On Thu, Nov 14, 2002 at 03:17:55PM -0700, Vincent Danen wrote:
> No opinion on how good they are as I haven't tried them. But any of
> them will be better than BIND on a security and ethical standpoint.
Well I took some time to look at some of them today.

Dents:
- Hasn't been updated since July 11th, 1999.
- Has 2 support requests sitting in the queue that have never been responded to (both are over a year old).
- Mailing list archives show about 5 messages a year.
- Doesn't provide a cryptographic signature or even an md5 sum for their package.
- Documentation is missing in the package. Points you to the website: http://www.dents.org/, which fails to load for me.
- The MaraDNS site has a list of DNS programs... it says this one is abandoned. From the looks of it I'd agree.

MaraDNS:
- Has documentation.
- Has cryptographic signatures, but the key they are signed with isn't on wwwkeys.pgp.net, though the key is included in the package. Not putting their key on the keyserver doesn't give me a whole lot of confidence in the signature. So I imported the key that was in the package. It is only a self-signed key. Not very useful to prove that it's real. So much for a security focused DNS server.
- Doesn't support multiple views.
- Doesn't support separate ACLs for each zone.
- Doesn't support acting as a secondary server as far as I can tell.
- Doesn't support round robin setups, e.g. CNAME for www.domain.com points to multiple IPs that get returned in a rotating fashion. It only returns the first IP.
- Doesn't handle MXs and wildcard listings properly.
- Has an absolutely horrid zone file format.
- Doesn't appear to support the LOC record. At least I didn't see any explanation of how to make one in their file format.

MyDNS:
- Runs out of MySQL (I'm not terribly fond of this idea, so I didn't spend a lot of time on it).
- Does not do recursive name service.
- Once again doesn't have any cryptographic signatures for the files (though one is an rpm, they didn't sign it). Or for that matter md5sums.

Posadis:
- No recursion.
- No cryptographic sig. Even the rpm download isn't signed. They do provide md5sums... but we already know how useful these are for security, they aren't!
- Supports standard zone file format that BIND uses (wahoo).
- Supports DNS notify.
- Doesn't handle LOC records.
- Limited access controls.

Which leaves me with two functional servers that can handle my needs:
  djbdns
  bind

I haven't really looked at djbdns all that much. I don't really care to. But considering that it too is missing a cryptographic signature I find it hard to take his concern about security seriously.

The above is my evaluation of the software, based upon my needs. Others may find the other DNS servers more than effective for their needs. Especially if they aren't wanting recursive or authoritative zone hosting (I need to do both). Especially if they have much simpler requirements...

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org
"If you're not making any mistakes, you're flat out not trying hard enough." - Jim Nichols
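The complaint above about the MaraDNS key (a signature that checks out, but made by a key that nobody except itself has certified) is a check worth automating when evaluating any download. The script below is an added example, not code from this mail or from any of the DNS projects it discusses. It verifies a detached signature with GnuPG, pulls the signer's fingerprint from the VALIDSIG status line, and then counts how many certifications on that key come from some other key. It assumes GnuPG's --with-colons listing format (field 5 is the key ID on "pub" and "sig" records) and the VALIDSIG status-line layout (field 3 is the signer fingerprint); the two key listings embedded at the bottom are constructed by hand to exercise the counter offline and are not real keys.

```shell
#!/bin/sh
# Added example, not code from the mail above or from any of the DNS projects
# it discusses: verify a package's detached signature, then ask whether the
# signing key is certified by anyone other than itself. Assumes GnuPG's
# --with-colons listing format (field 5 is the key ID on "pub" and "sig"
# records) and the VALIDSIG status line (field 3 is the signer fingerprint).

# Read a `gpg --with-colons --list-sigs` listing on stdin and print how many
# "sig" records were made by a key other than the first "pub" record's own
# key ID. 0 means the key carries nothing but its self-signature.
third_party_sig_count() {
    awk -F: '
        $1 == "pub" && own == "" { own = $5; next }
        $1 == "sig" && $5 != own { n++ }
        END { print n + 0 }
    '
}

# Verify $2 (a detached .asc/.sig) over $1 and report on the signing key.
# Returns 1 if the signature does not verify, 2 if it verifies but the key
# is only self-signed (the situation described for the key shipped inside
# the MaraDNS tarball).
verify_package() {
    pkg=$1
    sig=$2
    fpr=$(gpg --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null \
          | awk '$2 == "VALIDSIG" { print $3; exit }')
    if [ -z "$fpr" ]; then
        echo "signature on $pkg did not verify (or key not imported)" >&2
        return 1
    fi
    n=$(gpg --with-colons --list-sigs "$fpr" 2>/dev/null | third_party_sig_count)
    if [ "$n" -eq 0 ]; then
        echo "signature OK, but key $fpr is only self-signed: this proves the" >&2
        echo "tarball matches the key in the tarball, not who made the key" >&2
        return 2
    fi
    echo "signature OK; key $fpr has $n third-party certification(s)"
}

# Constructed listings (not real keys) to exercise the counter offline.
# First: a key whose only "sig" record is its own self-signature.
SELF_SIGNED_ONLY='pub:-:1024:17:ABCDEF0123456789:2002-11-01:::-::::
uid:-::::2002-11-01::A1B2C3D4::Example Maintainer <maint@example.org>:
sig:::17:ABCDEF0123456789:2002-11-01::::Example Maintainer <maint@example.org>:13x:'

# Second: the same key with one certification from a different key ID.
CROSS_CERTIFIED="$SELF_SIGNED_ONLY
sig:::17:1111222233334444:2002-11-05::::Some Other Person <other@example.net>:10x:"

if [ $# -ge 2 ]; then
    verify_package "$1" "$2"
else
    echo "self-signed-only key: $(printf '%s\n' "$SELF_SIGNED_ONLY" | third_party_sig_count)"
    echo "cross-certified key:  $(printf '%s\n' "$CROSS_CERTIFIED" | third_party_sig_count)"
fi
```

Run it as `sh check.sh maradns-x.y.tar.gz maradns-x.y.tar.gz.asc` after importing the vendor key. A non-zero count only says that some other key has certified this one; whether you trust that certifier is a separate question that `gpg --check-sigs` and your own trust settings answer. The same reasoning applies to the md5sum complaint in the mail: a checksum file served from the same host as the tarball only catches download corruption, because whoever can swap the tarball can swap the checksum next to it.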
