> On Aug 18, 2016, at 4:53 PM, Swift Griggs <[email protected]> wrote:
>
>> On Thu, 18 Aug 2016, Greg Troxel wrote:
>> Is it about security track record?
>
> I'm not wanting to get into the discussion of fiat versus consensus
> decision making. However, I'd like to give my own personal answer on some
> of the questions you raise, as a heavy DNS user/sysadmin.
>
> Bind's security track record has been somewhere between "horrible" and
> "really bad" depending on the version.
>
> http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64
>
> Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x
> code stream. Lots of folks still preferred the 4.x code base since 9.x
> added so much that it became a huge mess. 4.x had terrible security, but
> exhibited less inertia for getting started and maintaining the zones. So,
> Bind 4.x was maintained for quite a while.
>
> The trend is also not in decline. Note that in 2016 there were eight
> vulnerabilities and that's the largest number since 2002. However, to be
> fair, Bind has also had the maximum amount of beatings from every
> high-profile hacking team you can imagine. Perhaps if competing projects
> had the same amount of scrutiny they wouldn't fare well, either.
>
>> Is unbound/nsd feature complete relative to everything that can be done
>> with bind?
>
> Not even close if you consider the whole list. Unbound can only function
> as a recursive resolver. It has *no* ability to serve PTR and A records
> directly. It does, however, have some DNSSEC functionality.
>
>> Specifically, serving authoritative zones, DNSSEC, dynamic updates, and
>> (for others) split dns?
>
> It does not do split horizon because it can't be authoritative (same for
> dynamic DNS).
>
Don't ignore the NSD part of the subject.
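The point being made is that the authoritative role Unbound lacks is what NSD is for: NSD serves the zone, Unbound recurses and is pointed at NSD for the internal zone. The configuration pair below is an added illustration of that split, not taken from the thread or from either project's documentation; the zone name `example.internal`, the port `5353`, the paths, and the addresses are all assumed for the example. Both files use the `#` comment syntax of their respective daemons.

```conf
# ---- /etc/nsd/nsd.conf (assumed path) ----
# NSD is authoritative only. Bind it to loopback on a non-53 port so the
# recursive resolver on the same host can keep port 53 for clients.
server:
    ip-address: 127.0.0.1@5353
    zonesdir: "/etc/nsd/zones"        # assumed directory for zone files

zone:
    name: "example.internal"          # constructed internal zone
    zonefile: "example.internal.zone" # standard zone-file format, maintained by hand

# ---- /etc/unbound/unbound.conf (assumed path) ----
# Unbound is recursive only. Clients talk to it; it forwards the internal
# zone to NSD and resolves everything else normally. The access-control
# lines keep it from becoming an open resolver reachable from outside.
server:
    interface: 127.0.0.1
    interface: 10.0.0.53              # constructed internal listener address
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # By default Unbound refuses to send queries to localhost; the stub
    # below points at 127.0.0.1, so that protection must be relaxed here.
    do-not-query-localhost: no
    # Answers from the internal zone contain RFC 1918 addresses, which
    # Unbound would otherwise strip as rebinding attempts if private-address
    # filtering is enabled; private-domain whitelists this one zone.
    private-domain: "example.internal"

stub-zone:
    name: "example.internal."
    stub-addr: 127.0.0.1@5353
```

Only hosts on the internal network can reach the Unbound listener, so `example.internal` answers are visible inside and not outside, which is the split-horizon behaviour the thread says Unbound alone cannot provide. Dynamic updates are still absent in this arrangement; NSD serves static zone files, so zone changes are file edits followed by a reload.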
