Domain: isc.org
Stories and comments across the archive that link to isc.org.
Comments · 347
-
Re:Not DNS
It already takes forever for DNS changes to propagate through every network, which can be extremely frustrating when you have a high bandwidth domain. There definitely needs some optimization on the DNS front.
If your zones are taking too long to propagate, maybe you need to Read The Fine Manual ... especially the parts around Refresh and Time to Live -
All You Could Ever Need
-
Re:Root servers not decentralized?
The most obvious example? The fact is that there are 13 of them, in widely scattered locations across the globe, and it's not decentralized?
Even more to your point, there are many more than 13 root name servers. There are 13 root name server IP addresses, but some of those belong to many different servers.
For example, the "f" root server is really 22 servers, themselves distributed around the world. Check out ISC F-Root Information.
I don't know how many root servers there really are, though. Anyone?
-
Re:You really see which DNS does heavy lifting.[ http://www.maradns.org/dns_software.html ]
Other DNS software
This is a list of some other DNS software out there:
Freely downloadable DNS servers
Caching DNS servers
- BIND 9 is a complete rewrite of BIND, and, as such, probably does not have the security issues that previous versions of BIND have. In fact, one of the BIND developers found a security problem in earlier versions of MaraDNS. Very full-featured, and is the reference standard for the newer DNS RFCs.
- Oak DNS is a DNS server written completely in python. It is compatible (I think) with both BIND zone files and cache files.
- pdnsd is a recursive caching DNS server. Paul Rombouts is the current maintainer of this program.
- Posadis is another DNS server project, similar to MaraDNS. This server is now both a resolving and an authoritative DNS server.
Non-recursive DNS servers
- PowerDNS is an authoritative-only DNS server with support for, among other things, SQL. I would like to applaud the PowerDNS developers for making a libre release of this software. Note: Recursive code is in the works; PowerDNS will soon enough be a fully functioning recursive DNS server.
- DnsJAVA is an authoritative-only DNS server written in Java.
- NSD is an authoritative-only DNS server which is compatible with BIND zone files.
- MyDNS is an authoritative-only DNS server which uses MySQL as a database back end.
- The Pliant language/package comes with a DNS server. This DNS server can not recursively process DNS queries given a list of root servers.
- Twisted includes a non-recursive DNS server.
- The Eddit project includes a DNS server
- SheerDNS is a simple non-caching DNS server that stores all records as their own files.
Abandoned DNS server projects
These are DNS server projects which have not released any files for six months or longer, and which never became functioning recursive (caching) DNS servers.
- MooDNS is another DNS server project. A CVS checkout on January 21, 2003 shows that no files have been updated since July 20, 2002, except for a single readme file updated on August 1, 2002. This project is abandoned. I have made a tarball available for people who do not want to bother with a CVS checkout.
- Dents is a DNS server that showed a lot of promise. Unfortunately, no files have been released since 1999.
- Yaku-NS is a DNS server geared towards embedded systems. According to the changelog, no one has made any changes to this software since February, 2001.
- CustomDNS has not released any files since the summer of 2000.
Other
-
Re:You really see which DNS does heavy lifting.[ http://cr.yp.to/djbdns/other.html ]
Other DNS software
Management tools
twa lets authorized browsers edit the tinydns data file.
ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.
Servers
ldapdns publishes DNS information from an LDAP database.
MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.
Caches
pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18).
MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache .
DNS clients
adns is a DNS client library.
ares is a DNS client library.
perldns is a DNS client library for Perl.
The Buggy Internet Name Daemon [how very professional... *sigh*]
BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcompla
-
why use bind? (vixie's comment)
bind was the first unix dns implementation and its user base has a lot of inertia. ISC supports it, both for free and for fee. it follows RFC's. there's DLZ for folks who need sql-driven zone or config data (and we're working with DLZ's author to integrate it into an upcoming BIND9 release). BIND4 and BIND8 were subject to exploit-of-the-year syndrome but BIND9 (released in Y2K) has been exploit free.
but the number one reason folks do use, or should use, BIND is that ISC wants to help you use it, including answering questions, accepting contributed code, adding requested features whenever possible, using a BSD-style license, and otherwise working to ensure BIND's relevance.
