Others have already pointed out the value of running the named service
non-root and chroot'ed.  These changes alone would have avoided the recent
and widespread ADMROCKS remote root exploits.  And, it is trivial to make
named drop root privileges; I am embarrassed that I didn't check it and
disappointed that RedHat didn't either, given the ubiquity of named.

There is another way in which ADMROCKS and other remote named exploits can
be avoided completely for -some- users, such as PPP or end-of-the-line
users.  Namely those of us with cachine-only nameservers probably do -not-
want to provide DNS service to the world.  So I suggest a
"caching-and-local-only" RPM which would refuse all DNS requests, except
those from localhost.  This is so simple.  Just add

	listen-on { 127.0.0.1; };

to the "options" phrase of /etc/named.conf.  This would protect a lot of
people at very low cost and enhance RedHat's reputation as a
security-conscious distribution.  Of course, there may still be a need for
the existing caching-only RPM, but given the currently unsafe privileges of
named, the out-of-the-box defaults are very unsafe.  See the
redhat-security list for the imapact of this combination of problems.

One more thing.  Mandrake (based on RedHat, I think) had bind 8.2.2-P5
RPM-ified just days after RedHat had bind 8.2.2-P3 RPM-ified, around
November 17, 1999.  RedHat still does not seem to have patchlevel 5
RPM-ified.  This is disappointing, given how remarkably cleanly it compiles
on RedHat 6.x.

Please keep up the good work and better,
Kyle Ferrio