On Thu, 18 Aug 2016, Greg Troxel wrote:

> Is it about security track record?

I'm not wanting to get into the discussion of fiat versus consensus decision making. However, I'd like to give my own personal answer on some of the questions you raise, as a heavy DNS user/sysadmin.

Bind's security track record has been somewhere between "horrible" and "really bad" depending on the version.

http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64

Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x code stream. Lots of folks still preferred the 4.x code base since 9.x added so much that it became a huge mess. 4.x had terrible security, but exhibited less inertia for getting started and maintaining the zones. So, Bind 4.x was maintained for quite a while.

The trend is also not in decline. Note that in 2016 there were eight vulnerabilities, and that's the largest number since 2002.

However, to be fair, Bind has also had the maximum amount of beatings from every high-profile hacking team you can imagine. Perhaps if competing projects had the same amount of scrutiny they wouldn't fare well, either.

> Is unbound/nsd feature complete relative to everything that can be done
> with bind?

Not even close if you consider the whole list. Unbound can only function as a recursive resolver. It has *no* ability to serve PTR and A records directly. It does, however, have some DNSSEC functionality.

> Specifically, serving authoritative zones, DNSSEC, dynamic updates, and
> (for others) split dns?

It does not do split horizon because it can't be authoritative (same for dynamic DNS). YADIFA, MaraDNS, Knot DNS, or Djbdns would all be better choices than Unbound if you want a "real" server. The idea behind Unbound is to provide a secure and fast client resolver.

Here's how the others would break down in a nutshell:

YADIFA:
  Pros: BSD licensed. Fast. Full featured.
  Cons: Newer. Not even in pkgsrc yet. No recursion. No split horizon.

MaraDNS:
  Pros: Good security record, stable, most features available.
  Cons: Zany "Mara-DNS" license and weird layout / config.

Knot DNS:
  Pros: Very full featured. Fast. Awesome YAML config setup.
  Cons: GPL'd, won't act as a recursive resolver.

Djbdns:
  Pros: Very secure. Fast. Public domain (no license).
  Cons: Missing features, spotty maintenance.

> Please note that I'm not objecting; I'm just asking for the rationale to
> be articulated.

In my mind the rationalization would be that most folks would probably rather have a secure resolver than a full-featured (potential) authoritative server. My guess is that a recursive server is what most folks want. The trade-off is essentially that you lose a bunch of features, but you also create a much smaller attack surface and gain Unbound's (slightly) more clear syntax.

If authoritative DNS is seen as indispensable for distribution in NetBSD, it might be expedient to track YADIFA (since it's got a compatible license). However, the trouble is it's about 8 years behind Bind's feature set.

-Swift

<offtopic curmudgeon lament>
PS: It's sad that ISC decided to move to the MPL, but I don't blame them much. It sucks to work on something for years that's "insanely popular" but nobody will contribute to or support. I'm sure folks know the feeling. I've read similar complaints from the OpenSSH team. I don't blame them a bit. Our 19[90|80]'s ideas about software freedom have been put to the test, and I'm not sure they've come out unblemished by the big-B-Billions of Internet ab^H^Husers.
</lament>
