Domain: isc.org
Stories and comments across the archive that link to isc.org.
Comments · 347
-
Re:the kernel? my god man
"There's a core group in charge of what goes and what stays."
Actually, in Linux it's the same (f.e. Torvalds, Cox, Tosatti).
This is true of the kernel, but the kernel is not the whole deal. One of the major problems with Linux is *that* it's every yahoo for himself -- Cox and Torvalds and a few others do the kernel, the glibc people are a different bunch, the X consortium, the ISC, Apache Foundation, plus all those assorted little libraries, you know the type, it's a kinda neat library, but you've only found 1 app that needs it ... Everyone does their own thing and contributes it to the slushpot, but nobody controls the pot.
So, where the BSD team is some 10-20 people who can all get in a room and hash out details and come out with a coherent ports system, or a standard place to put software (apache goes in /var/www? Wtf patrick?), the Linux world is far too big to do that. Hell, we can't even document stuff coherently -- everything has its own man page, readme, manual, plus linux documentation project. Compare to FreeBSD's Handbook.
This is a weakness in the Linux system of cooperation. It's also a strength. Just as no one can take control of the whole thing and fix it, also nobody can break the whole thing. Even if Linux and Cox between them decided to sabotage Linux, they couldn't, whereas one guy with cvs commit privileges on cvsup.freebsd.org could give himself a root shell on every BSD box on the planet. (Okay I exaggerate -- he'd get caught, probably, but that's only because most of the people working on BSD are good guys.)
-
Nominet, DENIC et.al. shouldn't complain
If I read this correctly, the reason why the EU local registries don't have their own root servers, and hence control over service levels is a historical issue.
Excerpting from the Internet Software Consortium's page, linked above - and please allow me to state that such a reference is anecdotal rather than given fact,
We then discussed potential candidates and found no volunteers in the AsiaPacific region, none in Africa and only one in Europe.
The "one in Europe" btw was NOT Nominet or another registrar, it was a guy working for LINX, the London INternet eXchange. There's good reason for this, as late as the early 1990s, Europe was still thinking that X.500 was the way forward, and a large amount of resources from universities, telcos and local standards agencies was devoted to "interoperability" testing of X.500 directory services. What really happened was the standards lagged the implementations so badly that vendors and implementors went ahead and did their own thing, creating, as anyone who has dealt with X.500, a nightmare for inter-vendor interoperability. That created the space in which the InterNet and DNS / BIND could flourish. FWIW, LDAP is a (not precisely, so please don't flame me, too large a subject for absolute accuracy here) derivative of X.400, itself a cut down form of X.500. Novell's eDirectory, which runs some of the largest sites (CNN.com, AOL messenger services) is itself a souped up LDAP implementation.
You can find a brief overview of X.500 and what the "authorities" in Europe were up to as late as 1990 and beyond in this history of X.500
I'm British born myself, but this all seems to me to be Euro - Whining. Particularly the UK's Nominet making an issue of this is absolutely BS. Nominet has, IMO, very sharp practises. If you "buy" a domain in the UK (domain.co.uk) via an ISP, Nominet maintains a "tag" linking your domain to the "providing" ISP, until another ISP takes it over. Domains _never_ go back into circulation when they expire. Nominet refuses, on the whole, unless you threaten or cajole them with considerable effort, to "release" your domain because it states it will not get involved in contractual disputes between you and your ISP. Most UK ISPs make contracts which lock you in to your services and charge a considerable and hefty severance fee, usually buried in the small print. You _can_ get a "Neutral Tag" applied to a UK domain, if you pay GBP £80 for two years, which fee goes back to the ISPs who are members of Nominet, which is a for profit company, limited by guarantee, a rare form of UK company which offers very lax statutory reporting. Even though you _can_ do all this, I've had several clients now who've complained to Nominet, e.g. when their ISP is TU and no longer provides service, and Nominet tells them anyway that they can only deal with an ISP who is a member of Nominet. Obviously that's BS. But you can't register a domain in the UK for .co.uk and run your own DNS and maintain it under your own authority without a *lot* of expensive hassle, and possibly an attorney. You could hire me, of course, but this kind of work sucks, so I wouldn't offer it generally.
Sorry for that rant against Nominet, but it's Crocodile Tears time again and minus several million points for the Brits, as per usual. Please follow the links above, investigate yourself . . .
-
Re:Do we?
-
NEWSFLASH (was: Re:I just read the patent...)
It also lays out a plan for non-crt use via alphanumeric display and keypad. No mention of a mouse.
NEWSFLASH: In addition to the BT courtcase against Prodigy, they also have sued Mikulas Patocka and Distributed Computing Group of the University of Kansas.
BT explained this curious move with "We can't sue Netscape or the Mozilla-group because they use the mouse to navigate with. Actually, most people don't even know why there is a huge plate with funny symbols in front of their monitor. But these two webbrowsers use the keyboard to interact with the user and that's exactly why they are a fine target for our lawyers"
-
Full list of domains
Country domains
I wonder when we'll see http://goatse.va ?
-
Microsoft bashing gone too far
If this turns into another microsoft bashing party, some people need to get a clue. This isn't Microsoft's fault, I don't see a database server as something that should have a pretty wizard or wonderful config tool. And Microsoft is not the only database server out there that has no password by default. First off the top of my head would be MySQL. Every install I have ever done of MySQL has always been followed up with the setting of the "root" password. If the administrators of internet accessible systems can't take the time to set passwords on all their services admin interfaces then they deserve what they get. If this were some backdoor that would work no matter how much care the admin took to secure the service then great. Let's get pissed at Microsoft and bitch a little. But don't forget that stuff on the other side of the fence is no better. How long has the BIND source code been available to look at? And how often in the past have there been AMAZINGLY big holes in BIND? Instead of doing nothing but bitching about the problem, let's try and come up with some solutions and get the word out on safe programming/administration practices.
-
Re:Why still running on BIND?
Uh, yeah. Right. The first of what I'm sure will be many people to recommend djbdns. I've got a long list of reasons why djbdns is inherently bad, and I'll share some of them with you:
- By default, tinydns does not hand out referrals to questions it is asked about zones it does not control. I believe that this violates the spirit of the RFCs, if not the letter.
- By default, tinydns does not support the use of TCP at all. This most definitely violates the spirit of the RFCs, as well as the letter (if a DNS query via UDP results in truncation, you're supposed to re-do the query using TCP instead).
  Indeed, if you want to support TCP under tinydns, you have to configure an optional program called "axfrdns", which was intended to handle zone transfers, but also happens to share the same database as tinydns, and can handle generic TCP queries.
- The suggested method for copying contents of DNS zones is rsync, scp, or other remote copy tools. The DNS standard method of zone transfers (query type "axfr") is only supported as an additional, disrecommended method.
  The problem is that if you make a mistake and munge the database and then rsync or rcp that to the backup servers, you're totally hosed. Contrariwise, if you use the standard zone transfer mechanism, then the zone transfer should fail if the master is munged, and the slaves should keep a good working copy for a while and give you time to notice that the master is munged and needs to be fixed.
- Without a patch from a third party, tinydns does not listen to more than one IP address. If you have a multi-homed server, you have to apply a patch from someone other than the author, before you can get it to listen on more than one address/interface.
- Without a patch from a third party, tinydns does not support the standard "NOTIFY" protocol of informing secondary nameservers that the zone has been updated, and that they need to check the SOA serial number and download a new copy (if they don't already have it).
- Without a third party patch, tinydns does not support standard SRV records (which are intended to ultimately replace MX records, as well as perform similar functions for services other than mail).
- Like tinydns, dnscache will not bind to more than one IP address without a third party patch.
- Because they are separate programs, you can't have both tinydns and dnscache listening to the same IP address(es) on the same server.
  While this is not the recommended mode of configuration, some sites don't have the luxury of having separate authoritative-only and caching/recursive-only server(s), and need to mix them both on one machine (or set of machines). With the BIND 9 "view" mechanism, this is relatively easy to do. With djbdns, this is impossible.
- There aren't even any patches that can get djbdns to implement TSIG, Dynamic DNS, or DNSSEC, nor are they ever likely to be created (my understanding is that the author is strongly opposed to them).
  Unfortunately, as time goes on and more and more people are doing things like IPv6, VPNs based on IPSec, or people just care about being able to cryptographically prove that their servers are handing out the only correct information and that the clients are able to cryptographically verify this fact (think: electronic banking), these kinds of features are going to become ever more commonplace.
  Note that, with the advent of BIND 9, you can create a caching-only server that will validate cryptographically signed records, and all clients can benefit even if they do not themselves implement any of the new DNSSEC features.
- There are a number of things that djbdns does which I believe to be outright bugs. However, the author of this package simply refuses to accept that his code could be anything less than 100% perfect, and while he claims to have a "bounty" that he will pay for any bug that is found, in reality he is the one that gets to define what he accepts as a "bug", and has repeatedly demonstrated a tendency to openly refuse to accept some purported bug, but then to quietly fix the code with future releases.
  So, let's look at some of these bugs:
  - When an IQUERY is sent to a djbdns server, it will respond with opcode set to QUERY. (it should simply copy the opcode, not make something up).
  - DNSCACHE (the caching server) does not respond to queries with the RD bit clear in the query. (Instead of simply answering from cache without recursing the dns-tree).
- One argument frequently used to support the use of djbdns over BIND is performance. Upon further investigation, this claim simply does not hold water.
  Benchmarks published by Rick Jones have clearly shown that BIND can scale up to at least 12,000 DNS queries per second, and there is every indication that BIND 9.2 will be able to go considerably higher. The best benchmarks available for tinydns indicate that it can handle at least 500 queries per second, but that is the highest number reported. Other people on the bind-users mailing list have indicated that they have performed their own (as yet unpublished) benchmarks of tinydns, and that it had notable performance problems that BIND did not suffer.
  The best published benchmarks from the author for dnscache report a query handling rate of less than one million records over a 4.5 hour period of time, which works out to an average of less than sixty-two queries per second. Even if you look at numbers of queries per CPU second, the best numbers they can provide are 13.7 million queries over a four week period of time with 128 minutes of CPU time used (an average of slightly less than 1784 queries per CPU second).
  Compare this with the requirement from RFC 2010 "Operational Criteria for Root Name Servers" (since obsoleted by RFC 2870 "Root Name Server Operational Requirements") is that the machine and software in question be able to handle at least 2000 queries per second, and be scalable to levels higher than that. Indeed, recent reports have indicated that a.root-servers.net (considered by many to be the "primary" root nameserver) is currently handling around 12,000 DNS queries per second at peak.
  Preliminary benchmarks published on the bind-users mailing list have indicated that, on the same hardware, there is little or no performance benefit to using dnscache as opposed to BIND 9.1.2, and when these tests are re-run with BIND 9.2, I'm sure that it will come out even faster.
- Unfortunately, a lot of the reasons the author gives for running djbdns instead of BIND are related to problems in older versions of BIND which have been fixed or are largely non-issues in later releases of BIND 9.
  For example, he makes a big point of tinydns being better than BIND, because while the process is starting up, it still answers queries. While previous versions of BIND would not answer queries during startup, this is no longer a problem with BIND 9.
  Dan also makes a great deal of the fact that the djbdns tools run as a user other than root, and in chroot() environments. While the "monolithic setuid root" situation was an issue with older versions of BIND, even more recent releases of BIND 8 could be easily run as a non-privileged user in a chroot() environment, and this is the preferred method of running BIND 9.
  Contrariwise, one of the legitimate big complaints about older versions of BIND is that they implemented zone transfers in a separate program. If the database was large, then the fork()/exec() overhead was large, and the system could seriously thrash itself to death as it copied all those pages (for systems without copy-on-write), only to immediately throw them away again when it fired up the named-xfer program. With BIND 9, this problem is solved by having a separate thread inside the server handling zone transfers, and no fork()/exec() is done. However, tinydns/axfrdns goes back to the fork()/exec() model that was so greatly despised.
Suffice it to say that there is absolutely nothing that djbdns does that I believe can't be done at least as well (or considerably better) with BIND, and there are no security benefits it provides that cannot be provided at least as well (or much better) by a proper installation of a modern version of BIND.
I believe in the "security through diversity" scheme as much as anyone, but I'd take root nameservers running a program written in Bourne shell over djbdns. Hell, I'd rather fall back to using HOSTS.TXT than use djbdns.
Unfortunately, the other alternative of DENTS is also unsuitable for use as a production nameserver.
Show me something that is sufficiently better than BIND (and open source), and I'm sure that everyone will quickly gravitate towards it. Until then, BIND is the best we've got.
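The header-level behaviours named in the comment above (the opcode being copied back on an IQUERY, an answer being expected when RD is clear, and the retry over TCP after a truncated UDP answer) can be checked mechanically against the RFC 1035 header layout. The following is an added example, not part of the original comment and not code from BIND or djbdns; the function names, finding labels and header-only sample messages are constructed for illustration.

```python
"""Check a DNS response header against the query that produced it
(header layout from RFC 1035, section 4.1.1)."""
import struct

# Bit layout of the 16-bit flags word that follows the message ID.
QR_BIT = 0x8000       # 0 = query, 1 = response
OPCODE_MASK = 0x7800  # 0 = QUERY, 1 = IQUERY, 2 = STATUS
TC_BIT = 0x0200       # message was truncated to fit the transport
RD_BIT = 0x0100       # recursion desired; copied from query into response
RCODE_MASK = 0x000F   # 4 = "not implemented"


def build_header(ident, qr=False, opcode=0, tc=False, rd=False, rcode=0):
    """Build a bare 12-byte DNS header (all section counts zero)."""
    flags = (opcode << 11) & OPCODE_MASK
    flags |= QR_BIT if qr else 0
    flags |= TC_BIT if tc else 0
    flags |= RD_BIT if rd else 0
    flags |= rcode & RCODE_MASK
    return struct.pack("!6H", ident, flags, 0, 0, 0, 0)


def parse_header(msg):
    """Decode the fixed header of a DNS message into a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags = struct.unpack("!2H", msg[:4])
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "opcode": (flags & OPCODE_MASK) >> 11,
        "tc": bool(flags & TC_BIT),
        "rd": bool(flags & RD_BIT),
        "rcode": flags & RCODE_MASK,
    }


def check_response(query, response, transport="udp"):
    """Return a list of findings; an empty list means the header is consistent.

    `response` is None when the server never answered (timeout).
    """
    if response is None:
        return ["no-response"]
    q = parse_header(query)
    try:
        r = parse_header(response)
    except ValueError:
        return ["malformed-header"]

    findings = []
    if not r["qr"]:
        findings.append("not-a-response")
    if r["id"] != q["id"]:
        findings.append("id-mismatch")
    if r["opcode"] != q["opcode"]:
        # The case from the comment: IQUERY answered as if it were QUERY.
        findings.append("opcode-not-echoed")
    if r["rd"] != q["rd"]:
        findings.append("rd-not-echoed")
    if r["tc"] and transport == "udp":
        # Truncated over UDP: the client is expected to repeat the query over TCP.
        findings.append("retry-over-tcp")
    return findings


# Constructed sample messages (headers only, not captured traffic).
IQUERY_Q = build_header(0x1A2B, opcode=1)
IQUERY_R_REWRITTEN = build_header(0x1A2B, qr=True, opcode=0, rcode=4)
IQUERY_R_ECHOED = build_header(0x1A2B, qr=True, opcode=1, rcode=4)
BIG_Q = build_header(0x3C4D, rd=True)
BIG_R_TRUNCATED = build_header(0x3C4D, qr=True, tc=True, rd=True)
NO_RD_Q = build_header(0x5E6F, rd=False)

if __name__ == "__main__":
    cases = [
        ("IQUERY answered with opcode QUERY", IQUERY_Q, IQUERY_R_REWRITTEN, "udp"),
        ("IQUERY answered with opcode echoed", IQUERY_Q, IQUERY_R_ECHOED, "udp"),
        ("large answer over UDP", BIG_Q, BIG_R_TRUNCATED, "udp"),
        ("RD-clear query, server silent", NO_RD_Q, None, "udp"),
    ]
    for label, q, r, transport in cases:
        print(f"{label}: {check_response(q, r, transport) or 'ok'}")
```
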
-
Re:News flash!
I could say the same to you... Research...
Remember the hole in BIND from the beginning of this year? Big as a truck? If I recall correctly it was a TSIG related buffer overflow that made it possible to run code at the same privilege as BIND (often root)...
A system with that problem was remotely available.
Go check http://www.isc.org/products/BIND/bind-security.html and, as always, Securityfocus is a great resource to use when investigating security flaws.
You are (thus far) right about BIND 9 though.
-
Re:Who would start the change?
Bind has supported IPv6 records since version 4.9.4 (which is pretty damn old). DNS isn't the problem with IPv6. It's really getting the ISPs and backbone providers to bother implementing IPv6.
-
A few things I do...
Down here in Australia, nearly everyone is stuck on 56k. ADSL costs A$95 a month for 256kb/64kb with a 3GB a month cap. Ouch. Even worse, cable is only available in two cities in the entire country.
Firstly, I set up a junkbuster proxy on my box. Getting rid of all those stupid banners really does help, especially when I'm reading sites like *shudder* CNet or *shudder**shudder* ZDNet, with their huge middle of the page Flash modem-killers. This feeds into a Squid caching proxy; it really does seem to help a fair bit. Thirdly, I run a BIND caching DNS server. Of course, there are plenty of other DNS servers around, but BIND is the one I saw first, so that's what I'm using.
Overall, with a bit of fiddling, it makes being stuck on a 56k suck slightly less.
-
Religion :)
You should go to the church and properly thank god for the invention of DHCP.
Then of course you should also thank those guys who implemented DHCP.
-
djbdns is NOT free software
djb fixed all the BIND security flaws long ago. It is called djbdns.
According to http://cr.yp.to/distributors.html, the djbdns license does NOT allow modification of the source code (even when the product is released under a different name) and therefore breaks freedom 1. Besides, BIND 9, despite the name, is not based on the BIND codebase at all; it's a complete rewrite and shouldn't have the same security holes.
-
In the jungle, the mighty jungle...
Looks like another reason to use djbdns, which has a $500 security guarantee and is supposedly a lot more efficient than BIND.
For RedHat users, here's how to apply the fixes:
Download the appropriate RPMs to fix BIND.
At a shell, as root, type rpm -Ui package -- package of course being the name of the RPM.
-
Practical advice from someone who's doing it
I am currently working on a US government web site. (OK, it's a state web site, but they are holding us to the federal rules because they know they're next...) Here's some practical advice:
- Read the W3 Accessibility Initiative to get an idea of the concepts of making the web accessible. Contrary to popular opinion, the web is for everyone.
- Use Bobby, a free automated tool written in Java that can check your entire site for accessibility problems. It categorizes problems based on priority level, checks pretty much everything listed in the WAI, and tells you what you still have to check manually that it can't check automatically.
- Read the W3 Techniques for Web Accessibility to get an idea of how to implement the changes. Contrary to popular opinion, HTML 4 has many features specifically for blind/deaf/disabled users.
- Test your site yourself. Use Lynx to see what your site looks like to the blind. Do all your images have meaningful ALT tags or LONGDESC tags? Do your tables have SUMMARY tags? Is your navigation usable without Javascript or Flash?
- Set your text size to maximum to see what your site looks like to visually impaired users. You are using relative sizes for your fonts and percentages for your table widths, aren't you?
- Turn off your speakers to see what your site looks like to the deaf. If you have audio feeds, do you also have transcripts? If you have video feeds, are they closed-captioned?
It's not rocket science once you know what you're doing. Personal anecdote: I applied the same principles to my own web site, even though I didn't have to and my friends told me I was wasting my time because "nobody uses Lynx anymore." In the first week, I got 10 Lynx visitors.
-M
You're smart; what haven't you learned Python yet? http://diveintopython.org/
-
Hmmm. WTF are you on about?
I don't think .NET has been released yet, though. As for the "open source hype", well, I am using open source technology exclusively on our systems at work and it has been an extremely successful venture. To give you some idea, we have up to 5,000 mail accounts running on exim, 3,000 shell accounts, run an industrial strength DNS system, industrial strength, internally developed network management systems running on Zope/Python, and a staunch news server all running off an 8-node MOSIX cluster.
-
One Great Programmer
Among the best code examples in open source are those written by or led by a single insightful programmer. Two that come to mind immediately: Perl (Every source file has an orthogonal but relevant epigram), and InterNetNews
-
Re:It's really going to be a matter of...
On the other hand, f.root-servers.net is two Compaq AlphaServers, each with four 500mhz processors and 8gb RAM.
-
The Right Filtering Solution
If you want to make sure kids aren't seeing dirty pictures, make them use lynx. Ditch the GUI entirely. People may whine that now the web is hard to use, but this is, after all, just an extreme version of what filters are already doing. Removing content from the web.
-
Re:Don't do it!
Here's my next installment in a response to this comment...
Ever since domain space became valuable, there are so many special interests circling it that it's not funny anymore. It's pretty ugly, actually. Consensus building has been pretty impossible because people with dollar signs flashing in their eyes shout louder, and the people who are just plain kooks shout the loudest. That's hurt a lot of the development of DNS in the last few years. The one weapon we've always had against this is caution, and a recognised authority.
Can you explain this for me? How has commercial interest in domain names hurt development of DNS? bind is a recognized de facto standard for running DNS practically. Those developing it (ISC) could do what they like practically and we'll all follow their lead. And if you're talking about the root server structure, sorry - I don't agree there either. Read DNS and BIND, set up some root servers of your own, and you'll see what I mean. It's not rocket science to systems administrators.
1. ISPs will start advertising which of the conflicting roots they prefer: "We serve ICANN names!" "We follow AlterNIC!" etc. etc.
While this may be true for the standard alternative it isn't for this one. And besides, we've gone through this anyway at a different level - Operating Systems like Windows. "This application supports Win95 only" You upgrade and move on. Are we supposed to hinder progress just so those who want to live in the past can get what they want?
2. Users won't understand a word of this
Maybe not all, but I think that you are discounting what the average user knows nowadays. Besides, things will evolve to allow users to get where they want regardless of which alternative they choose - again, I point out this solution which allows access to both even when both exist in separate root structures.
(Cont'd in next message from me)
Chris
-
V3
DHCP version 3 from ISC takes care of this. I've been using it for 9 or 10 months without a single problem.
-
Some interesting links
The following links are some that I've come across. They are rather interesting at times:
A how-to for stealing someone's domain name, which was addressed in the article. Furthermore, the specs for these protocols and implementations can be found here and here. There was also a critical interview calling for the implementation of these more secure systems in order to prevent the holes in the current system.
-
Re:Of course bind is buggy!
After all these years, BIND still hasn't fulfilled the vision of open-source, first spoken by Eric Stallman Raymond, and later realized by Linux Torvalds.
Definition of Open Source given in ESR's Jargon File.
Finally, the contents of the LICENSE file in the current BIND distribution:
## Copyright (c) 1993-2000 by Internet Software Consortium, Inc.
##
## Permission to use, copy, modify, and distribute this software for any
## purpose with or without fee is hereby granted, provided that the above
## copyright notice and this permission notice appear in all copies.
##
## THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
## ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
## CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
## SOFTWARE.
I didn't bother to C&P their address, which I'm sure is somewhere on their webpage.
How do the definition and the current BIND license (which I think we can expect to carry over to BIND9) not jibe? In fact, it's not just Open Source, it's Free Software as defined by RMS.
-
Bind 9.0 web page is posted, but not linked
The official Bind 9 page is written, just not linked, yet.
-
Re:Release notes?
Found 'em - ISC has the release notes up now. They also have the BIND 9 Administrator's Reference available as a pdf; though it looks like the same docs come with the distribution in html & man format.
-
Good news for large domains.
This is good news for large domains as it adds some great features for servers servicing many requests. Bind 9 is now;
- Thread safe so it can run on multi-processor machines
- Plugs into several back end databases so it will be easier to support large domains
- Support for IPv6. The future is nearly here!
- Several protocol enhancements like IXFR, DDNS, Notify, EDNS(0,1) and improved standards conformance.
- A host of other features, see this for more.
-
Re:About time :)
According to the ISC Bind plans "Support for alternative back end database" is part of Bind 9. I hope that means I can add a MySQL database backend, and cgi the whole thing.
-
Release notes?
I was able to find ISC's plans for BIND 9, but not any release notes - anyone made them available online yet?
-
Original ideas there are many
What have this gang of people done that isn't a "workalike"
The Internet
Internet Explorer. IE started life as Mosaic, one of the original browsers. Like all of the original browsers, Mosaic was open source. Microsoft bought the browser idea from its Open Source inventors.
Apache. This is the direct descendant of the original web server (it too was open source), and it dominates the web. Microsoft has tried to copy Apache's functions, but has had a tough time keeping up with Apache's pace of innovation.
sendmail. Essentially all of the email that goes across the internet does so thanks to sendmail. The original (open source) developers now also run a company, but the original accomplishments all happened open-source.
BIND The Internet works on IP addresses (eg. 135.23.43.121). Any time you type a URL (letters) into your browser, you are using BIND. This was invented open source (the B is for Berkeley).
TCP/IP These are the two protocols (among others) that make the internet possible. In a sense, they define what is "internet." Developed and implemented open source
Eric Raymond addresses "creativity" issues in his essays.
-
Busiest Server
F.root-servers.net claims to be the busiest with 260 million queries/day running on twin ES40 COMPAQ alpha servers.
Sounds like a whole lotta 'dot' to me.
-
Re:What is wrong with Slashdot??????
I couldn't get through when using www.slashdot.org, but when I tried slashdot.org it worked. There seems to be a lot of name server dropouts on the net lately. You guys need to keep your name servers code up to date. The Bind that comes with RedHat 6.1 on the CD has a known root exploit that is actively being exploited. You need to upgrade to BIND 8.2.2 patchlevel 5.
-
Re:Problems with NSI?
Hunnr,
Have you been to The Internet Software Consortium?
This could be a proxy issue, but, it is a cumbersome system, I will admit. I recently moved my main domain server, reconfigured my DNS on several, installed new backup, and, had to post at least 15 DNS Agreement changes to Internic before it finally fell into place.
3 weeks later, things are finally falling into place, but, it is clearly an untransparent process, and, DNS errors can be tragic.
For more details on this process, I'll be glad to lend my experiences.
Regards,
Van
=========================================================================
Linux rocks!!! www.dedserius.com
=========================================================================
-
Re:Encouraging
You know, all this game stuff is nice and good. But all I want is to get DHCP to fucking work. Is that too much to ask? Can't get it to work with cable modems, can't get it to work with my stupid dorm room, this sucks.
I really hope someone reads this and's like "yeah, i had the same problem, here's what to do".
But it won't happen. Goddamnit, I'm so pissed off about this. Search on the internet, all I get is people saying "yeah, you need to add the -h for hostnames, that'll work". Well it doesn't. And also, I can't put the network info (ip, gateway, etc.) in manually and get it to work either.
Does anyone think it could be a problem with my ethernet card??? After more than 6 months of this, I've exhausted a lot of options. The dhcp server is isc.
When I boot freeBSD, it sends out DHCPDISCOVER messages, gets a reply, but sends a DHCPREQUEST right back out to the broadcast address, and not the dhcp server's address.
DHCP works fine on windows 98.
What am I doing wrong, I'm really desperate. I'm also sorry for posting this offtopic stuff to slashdot, but someone has to have come across something like this. -
Paul Vixie and the ISC!
Paul Vixie: the author of BIND and the founder of the Internet Software Consortium.
Not only BIND, he's also done a much improved version of cron which made it into many UNIX distributions (the so-called "Vixie-cron", type man cron | grep -i vixie to see if it's installed on your system).
But I want to extend this to the whole crew of the ISC:
They're not only producing and maintaining
- BIND,
- INN and
- DHCP for UNIX,
- NetBSD,
- Sendmail and
- XFree86.
Oh, and they run one of the root name servers.
And they do a lot of other things for us (Some mirrors, archives, surveys...)
Thank you, ISC!
-
Re:How about a DHCP client...
As far as I know, there are three major dhcp clients for linux: pump, dhcpcd and dhclient (those two names are not very imaginative and often confused, as stated in dhclient documentation).
I was never able to obtain ANY information from my cable modem with pump or dhcpcd. I've tried tweaking the configuration files and the command-line without success.
Then I found dhclient. It worked instantly like a charm! No configuration file needed, no command-line: I've just started it from the command-line and it worked. I'd recommend it to anybody.
AFAIK, most (but not all) distributions come with pump or dhcpcd. I suspect this is an obscure licensing problem (dhclient is free and open-source, but not GNU, I think).
You can get dhclient from http://www.isc.org/products/DHCP/dhcp-v2.html. It should fix your problems instantly!
Stéphane -
Re: Who will take over BIND?
Actually, just because Paul is stepping down as head maintainer and the lead architect, doesn't mean that ISC is stepping down. The Internet Software Consortium was founded by Vixie, but is much bigger than just him.
Also, there are no more expected releases of BIND 8.x, with the exception (obviously) of fixes. The development of BIND 9 has not included a single line of Vixie's code - and it is written COMPLETELY from SCRATCH - no legacy BIND 8.x code in it. He has spent his time recently finishing up with BIND 8.2.2, and is leaving BIND 9 to a new team.
Paul was quoted as saying: "It's a thing of beauty. I have not got a single line of code in BIND 9 - and I hope that's not the reason that it's a thing of beauty." :) He went on to explain that it was because he was able to maintain the 8.x code by himself, since he knew it so well. It would have taken a couple of people to do it otherwise, and it was a matter of priority - so he did that, and let the others focus on BIND 9.
- strabo -
Re:Elaboration
Ever hear of DNSSEC?
RFC 2065
It is supported as of BIND 8.2:
BIND 8.2 highlights -
Re:Wrong way
fwiw, bind 4.9.7, although officially deprecated, was ported to NT in may of 1998. the isp i used to work for used it as their primary dns. it's available from the ISC ftp site here.
--Siva
Keyboard not found. -
Re:Why zone transfers need to be secured?
Zone transfers aren't secured in this respect. Data within a zone is cryptographically signed, so that you can be sure that it really is valid, and someone hasn't been able to spoof you, etc....
This way you can also be sure that when you ask for "fred.yourzone.org" and the answer is that the next valid label is "george.yourzone.org" that not only does "fred.yourzone.org" not exist, but that there are no other labels that exist between that and "george.yourzone.org", so "frederic.yourzone.org" doesn't exist (and you don't need to ask about it), nor does "fredbert.yourzone.org" (and you don't need to ask about it either), etc....
The zone transfers are secured in the same way they always have been -- by the authoritative nameservers restricting what IP addresses it will respond successfully to AXFR (or IXFR) queries.
Follow the links from http://www.isc.org/view.cgi?/products/BIND/docs/config/trusted-keys.phtml to learn more about DNSSEC and how it works. -
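The denial-of-existence reasoning in the comment above (fred, frederic and fredbert all ruled out by one signed span ending at george), as an added example that is not part of the original comment or ISC's code. The zone contents are constructed, the function names are hypothetical, and the ordering rule is the canonical name order of RFC 4034 section 6.1, assumed here in place of the RFC 2065 wording; signature checking, wildcards and delegations are left out.

```python
# Added illustration: which signed "next name" span proves a name is absent.
ZONE = ["yourzone.org", "ed.yourzone.org",
        "george.yourzone.org", "www.yourzone.org"]   # constructed sample zone


def canonical_key(name):
    """Sort key for canonical DNS ordering: labels compared right to left,
    each as a lowercased byte string (assumed rule: RFC 4034 section 6.1)."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_chain(names):
    """Return (owner, next_name) pairs in the order a signed zone publishes
    them; the last name wraps around to the first (the zone apex)."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def span_covers(owner, next_name, qname):
    """True if the span owner -> next_name leaves no room for qname."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:            # ordinary span between two existing names
        return o < q < n
    return q > o         # wrap-around span: last name back to the apex


def prove_absent(chain, qname):
    """Return the span that denies qname, or None if qname exists."""
    apex = chain[0][0]
    q = qname.rstrip(".").lower()
    if q != apex and not q.endswith("." + apex):
        raise ValueError("qname is not in this zone")
    for owner, next_name in chain:
        if canonical_key(owner) == canonical_key(q):
            return None  # the name exists, so there is nothing to deny
        if span_covers(owner, next_name, q):
            return (owner, next_name)
    raise ValueError("chain is incomplete")
```

A validating resolver that has cached the span ed -> george can answer for every name inside it without asking again, which is the point the comment makes about frederic and fredbert.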
Interesting statistics...
can be attained with this link. I urge you to wander around the site too for more stuff on the Domain Survey.
It was a pastime of mine back in 92 and 93 to download the *entire* host list from these people. It was 20 mb or so at that time!
Now there's *at least* 56 million hosts around. That would be like, huge.
Let the good times roll? Bah.
The Internet was a good idea, but commercialism ruined it. -
Re:DDNS vs. Static DNS
"Sure "it can be done in Linux". But it is not available as a standard feature in Linux, you have to search the web to find a script and hack it into your system". Please research before you make comments like these. If you go to ISC's home page you will find that their DHCP daemon has the feature to update the standard BIND 8.x daemon with dynamic addresses. It is not an obscure script that is hard to find on the net; nor is it difficult to implement (hack it into your system). If you weren't familiar enough with BIND you shouldn't have made your "authoritative" comment in the first place.
-
dhcp - dns
from: ISC homepage
DHCP Distribution: Version 3.0
Current Version: 3.0b1pl0
Version 3 of the ISC DHCP Distribution adds conditional behaviour, address pools with access control, and client classing. An interim implementation of dynamic DNS updates for the server only is included, but is not supported. The README file contains information about how to enable this - it is not compiled into the DHCP server by default.
Features in upcoming releases, starting with 3.1, will include the final asynchronous Dynamic DNS Support, DHCPv4 16-bit option codes, asynchronous DNS query resolution, DHCP Authentication, and support for a DHCP Interserver Protocol and live querying and update of the DHCP database.
I don't see why they say it doesn't exist on UNIX. There are also perl scripts that do the job.
-
ISC
The ISC is the International Softswitch Consortium. Check them out at www.isc.org.
-
Re:What will remain anarchic?
BIND and INN are developed by the Internet Software Consortium.
Very few large projects are being "mostly developed for free by mostly unpaid people". In many cases (and a happily increasing number), someone is paying them to work on the projects.