail,
daemontools, and ucspi-tcp).  It is small, highly modular, and
reasonably straightforward to understand.

The security design is clearly articulated:
    http://cr.yp.to/djbdns/ad/security.html

In particular, it's straightforward to verify that dnscache and
tinydns run under a non-root UID in a chroot jail.  That in itself
provides a very high level of security.  I believe it ensures that no
root exploit is possible except by playing off some hypothetical bug
in the operating system itself.  Would that the same were true of
bind.

Ian
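The property Ian describes (a daemon running as a non-root UID inside a chroot jail) can be checked from outside the process on Linux. The following is an added example, not code from the thread or from djbdns: it parses the Uid/Gid lines of /proc/<pid>/status and reads the /proc/<pid>/root link; the UID 1001 and the jail path used in the comments are constructed assumptions.

```python
"""Verify that a running daemon is non-root and chrooted (Linux only).

Reading /proc/<pid>/root requires the same access as ptrace on the target,
so run this as root or as the daemon's own user.
"""
import os
import re

ID_LINE = re.compile(r'^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$')


def parse_ids(status_text):
    """Return {'Uid': (real, effective, saved, fs), 'Gid': (...)}
    from the text of /proc/<pid>/status."""
    ids = {}
    for line in status_text.splitlines():
        m = ID_LINE.match(line)
        if m:
            ids[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return ids


def assess(ids, root_link):
    """Return a list of findings; an empty list means every uid/gid is
    non-zero and the process root is not the host root."""
    findings = []
    for key in ('Uid', 'Gid'):
        vals = ids.get(key)
        if vals is None:
            findings.append(f'{key} line missing from status')
        elif any(v == 0 for v in vals):
            # A zero saved-set-uid matters too: the process could
            # setuid(0) back to root even if the effective uid is 1001.
            findings.append(f'{key} contains 0 (real/eff/saved/fs = {vals})')
    if root_link == '/':
        # /proc/<pid>/root resolves to the jail path (e.g. the constructed
        # /etc/dnscache/root) for a chrooted process, and to "/" otherwise.
        findings.append('process root is /, i.e. not chrooted')
    return findings


def check_process(pid):
    """Assess a live process by pid; raises PermissionError without access."""
    with open(f'/proc/{pid}/status') as fh:
        ids = parse_ids(fh.read())
    return assess(ids, os.readlink(f'/proc/{pid}/root'))
```

`check_process(pid)` returns an empty list only when all four uid and gid values are non-zero and the root link points somewhere other than `/`.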