On Wednesday, 20 November 2002 at 22.38, Vincent Danen wrote:
> On Wednesday, November 20, 2002, at 11:51 AM, Oden Eriksson wrote:

[snip]

> >> So finding out from this "expert" what "job" it is that djbdns cannot
> >> do would be very enlightening. From where I sit, the only thing djbdns
> >> doesn't do is DNSSEC and DDNS, neither of which are useful to me.
> >> DNSSEC can be avoided by using tcprules to protect access to zone
> >> transfers. Actually, IIRC, there is a different daemon that does zone
> >> transfers, so if you don't need them at all, you just don't link that
> >> daemon under supervise's control. If you do need it, use qmail-style
> >> tcprules to protect access to it.
> >
> > Well..., I have known this "expert" (electronically) since my early
> > FIDONET years (since '93?). This guy has handled the Swedish top domain
> > (.se) for several years, maybe thousands, ten thousands or even hundred
> > thousands of domain names. Wouldn't you say that is some sort of DNS
> > experience? Do you really mean I should trust your word instead of his,
> > no matter what?
>
> No, not at all. But I would hope you would question what you were
> told. Simply telling you that "tinydns can't do the job" without
> anything to explain why isn't very effective. At least I've told you
> what tinydns *can* do, and mentioned its limitations. I've not made
> any blanket statements without providing proof, or at least personal
> experience (I realize I haven't provided proof of djbdns being faster
> than bind... but having used both, I can notice a difference, and if I
> can notice it, then it isn't trivial).

Ahh, if I only could remember..., it was almost down to bits and bytes, too complicated for me to remember... The conclusion/advice I got was stick with bind... (for now...) As soon as I get in contact with this fellow again I will ask him about this and post it here.

I wonder which big ISPs are using the djbdns suite these days...

> I never implied he wasn't experienced. I quoted "expert" in that you
> hadn't made any claims to his expertise. But I never said that he
> couldn't be, or wasn't, experienced. Please don't try to make this
> sound like I am attempting to dictate to you what you should or should
> not do with your systems. Hell, it's *your* system. You're the one
> who has to continually worry about the security of your system, and
> whether or not ISC will even disclose the problems to you (which seems
> questionable these days). That "luxury" is one I cannot afford. If
> others feel they can afford it, by all means, continue to use it.
> Quite frankly, I don't care what you use. I don't even care if you
> upgrade to the latest patched versions. Use an unpatched bind8 or
> bind4 for all I care. It does not impact *me* what *you* do on *your*
> system. *I* am not the one who has to deal with ISC (other than
> providing updates for people like you).

he he he..., you sure have a tough job... If only the Mandrake DJB licensing policy would change, bind+sendmail+postfix+tcp_wrappers+ntp+inetd+xinetd+syslog would be history... (did I forget something?)

[snip]

> > At this time I don't dare converting my clients 3000+ hosts, 12 C
> > class nets, and let me see... (checking...) 200+ zones to djbdns...
>
> Why? Too much work? I already told you that using axfr-get makes this
> simple. I'm assuming that these 3000 hosts don't each run bind, so
> you're looking at one machine. One system to update. With some shell
> scripting and using axfr-get, I could do this in 2 hours.

In fact I did it in less time (I think) one year ago, it was painless and snappy:

299836 Dec 23 2001 data

(the "/var/service/tinydns/root/data" file)

I simply don't dare put this into production yet since I have to consider the smallest acceptable TTL too (which is too much as is if something should go wrong...).

> And you're right. This is silly. So until you've got the info from
> your friend as to why tinydns does such a piss poor job of what bind
> can do so well, I really don't think this has to go any further, as
> it's not overly constructive.

Yeah, it's silly.

This week I was told they were looking for ways to integrate dns+dhcp (ddns) into their N0vell network using some software from N0vell... (yuk!) I have seen ways to do this with djbdns, but with for example Mandrake 9.0 it's very easy (and does not cost $$$$).

--
Regards // Oden Eriksson, Deserve-IT Networks

Check the "Modules For Apache2" status page at:
http://www.deserve-it.com/modules_for_apache2.html