if you prefer something else, that's cool. but according to ISC's own survey, most servers on the internet today run BIND, and we at ISC could not possibly be any more pleased about that than we are. making DNS work, and keeping the specifications in the hands of what you now call "the open source community" has been our goal from day 1.
paul vixie -
Blah blah
I must say that I find it very interesting that people are able to spread worms this fast nowadays. Back in the day it took weeks or months to see something, and most people had already patched the worms by then, but now it's crazy, a worm can propagate to the entire world in a day! Even faster than DNS :D Maybe something for the BIND developers to consider? -
Re:Wow
Maybe he means the Lynx web browser? I don't know what it has to do with the 2800, though.
-
Re:Let me guess...
-
Re:Let me guess...
-
Re:Well, that's convenient...
please name a "serious vulnerability" for Bind 9
The ISC website lists the DoS_findtype bug, in all BIND versions prior to 9.2.1, and rates it "SERIOUS".
-
Re:First Post?
You're going to need to learn how to read first. Bind for Windows NT/2000 binary and source, just a little down the page.
-
Re:Wait till the next exploit,,,
Exploits are not uncommon in BIND, even today. Take a look at their security alert page, especially the matrix at the bottom. Security problems abound!
It's not clear why people continue to use BIND. It's probably because it's just assumed that it's the only thing out there. But everything from security to configuration is poorly done in BIND. I use tinydns (part of djbdns) instead on all my servers. It's written by Daniel Bernstein, the same guy that wrote qmail. He's got a great track record -- no security holes in any of his software, AND he backs up that assertion with a $1000 prize to anyone that finds such a hole. He makes a better case than I do for tinydns/qmail vs. BIND/sendmail than I ever could. -
Re:Is this a *smart* idea?
a.a-s was indeed there, and once you were looking at the actual Usenet group names, finding it was no problem. The default AOL setting, though, was to present "friendly" names for newsgroups. For example, a.a-s appeared in the groups list as something like "Discussion about America Online," even if you searched specifically for alt.aol-sucks.
In AOL's defense, they didn't just sugar-coat controversial group names; pretty much everything outside of alt.binaries had a "friendly" name. Some of them came from the "For your newsgroups file" line in the newgroup messages. Some seemed to be custom-written. a.a-s fell into the latter category, I'm positive that the friendly name for it was not "Why we hate AOL and its users."
I don't remember the exact option, but you had to toggle the default setting in Newsgroup Preferences to _not_ "display friendly newsgroup names." After doing that, finding and subscribing to a.a-s was a piece of cake.
-s -
Re:Making good money with F/OSS
Don't forget ISC, I hear their stuff gets used a lot...
-
Go ahead!
Start by rewriting bind in the safe language of your choice...
In the meantime, people are working at making current code that people are relying on more secure...
Until you have something to show, STFU...
-
From the Article: ISC
On who should be controlling these, the article says:
ISC (previously mentioned in this context) would indeed be a fine choice as it has proven itself to be reliable and politically independent over time.
Right, I'm an ignorant user who doesn't pay much attention to this politics stuff. Before I write any letters supporting ISC, what's Slashdot's general opinion of the group? -
Re:Patch for BIND
I'm not sure if it's available as a patch, but you can download the latest version of BIND and you'll be set.
And then, as AKnightCowboy pointed out earlier:
zone "com" {
type delegation-only;
};
zone "net" {
type delegation-only;
}; -
mirrors that have builds
The following is a full list of the primary and secondary mirrors that have Firefox 0.8 builds. This list will also be maintained and updated.
Apologies for not listing one per line, but slashdot rejects posts with "too few characters per line".
