On Tue, Dec 12, 2006 at 04:20:19PM +0900, Masataka Ohta wrote:

> Complex protocols are more complex to implement and operate and,
> thus, insecure.
> For example, it is a lot more likely that DNSSEC software has
> buffer overflow vulnerability than plain DNS software.

This is not only a lot more likely, but an actual fact if we look at most DNS
security advisories of the past few years.

For example, look at SIG Query Processing (CVE-2006-4095), "BIND: Self Check
Failing" (2005-25-01), "BIND: Remote Execution of Code" A/K/A "sigrec",
"OpenSSL buffer overflow", "tsig bug", "sigdiv0 bug", etc., all found on
the fine page http://www.isc.org/index.pl?/sw/bind/bind-security.php


http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services