Quoting vince cagud ([EMAIL PROTECTED]):

> okay, if BIND is such a horror....
BIND8 and BIND4 are horrors.  BIND9 has zero common code, as discussed
previously, and has some questionable architectural features and
performance making it sub-optimal for some roles, but is at least
serviceable for practically any role.

> i have a question for all serious DNS administrators out there. what
> nameserver program would you use that supports the RFCs as much as
> BIND does?

I don't think that's an interesting question.  You don't run daemons to
"support RFCs":  You run them to accomplish desired functionality.  RFCs
are significant to the extent that they accurately describe and specify
things you desire or need to do.

Here's a post of mine from elsewhere that might be useful for you:

To: SlugLUG <[EMAIL PROTECTED]>
Subject: Re: [SlugLUG] DNS links
User-Agent: Mutt/1.4i
From: Rick Moen <[EMAIL PROTECTED]>
Date: Sat, 23 Nov 2002 14:51:17 -0800

Quoting Ignacio Solis ([EMAIL PROTECTED]):

> You can find more information about BIND in its home page [1].  The
> primary document you might want to consult is the DNS How-To [2].  Or
> the troubleshooters page [3].

Brief comments about that, below.

> One of the books passed around was the Unix System Administrators
> Handbook [4] which I consider an essential reference.

That and the similar Aeleen Frisch volume from O'Reilly.  Also Craig
Hunt's _TCP/IP Network Administration_, also O'Reilly.

> I don't have yet the Linux Administrators Handbook [5] but I
> do plan to get it.

My personal opinion is that the regular Nemeth book (_Unix System
Administration Handbook_) makes this redundant.  The earlier book covers
the topic in worthwhile respects.  I figure this book was sawed together
mostly to fill a marketing niche.

> As usual our friends at O'Reilly have an excellent book on the topic
> [6].

(Referring to Albitz and Liu's _DNS and BIND_.)
I have an earlier edition, and have looked at this one on the shelves:
This edition (4th) struck me as being a little weak on the new features
of BIND 9.x, which is frustrating because there's not enough available
on-line about that, either.  I'll have to look at it again, but was
disappointed at the time I looked.

Anyhow, one limitation of both the Albitz book and the troubleshooters.com
DNS page is that they concern BIND, solely.  Even after the from-scratch
rewrite for the v. 9.x series, BIND is a slow, RAM-grabbing, overfeatured,
monolithic daemon binary.  It's a shame that most DNS information _is_
BIND-specific, since that's held us back.  There are now a number of
alternative packages that may have advantages for many deployments.  E.g.:

MaraDNS is a general-purpose, fast DNS server package (doing recursive,
authoritative, and caching roles, plus fully supporting zone transfers):
http://www.maradns.org/

pdnsd is a small caching-only DNS server with a disk-based cache,
suitable for small networks and workstations:
http://home.t-online.de/home/Moestl/

Dnsmasq is a small authoritative and caching DNS server for a group of
NATted / IPmasqued machines (optionally pulling names from DHCP leases):
http://www.thekelleys.org.uk/dnsmasq/

DNRD is a small caching-only DNS server for NAT / IPmasq networks:
http://dnrd.nevalabs.org/

MyDNS is a MySQL-based authoritative and caching server (no recursive
service) suitable for very large sites.  In such roles, it's faster and
more responsive than BIND9, even though the latter uses a RAM-based cache:
http://mydns.bboy.net/

ldapdns implements the same idea, except out of an LDAP database.
Again, much faster than BIND9:
http://nimh.org/code/ldapdns/

GnuDIP is an authoritative server for Dynamic DNS:
http://gnudip2.sourceforge.net/gnudip-www/

NSD is a high-performance authoritative-only daemon:
http://www.nlnetlabs.nl/nsd/

CustomDNS is an authoritative-only daemon for both static addresses and
its variant form of dynamic DNS:
http://customdns.sourceforge.net/

lbnamed is a similar authoritative-only daemon for static and dynamic
information, with a load-balancing multi-machine architecture:
http://www.stanford.edu/~riepel/lbnamed/

Posadis is another fast authoritative-only daemon:
http://posadis.sourceforge.net/

dents is another general-purpose DNS server, but is perennially unfinished:
http://sourceforge.net/projects/dents/

Pliant DNS Server is another general-purpose DNS server, although it may
not support zone transfers:
http://pliant.cx/pliant/protocol/dns/

Yaku-NS is another small, fast general-purpose DNS server:
http://www.kyuzz.org/antirez/ens.html

And a follow-up:

From rick Sun Nov 24 01:03:30 2002
Date: Sun, 24 Nov 2002 01:03:30 -0800
To: SlugLUG <[EMAIL PROTECTED]>
Subject: Re: [SlugLUG] DNS links

Quoting Jeremy Avnet ([EMAIL PROTECTED]):

> I am wondering why TinyDNS (or djbdns) wasn't on the list?  Some beef
> with DJB (as many seem to have)?

{shrug}  PowerDNS wasn't on there, either (http://www.powerdns.com/).
In general, I have no problem with people wanting to search out and use
proprietary software, but they don't need my help.

And -- what the heck -- here are some of my recent posts to a related
thread on a different mailing list:

From rick Wed Nov 13 00:50:14 2002
Date: Wed, 13 Nov 2002 00:50:14 -0800
To: [EMAIL PROTECTED]
Subject: DJB ruckus du jour

http://developers.slashdot.org/article.pl?sid=02/11/12/1823213

In which a flying squadron of DJB cultists run in to soften up the
terrain, at which point Prof. Bernstein enters proclaiming "Rick Moen
is an idiot."
RealVideo stream (which is of course based on free software, and only
FSF zealots would say otherwise) at 11.

-- 
Cheers,                       Age, baro, fac ut gaudeam.
Rick Moen
[EMAIL PROTECTED]

From rick Wed Nov 13 15:05:26 2002
Date: Wed, 13 Nov 2002 15:05:26 -0800
To: [EMAIL PROTECTED]
Subject: DJB ruckus du jour

[Sorry about breaking threading.  I had already deleted prior posts.]

Marc Merlin wrote:

> An entertaining read, as always, thank you for putting things back
> into place and exposing those people for who they were.

When Bernstein showed up and started posting to that thread, himself, he
posted a link to a real stunner Web page that I've never noticed before:
http://cr.yp.to/djbdns/third-party.html

OK, you probably know that Bernstein, with perhaps some justification,
just doesn't like the BIND-originated mechanisms for doing zone
transfers, and therefore IXFR/TSIG and outgoing AXFR remain impossible
with djbdns, to my knowledge even with third-party add-ons.  (Inbound
AXFR is possible using axfrdns, after some work.)  Bernstein makes an
argument that the BIND-originated mechanisms are badly designed, a poor
idea, needlessly dependent on BIND file syntax, and in some cases
(IXFR/TSIG incremental transfers) unreliable.  He points out that (if
you control both ends) you can accomplish the same thing -- better, he
says -- using rsync/ssh or scp, among other alternatives.

Up to that point, his stance is basically "Hey, I don't like those other
things; here's what my stuff does instead.  Take it or leave it."  Which
is at least defensible.  (Your comments much earlier about
push-distribution using rsync/ssh or scp being a security headache are
duly acknowledged.)

_But_, on the page I'm talking about, Bernstein decides that's not
enough, and attempts to seriously allege that offsite backup DNS is
mostly pointless anyway!  I'm not kidding; he really does say that.

Remarkable.

-- 
Cheers,                  Errors have been made.  Others will be blamed.
Rick Moen
[EMAIL PROTECTED]

From rick Wed Nov 13 17:03:06 2002
Date: Wed, 13 Nov 2002 17:03:06 -0800
To: [EMAIL PROTECTED]
Subject: Re: [linux-elitists] DJB ruckus du jour

Quoting Wayne Earl ([EMAIL PROTECTED]):

> Having been on both sides of the DJB software issue, the debate has
> always struck me as being mostly a conflict of prevailing values:

Well, it's _also_ over intellectual honesty, something you did not
mention.  I got tired of seeing this sort of scheiss bandied about in
front of the gullible:

o  Implying through strategic omission that BIND9 is tainted by BIND8
   security problems, when the speaker knows perfectly well that the
   former was a from-scratch rewrite to jettison a hopeless codebase.

o  Attempting to mislead everyone into thinking that clearly proprietary
   projects are open source, instead of saying "Here are the terms.  Use
   the code or don't."

o  Almost never being willing to compare Qmail against Postfix, only
   against Sendmail because the latter is a more-facile target, and
   because the speaker is attempting to rope-in admins too wet behind
   the ears to have heard of anything _but_ Sendmail, before they've
   tried and adopted those other options (Postfix, Courier, or even
   Exim).

o  Attempting to dismiss licence analyses without addressing them, by
   claiming merely that proprietary DJBware "doesn't have a licence",
   when the speakers are fully aware that it has the _default_ licence
   that is implicit in copyright law unless explicitly overridden, which
   licence happens to be proprietary in nature.

If the DJBware camp were to cease trying to shade the truth, actively
mislead the unwary, and play disreputable rhetoric games, they wouldn't
encounter such hostility -- when in truth they have some valuable
lessons to offer (see below).

> DJB has the almost singular distinction of writing major software
> packages, widely deployed, with ZERO security holes.
In _part_ through modular design, attention to trust relationships,
eschewing featuritis, careful coding to prevent buffer overflows, and
other worthwhile practices.  However, in part, it has also been through
omitting needed functionality, requiring you to retrofit it through
either third-party patches or ancillary software.

I mean, wow!  djbdns has never had any security flaws in its outbound
AXFR or IXFR/TSIG code.  That's great!  Except, wait:  djbdns doesn't
_do_ any of those things, and instead Bernstein suggests that, if you
absolutely insist on having offsite backup nameservice (which he claims
is mostly pointless) that you do so using file-replication tools such as
rsync over ssh, or using scp.  Cool!  Well, I'm glad we've been saved
from any security problems.  I mean, it's lucky that there's never been
the _least_ security flaw in OpenSSH or OpenSSL, right?

Or:  You deploy qmail.  Oops, you encounter a security problem.  You
complain about it on the qmail mailing list.  Oh, I'm sorry, you failed
to understand the rules of the game:  Since you expected qmail to
actually _do_ something useful, you applied some of the huge number of
third-party patches that exist to supply missing functionality.  You
unfortunately thereby deprived yourself of the DJB Seal of Absolute
Perfection<tm>.  Silly boy.  You Have Lost.

A large part of the reason why its author created the Courier MTA was
that he was a Qmail admirer, generally, but got sick to death of having
to deluge it with third-party, unsupported (and never regression-tested)
hacks in order to make it actually _do_ things.  See:
http://www.courier-mta.org/history.html

> People choose to use software for a variety of reasons.  If you don't
> like the license, don't use the code.  Real freedom means the freedom
> to choose, based on the premises and reasons that make sense to you.

Absolutely.  And all I ask is honesty about that licensing from the
DJBware camp.  Which is conspicuously lacking.
> As an aside, I find it ironic that for all the trashing people do to
> DJB for his software being "non-free", his legal case with the EFF has
> the potential to do MORE for real freedom than any OSI license ever
> has.

Speaking just for myself, I never trash his software for being non-free;
I just say it's one of several reasons I elect not to use it.  And I
very prominently praise Prof. Bernstein for the Bernstein v. US DoJ
lawsuit, frequently.

-- 
Cheers,                  Errors have been made.  Others will be blamed.
Rick Moen
[EMAIL PROTECTED]

Date: Wed, 13 Nov 2002 18:13:28 -0800
From: Rick Moen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [linux-elitists] DJB ruckus du jour

Quoting Wayne Earl ([EMAIL PROTECTED]):

> I definitely see this point.  In fact, of all the rumblings against
> djb's work, yours seems to be one of the few based on logic.  My point
> wasn't to support or refute either "side" - it was to point out that,
> imo, most of the arguments come from different points of view.

Noted.  And thanks.

I will admit to experiencing about ten minutes of unreasoning rage on
2001-02-18 immediately following Prof. Bernstein barraging my mailbox
with what amounted to a lawsuit threat over the initial form of my Web
essay about why I choose not to use his software.  About two minutes
after _that_, I decided that a constructive form of therapy would be to
append (to that essay) a listing of all open-source alternatives to each
piece of DJBware.

The beauty of that, as it turns out, is that every time Prof. Bernstein
has railed against me and called me names -- calling attention thereby
to my essays -- he has built mindshare for packages like MaraDNS,
vs-ftpd, and Postfix, and exposed to public view the pervasive con-jobs
surrounding his own projects.  And all I have to do is sit back and
watch.

-- 
Cheers,                  Chaos, panic, & disorder - my work here is done.
Rick Moen
[EMAIL PROTECTED]

Date: Wed, 13 Nov 2002 18:26:09 -0800
From: Rick Moen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [linux-elitists] DJB ruckus du jour

Quoting Michael Bacarella ([EMAIL PROTECTED]):

> Before you crucify me as a DJB-cultist (or just ignore me) I figure
> a preemptive response is in order.
>
> I don't run any of DJB's software, and I don't particularly approve of
> the way he organizes any of it (I'm really not interested in
> downloading all of his UNIX-reinvented).  However, I do believe that
> his ideas aren't as patently insane as you do (although admittedly, he
> can be a bit excessive).

Herewith, in what I hope is pleasant surprise, a preemptive gesture on
my own part:  I agree with you.

> I think BINDv9 is likely to be a security liability soon enough, but
> because of architectural reasons.  The DNS spec is cram-packed with
> useless functionality that BIND has to support, and has to support
> with a single process image design, and a complex configuration file.

Hey, I agree.  I think there are too many eggs in that basket, and too
much code for a monolithic design.  Further, I think having all 13 root
nameservers run BIND is friggin' nuts -- and that it would be so, even
if it weren't BIND8 that they're running.

I likewise think that the time for keeping all data in an in-memory
cache passed a decade ago.  Vixie knows this from personal experience,
since adding the DNSSEC data to BIND9's cache has tended to explode the
RAM requirements to the point where even ISC's enormous primary DNS host
has a difficult time juggling all that data.  I heard him admit this
during a lecture, a year or so back.

Also, we always suspected that the throughput of BIND (any version)
sucked, but recently have been seeing confirmation from competing
products.  Notably, MyDNS has proven to have an order of magnitude
better transaction-handling capacity, despite being back-ended into a
MySQL database.
> It would be neat to see him compare qmail to Postfix, et al, but
> perhaps he simply believes they're all inferior to qmail and that
> since Sendmail is by far the largest target, he may as well
> concentrate on attacking that?

But there's also the fact that he's willfully comparing it against one
of two monolithic-binary designs (Sendmail, Exim) rather than against
the two other common modular ones (Postfix, Courier).  Apples, oranges
-- and both he and essentially all of his groupies know it.

Certainly, it could be coincidence.  But, as Runyon said, that's not the
way to bet.

-- 
Cheers,                         Before enlightenment, caffeine.
Rick Moen                       After enlightenment, caffeine.
[EMAIL PROTECTED]

Philippine Linux Users Group.  Web site and archives at
http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at
http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
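Whether a zone reaches its offsite secondaries by AXFR/IXFR or by rsync-over-ssh, the operational question the thread above keeps circling is the same: is every secondary serving the primary's current SOA serial? The following is an added example, not code from any of the posts, showing that check with the RFC 1982 wraparound comparison that SOA serials require; the host names and serial values are constructed.

```python
# RFC 1982 serial-number arithmetic for DNS SOA serials, plus a check for
# secondaries that have fallen behind the primary.  Added example, not code
# from the posts above; the host names and serials below are constructed.

SERIAL_MAX = 1 << 32   # SOA serials are unsigned 32-bit integers
HALF = 1 << 31         # RFC 1982's "half the serial space" boundary


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 rules.

    Plain integer comparison breaks when a serial wraps past 2**32 - 1;
    RFC 1982 instead asks which value is "ahead" by less than half the
    space, and leaves the order undefined when they differ by exactly 2**31.
    """
    if not (0 <= a < SERIAL_MAX and 0 <= b < SERIAL_MAX):
        raise ValueError("SOA serials are unsigned 32-bit integers")
    if a == b:
        return False
    diff = (a - b) % SERIAL_MAX
    if diff == HALF:
        raise ValueError("undefined comparison: serials differ by 2**31")
    return diff < HALF


def stale_secondaries(primary_serial: int, secondary_serials: dict) -> dict:
    """Return {host: serial} for each secondary whose serial is older than
    the primary's, i.e. a zone copy that has not refreshed."""
    return {
        host: serial
        for host, serial in secondary_serials.items()
        if serial_gt(primary_serial, serial)
    }


# Constructed sample, as a monitoring job might collect it by querying each
# server's SOA record (dig +short SOA <zone> @<server>).
PRIMARY_SERIAL = 2002112401
SECONDARY_SERIALS = {
    "ns2.example.net": 2002112401,   # in sync
    "ns3.example.net": 2002112301,   # a day behind: the transfer never happened
    "ns4.example.net": 2002112402,   # ahead of the primary: worth a look too
}

if __name__ == "__main__":
    for host, serial in stale_secondaries(PRIMARY_SERIAL, SECONDARY_SERIALS).items():
        print(f"{host} is stale: serial {serial} behind primary {PRIMARY_SERIAL}")
```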