North America: mozilla.isc.org (http) mozilla.isc.org (ftp) trillian.cc.gatech.edu (http) trillian.cc.gatech.edu (ftp) mozilla.ussg.indiana.edu (http) mozilla.ussg.indiana.edu (ftp) mozilla.oregonstate.edu (http) mozilla.oregonstate.edu (ftp) mozilla.gnusoft.net (http)
Europe: sunsite.rediris.es (http) sunsite.rediris.es (ftp) sunsite.cnlab-switch.ch (ftp) ftp.cvut.cz (ftp) www.artfiles.org (http) ftp.rediris.es (ftp) ftp.rediris.es (http) ftp.task.gda.pl (ftp) ftp.task.gda.pl (http) sunsite.icm.edu.pl (ftp) (Windows only) sunsite.icm.edu.pl (http) (Windows only) ftp.mirror.ac.uk (ftp)
Asia/Australia: ftp.lab.kdd.co.jp (ftp) ftp.kaist.ac.kr (http) ftp.kaist.ac.kr (ftp) ftp.nctu.edu.tw (ftp) mozilla.mirror.pacific.net.au (ftp) mozilla.mirror.pacific.net.au (http)
-
Re:get the "any" browser at
Correction. The official Lynx site is http://lynx.isc.org/. It's now listed as so in 2.8.5rel1.
-
And while we're at it, go get the new Lynx
-
slashdotted
-
Re:Mirror
-
Re:Mirror
-
Re:Mirror
-
Contrib Packages for 3.2
Since nobody has (yet) taken the pains of posting the mirror list (yea, yea, I know, this is /.) -- here it is:
Hmm .. I wonder if the /. lameness filter was designed so that people couldn't post whole mirror lists themselves. Telling me that I don't have enough characters per line. I think I'll just ask the KDE people to create a static fast-serving no-css page full of mirrors for KDE whenever a release happens. That way, at least some amount of trouble would be saved. Goes off to mail KDE team ...
(pulled from KDE Mirror List)
WARNING: VERY BAD FORMATTING to get around the lame lameness filter.
-
Re:The two major things that turned me off ...
The bigger issue to me is language choice. GTK has bindings for almost every commonly used language. Qt doesn't support much besides C++. I prefer the extra flexibility of GTK for that reason.
Qt has bindings for several languages, including Java, Perl, Python, C, Ruby and C#.
I once heard the C binding is not very useful for using it from C, but it is intended to be used as a foundation for bindings to other languages. Does somebody know if this is true? Has somebody tried to use Qt C binding?
I once read an example Java program that used Qt/Java and it looked good.
here are bindings for C, Perl and Python.
here are bindings for Java.
here are bindings for C#
here are bindings for Ruby. -
Re:A cheap publicity stunt
Thomas Dolby (She Binded Me With Science)
bLinded, it's not that kinky, it's also not a BIND reference
-
Re:Why did he abandon AbiWord?
Much of SourceGear's computing infrastructure is Unix-based, and free software is used for things like e-mail, DNS, backups, and mailing lists. We use this software primarily because it's reliable and efficient. These systems were mostly put in place years ago, and only need periodic software updates and hardware check-ups.
Windows and IIS were the most convenient platform for our corporate web site given our .NET product focus. You can visit Eric's personal web site, which was running Apache last time I checked. -
rtfm
From bind9-users mailing list:
On Wednesday 15 October 2003 02:31 pm, Mike Hoskins wrote:
>> i'd prefer to see the feature stay, but possibly have the operation
>> reversed as someone suggested (include list vs. exclude list). it's a
>> little harder to shoot yourself in the foot that way, but it is also more
>> inline with KISS/POLA IMCO. i.e. it seems less astonishing (to me) to
>> specify "what you want" vs. "what you don't want".
If you haven't read: www.isc.org/products/BIND/delegation-only.html, please do, as you will see that we have always (almost from the beginning) had two ways for taking care of this issue. It's up to the administrator to decide which option to use, if any at all. FWIW, we are always reviewing the list of TLD's in the root-delegation-only example, and will update the list as appropriate. (Remember - administrators can edit the list to their heart's content if they disagree with what we list)
So don't blame bind, or its multitude of admins.
-
Re:hmm..
BIND means : Berkeley Internet Name Daemon
-
Re:hmm..
-
What Sitefinder?
Blocking single IPs is soooo... pre-verisign-ish... I can only urge everyone to upgrade their nameservers!
Click here for info: ISC BIND delegation-only
zone "aero" { type delegation-only; };
zone "biz" { type delegation-only; };
zone "com" { type delegation-only; };
zone "coop" { type delegation-only; }; ...
zone "zw" { type delegation-only; };
-
Re:Wanna hear a joke?
and the fact that some of the most important services on the Internet run on Open Source Software
Let's see now, one of the 13 root name servers, sure you don't need those?
