D. J. Bernstein

BIND, the Buggy Internet Name Daemon

BIND is like Microsoft Windows. The damn thing doesn't work. Every version has been brimming with bugs.

I need to publish my computer's address. I need to look up the addresses of other computers. When I was using BIND, I often found these functions disrupted by BIND bugs. Aargh!

Some of BIND's bugs are major design flaws. The cache data structure isn't designed to allow FIFO operations; running out of memory is a disaster. The query data structure isn't designed to handle the complications of ``query restart''; lookups are delayed and sometimes fail. The record data structure isn't designed to handle unrecognized types; every new type is an interoperability disaster.

But most of the bugs are stupid little mistakes. BIND sometimes sends SIGTERM to the wrong place, accidentally killing itself. BIND forgets to free memory it has allocated for AR names, so it chews up more and more memory until it dies. The BIND cache forgets to check a buffer length in the NXT-handling code, so anyone on the Internet can take over the machine. These specific bugs have been squashed, but new bugs keep showing up to take their place.

During the million-dollar BIND 9 rewrite, Paul Vixie characterized the original BIND code as ``sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students.'' Throwing out all that code would produce a ``robust'' system: BIND 9 was ``written by a large team of professional software developers who had enough time and enough money to "get it right."''

But BIND 9 isn't right. It crashes even more often than BIND 8 does. There are hundreds of bugs listed in the 9.1.0rc1 CHANGES file. Many of these are serious reliability problems; for example, ``dns_zone_dump() overwrote existing zone files rather than writing to a temporary file and renaming'' means that a temporary power outage can destroy addresses. Some of the bugs, just like some of the BIND 8 bugs described on the BIND company's ``BIND security'' web page, allow anyone on the Internet to disable BIND with a single packet. It's just a matter of time before someone sees how one of these BIND 9 bugs opens up a security hole.
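The write-to-a-temporary-file-and-rename pattern named in that CHANGES entry, as an added example: this is not BIND's code and not part of the original essay. The function name dump_zone_atomic, the ".tmp.<pid>" suffix and the sample record are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write all of buf, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Replace path with data. A crash at any point leaves the old file or the
 * new one, never a truncated mix. (Hypothetical name, not a BIND function.) */
int dump_zone_atomic(const char *path, const char *data, size_t len)
{
    char tmp[4096], dir[4096];
    int n = snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof tmp) return -1;
    /* O_EXCL: never write through a pre-existing file or symlink. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    /* The data must reach the disk before the rename makes it visible. */
    if (write_all(fd, data, len) < 0 || fsync(fd) < 0) { close(fd); unlink(tmp); return -1; }
    if (close(fd) < 0 || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    /* Best effort: fsync the directory so the rename itself survives a crash. */
    const char *slash = strrchr(path, '/');
    if (slash == NULL) snprintf(dir, sizeof dir, ".");
    else snprintf(dir, sizeof dir, "%.*s", (int)(slash - path + 1), path);
    int dfd = open(dir, O_RDONLY);
    if (dfd >= 0) { (void)fsync(dfd); close(dfd); }
    return 0;
}

int main(void)
{
    /* Constructed sample record, not real zone data. */
    const char *zone = "www.example.test. 3600 IN A 192.0.2.1\n";
    return dump_zone_atomic("example.zone", zone, strlen(zone)) == 0 ? 0 : 1;
}
```

Overwriting the live file in place, by contrast, truncates it first, so an outage between the truncate and the final write leaves a partial file and nothing to fall back on.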

The bugginess of BIND 9 didn't come as a surprise to those of us who were paying attention to the BIND 8 bugs. Were most of them the fault of those drunken grad students? No! The ``professional software developers'' at the BIND company added huge chunks of buggy code to BIND. Why should we believe that the 300000 lines of new code in BIND 9 were written more carefully than the 130000 lines of new code in BIND 8?

The BIND company says that BIND 9 is ``auditable.'' They say that they used a ``programming by contract paradigm.'' Blah, blah, blah. Bottom line: it doesn't work.

Appendix: Thoughts after the TSIG disaster

I wrote the above essay in mid-January 2001. Ten days later, the BIND company announced another major security hole in BIND 8. The TSIG bug, like the NXT bug, allows anyone on the Internet to take over the machine.

Can the TSIG bug and the NXT bug be traced back to those drunken grad students? No! They both appeared as new features in BIND 8.2.

BIND 9 was funded in August 1998. There was a public statement that ``code drop has been made to funding organizations'' in March 1999. Guess when BIND 8.2 was released? That's right: March 1999.

Appendix 2: Who are the BIND programmers?

Paul Vixie has been telling people that the BIND 9 programming team is ``completely different'' from the BIND 8 programming team.

However, I have been told, by a source I trust, that Michael Graff worked on both BIND 8 and BIND 9. The second part of this is confirmed by the BIND 9 ``authors.bind'' response, which lists Bob Halley, David Lawrence, Danny Mayer, Damien Neil, Matt Nelson, Michael Sawyer, Brian Wellington, Mark Andrews, James Brister, Ben Cottrell, Michael Graff, and Andreas Gustafsson.

I asked Vixie for an explanation in July 2001. I also asked him to state for the record who has worked on BIND 8 and who has worked on BIND 9. He didn't respond.

Appendix 3: More data on BIND 9's code quality

Here's a summary of the BIND 9.2.2rc1 CHANGES file, published 2002.08.08 by the BIND company:
     9.0.0b2:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug
     9.0.0b3:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug
     9.0.0b4:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug
     9.1.0b1:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug
     9.1.0b2:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
               	    ``BIND9 *rocks*'' ---Paul Vixie, 2001.01.29
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug
     9.2.0a1:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug
     9.2.0a2:   bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug
     9.2.0a3:   bug bug bug
     9.2.0b1:   bug bug bug bug
     9.2.0b2:   bug bug bug bug bug bug
     9.2.0rc1:  bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug
     9.2.0rc2:  bug bug bug bug bug
     9.2.0rc3:  bug bug bug bug bug bug bug
     9.2.0rc4:  bug bug bug bug bug bug bug
     9.2.0rc5:  bug bug bug bug bug bug
     9.2.0rc6:  bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug
     9.2.0rc7:  bug bug bug bug bug bug bug bug
     9.2.0rc8:  bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug
     9.2.0rc9:  bug bug bug bug bug bug bug bug bug bug
     9.2.0rc10: bug bug
     9.2.0:     bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug
     9.2.1rc1:  bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug
     9.2.1rc2:  bug bug bug
     9.2.1:     bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug bug bug bug bug
                bug bug bug bug bug bug bug bug bug
That's six hundred seventy-two bugs. Many of the recent bugs, like many of the earlier bugs, indicate serious problems. For example, bug 1252 (``dig, host and nslookup were not checking the address the answer was coming from'') means that the BIND 9.2.1 lookup utilities were vulnerable to completely trivial forgeries, and bug 1310 (``rndc stop failed to cause zones to be flushed sometimes'') means that BIND 9.2.1 would sometimes destroy addresses.
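The check whose absence bug 1252 describes, as an added example: this is not code from dig, host or nslookup, and not part of the original essay. The names reply_acceptable, same_endpoint and ep4 are made up here, and the addresses and header bytes are constructed samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if a and b name the same IP address and port. */
static int same_endpoint(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family) return 0;
    if (a->sa_family == AF_INET) {
        const struct sockaddr_in *x = (const void *)a, *y = (const void *)b;
        return x->sin_port == y->sin_port && x->sin_addr.s_addr == y->sin_addr.s_addr;
    }
    if (a->sa_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const void *)a, *y = (const void *)b;
        return x->sin6_port == y->sin6_port &&
               memcmp(&x->sin6_addr, &y->sin6_addr, sizeof x->sin6_addr) == 0;
    }
    return 0;
}

/* Accept a UDP reply only from the queried server, with our ID and QR set. */
int reply_acceptable(const struct sockaddr *queried, const struct sockaddr *from,
                     uint16_t query_id, const unsigned char *pkt, size_t len)
{
    if (!same_endpoint(queried, from)) return 0;   /* the check bug 1252 names */
    if (len < 12) return 0;                        /* DNS header is 12 bytes */
    if ((uint16_t)((pkt[0] << 8) | pkt[1]) != query_id) return 0;
    return (pkt[2] & 0x80) != 0;                   /* QR bit marks a response */
}

/* Build an IPv4 endpoint from dotted-quad text (helper for the demo). */
struct sockaddr_in ep4(const char *ip, uint16_t port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

int main(void)
{
    /* Constructed sample: reply header with ID 0x1234 and the QR bit set. */
    unsigned char pkt[12] = { 0x12, 0x34, 0x80 };
    struct sockaddr_in srv = ep4("192.0.2.53", 53), other = ep4("198.51.100.7", 53);
    int ok = reply_acceptable((struct sockaddr *)&srv, (struct sockaddr *)&srv, 0x1234, pkt, 12);
    int bad = reply_acceptable((struct sockaddr *)&srv, (struct sockaddr *)&other, 0x1234, pkt, 12);
    return (ok == 1 && bad == 0) ? 0 : 1;
}
```

A client would pass the address filled in by recvfrom() as `from` and keep waiting, up to its timeout, when the function returns 0.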

This is what Paul Vixie calls a ``robust'' system? This was ``written by a large team of professional software developers who had enough time and enough money to "get it right"''? Those programmers should be ashamed of themselves.