Plenty more examples if you just get your head out of the sand and look around you -
For those who run into trouble looking for mirrors
Now at a station near you !
Windows : Linorg Projeto Brasil ISC | IndianaU | BinaryCode | ibiblio.org | PAIR | SecsUp | Telentente | Umbc Vienna UT
Linux : IndianaU | ISC | BehrSolutions | BinaryCode | ibiblio.org | pair | SecsUp | Telentente | Umbc Vienna UT Belnet | KULeuvenNet CVUT Sunsite FUNET -
There is no bandwidth/dollar exchange rate.
It's not like we can redeem the bandwidth for $$. kernel.org is probably plugged into some backbone at a friendly ISP and costs essentially nothing to run.
That relatively guaranteed 250Mbit access to the source is not something I'd easily give up. -
Another reason not to register
The New York Times's site is useless under my browser of choice for reading Slashdot articles, lynx (and anyone who yells "Use a different browser, then!" is missing the point). I can fill out the cute little questionnaire, register, use the login and password specified... and the damned site bounces me back to the login page anyway. I refuse to play games, and I refuse to use Mozilla (bog-slow) or MSIE (requires reboot into MS-Windows) just because a site doesn't want to deal with a perfectly good browser on the level. Most NYT articles eventually show up on Google News, anyway, and those that don't are typically redundant to other articles that do show up on Google News.
-
Flawed theory
In theory you're blocking packets to Verisign to prevent them from getting advertising revenue from you or your customers if you're a provider. While you do this with good intentions, your actions actually create more serious problems. What this actually does is cause mail to pile up in your mail queue. The domains still resolve to 64.94.110.11 and your MTA still tries to send mail to that address. If you REJECT the packets your MTA will queue the message and retry. If you DROP the MTA will have to wait for the connection(s) to timeout at which the mail will again be dropped back in the queue. The mail will sit there a predetermined number of days (4-5 usually) until such time that your MTA finally gives up and sends a bounce to the sender. This is one of many problems involved in "blocking" packets to/from 64.94.110.11.
The best solution short of carpet-bombing Verisign corporate headquarters is to use one of the actual "fixes" for the problem like the Bind 9.2.2rc3 patches. This patched version of Bind and the appropriate config lines causes bind to ignore all lookups in the GTLD servers that return something other than a delegation. This prevents the lookups from returning 64.94.110.11 and ensures that the proper NXDOMAIN value is returned instead.
-
A Solution from ISC
ISC has already released a new version of BIND that can be configured to ignore wildcard data from root servers. More info is at http://www.isc.org/products/BIND/delegation-only.html. I, for one, will install it. -
Re:BIND 8 patch for Verisign stupidity
Here's info on new versions of BIND 9 from ISC. Works for me.
-
Re:Stupid question but...
>Elementary. The more people use their connections, the more bandwidth you have to buy from your upstream.
I don't buy into that explanation. Comcast is large enough that they should be peering with ISP's directly instead of purchasing bandwidth. Generally under a peering agreement there is no cost to either party if the traffic load between them is symmetrical. Furthermore they own their own infrastructure from the physical layer on up, so they aren't getting hosed with loop costs from the local bell. Not to mention they have money coming in from catv subscription and catv advertising. The broadband side of their business doesn't exist in a vacuum. This entire thing stinks of a false dilemma. -
Get the latest version of BIND
Get the latest version of BIND to block that Verisign junk. go here
Now all it needs is support for the Evil-Bit in TCP/IP -
BIND patch available to block site finder
The Internet Software Consortium (ICS), which makes the Berkeley Internet Name Domain (BIND) software (runs most domain name servers) has already released a patch to block "site finder":
http://www.isc.org/products/BIND/delegation-only.html
I just still can't believe Verisign thought they could get away with this. -
Re:Fix how?
The ISC has released a patch to BIND.
It is being discussed on the BIND mailing list.
Other server patches are listed here.
Verisign may be backing down.
The Eponymous Mallard
"If it quacks like a duck, it's the Eponymous Mallard." -
BIND patch
Check it out...
In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones ... This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.