Domain: maradns.org
Stories and comments across the archive that link to maradns.org.
-
Re:IDEA for DNS Survivability
Looks like a lot of idiots haven't read past your first paragraph. What you are requesting is, when a record expires, for the DNS server to mark the record as "expired" instead of deleting it then and there.
Then, if the DNS server is unable to get a reply from any of the DNS servers in the active cache, it looks for an expired version of the same record, giving that to the end user. Since expired records are not accessed that often, they will usually get cleaned out when our list of allocated records fill up and we throw away records which have not been recently accessed.
OK, this would take a week for me to do for MaraDNS. I have actually been thinking of something myself; you are lucky that you caught me at one of the rare periods when I am actually adding features to MaraDNS.
BTW, MaraDNS can already set the maximum number of records in the cache, and the minimum TTL for records. But, as the idiots replying to you pointed out, setting a minimum TTL of one year is probably not a good idea. A minimum TTL of one day, however, may actually make sense.
- Sam
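The "mark expired, don't delete" behaviour described in this post, as an added example that is not MaraDNS code: a small fixed-size cache where a record past its TTL is kept as stale, handed out only when no upstream server answers, and otherwise evicted by least-recent access once the slots fill up. The struct and function names, the slot count and the `min_ttl` floor are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 4        /* stands in for a "maximum records in cache" setting */
#define NAME_MAX_LEN 64

struct rec {
    char   name[NAME_MAX_LEN];
    char   addr[16];         /* dotted IPv4 is enough for this model */
    time_t expires;          /* absolute expiry; past this the record is stale, not gone */
    time_t last_used;        /* drives least-recently-accessed eviction */
    bool   used;
};

struct cache {
    struct rec slot[CACHE_SLOTS];
    int min_ttl;             /* floor applied to every TTL that gets cached */
};

static int cache_find(const struct cache *c, const char *name) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (c->slot[i].used && strcmp(c->slot[i].name, name) == 0) return i;
    return -1;
}

/* A free slot if there is one, otherwise the least recently accessed slot.
   Stale records are rarely touched, so they are normally the first to go. */
static int cache_victim(const struct cache *c) {
    int v = 0;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!c->slot[i].used) return i;
        if (c->slot[i].last_used < c->slot[v].last_used) v = i;
    }
    return v;
}

void cache_put(struct cache *c, const char *name, const char *addr, int ttl, time_t now) {
    if (ttl < c->min_ttl) ttl = c->min_ttl;
    int i = cache_find(c, name);
    if (i < 0) i = cache_victim(c);
    struct rec *r = &c->slot[i];
    snprintf(r->name, sizeof r->name, "%s", name);
    snprintf(r->addr, sizeof r->addr, "%s", addr);
    r->expires = now + ttl;
    r->last_used = now;
    r->used = true;
}

enum lookup { LOOKUP_FRESH, LOOKUP_STALE, LOOKUP_MISS };

/* upstream_ok models "at least one authoritative server replied". On a MISS
   the caller is expected to ask upstream and cache_put() whatever it gets. */
enum lookup cache_lookup(struct cache *c, const char *name, time_t now,
                         bool upstream_ok, char *out, size_t outlen) {
    int i = cache_find(c, name);
    if (i < 0) return LOOKUP_MISS;
    struct rec *r = &c->slot[i];
    if (now < r->expires) {                 /* ordinary hit */
        r->last_used = now;
        snprintf(out, outlen, "%s", r->addr);
        return LOOKUP_FRESH;
    }
    if (upstream_ok) return LOOKUP_MISS;    /* expired but upstream reachable: refetch */
    r->last_used = now;                     /* expired and upstream down: serve stale */
    snprintf(out, outlen, "%s", r->addr);
    return LOOKUP_STALE;
}

int main(void) {
    struct cache c; memset(&c, 0, sizeof c);
    char buf[16];
    cache_put(&c, "example.test", "192.0.2.1", 60, 1000);   /* constructed sample */
    enum lookup l = cache_lookup(&c, "example.test", 1100, false, buf, sizeof buf);
    printf("%s -> %s (%s)\n", "example.test", buf, l == LOOKUP_STALE ? "stale" : "fresh");
    return 0;
}
```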
-
Re:Why we need to abandon DNS
If you've never written to the protocol, how do you know it's bad?
I have single-handedly written a working recursive DNS server without getting paid for my work. There is a reason why there are only three of us in the entire world; DNS is that bad. Actually, it is a good deal worse than you can imagine.
Let me put it this way. Writing a DNS client (or a non-recursive DNS server) is sort of like Highlander I. Entertaining, really. You think to yourself "Hey! That was easy! A recursive server can't be too bad!"
Well, writing a working recursive DNS server is like watching Highlander II. Suddenly, just as Highlander II changes your outlook on the entire Highlander franchise, writing a recursive DNS server changes your outlook on the entire DNS protocol.
But, hey, don't take my word for it. Dan, one of the other three of us, feels the same way. Thomas, the last of us, has made no statements either for or against DNS. If we were to review recursive DNS the same way Rotten Tomatoes reviews movies, DNS would get a 0%; possibly a 33% if Thomas secretly loves DNS and hasn't told anyone. By any standard, that makes for a bomb that should have tanked at the box office.
Alas, it didn't. And so we are stuck with a horrible mess of a protocol today.
- Sam
-
Re:Why we need to abandon DNS
As an implementor of a DNS server, I completely agree with you. In fact, I have had some thoughts of doing something similar myself; I would love to have a DNS-like protocol which requires some kind of secure authentication, has a handshake which determines the version of the protocol that the server is running, has full unicode support, uses IPs instead of names for ns, mx, and other indirection, and does not have CNAME records.
The question is: Who is going to develop such a protocol? I have heard a lot of mumbling for a DNS replacement; I have seen little actual action done to make such a replacement. If such a protocol gets developed, I most assuredly will be one of the first to implement.
What real solutions do people have to the fragile root servers issue (these days, the fragile .com servers issue)?
- Sam
-
A recent flame war Craig got into
If anyone has been paying attention to the Debian Linux ISP mailing list, people may recall that Craig recently got into a nasty flame war with Dan Bernstein about the importance of a DNS server supporting the legacy BIND zone file format.
To make a long story short (and the flame war got ugly), Craig feels that a DNS server needs to support the legacy BIND zone file format. Dan, obviously, does not; he feels that it only matters that one can transfer the zone file over to the new format (losing all comments in the zone file in the process).
Now, I will side with Dan here. Keep in mind that my viewpoint is rather biased, being the person responsible for the MaraDNS server, a server which Craig uses but feels is "poorly written code". Now, the only specific that Craig went into when pointing out that he did not like my DNS server is the fact that, like Dan's TinyDNS, MaraDNS has no support for BIND's zone file format.
Now, with all due respect for Dan, I think he should not knock a gift horse in the mouth. The fact of the matter is that the code for MaraDNS is open; if support for BIND-style zone files is important to Craig, I suggest that he start coding it himself. I will gladly accept code which can read BIND-style zone files and make it part of MaraDNS.
I am not saying that BIND style zone file support is unimportant. However, I think Craig should be a little more courteous in requesting this feature than badmouthing MaraDNS on the Debian ISP mailing list.
I am sure he is an excellent system administrator; I really wish that he would start up a serious open-source project so that he understands how we OSS coders feel. I think it would make him interact with us in a more mature fashion; and save both him and the developers he flames some grief.
- Sam
P.S. I know Craig already knows this, but there is a non-BIND DNS server which supports BIND style zone files called NSI. It is on the list of DNS servers on my web page.
-
I'm coding myself
I'm coding myself here. I am finally working on the development branch of my current open source project again after a two-month hiatus (school and finals, grrrr). It feels good to finally fix a long-standing issue.
I'm with family, but they are pretty low-key so plenty of time to code away.
- Sam
-
Yay for binary modules
The only reason I am able to post this article right now is because Linux supports binary-only modules. Namely, there is no interest in the free software community to develop a driver for the various Winmodems out there. I have a laptop with a built-in Winmodem. The only way I am able to use this modem is to use a binary module.
On the downside, the module (for the Lucent winmodems) was originally released for the 2.2.x kernel. It was never updated by Lucent, but some people on the net figured out how to change the headers so it works with the 2.4.x kernels.
If it becomes impossible to use this module with 2.6, and it looks like the changes to the module interface are large enough to make the module completely incompatible, I have a few choices:
- Stick with an older Linux distro which uses a 2.4.x kernel.
- Wipe Linux and use Windows. [1]
- Spend over $100 for an external modem (I'm a college student, so no).
- Drop out of school for the next semester, and abandon my current open-source project so I have the time to develop an open-source driver for win modems. I want to graduate ASAP, so alas no.
Then again, Lucent may force people to use older drivers for newer versions of Windows, like XP. Then again, Windows 98 is still supported (name one Linux distribution which came out in 1998 which is still officially supported), and it should be possible to use a Win98 driver with XP.
-
Re:a little short??
-
Buffer overflows
One of the most common security bugs is a buffer overflow. BUGTRAQ often sounds like a broken record which says "buffer overflow"; obviously coding practices which prevent buffer overflows are desirable.
For my application, I have made a special string library which is resistant to buffer overflows. Instead of a string being a simple pointer to a string of characters, terminated by a null, a string is a structure with the following information:
- The current length of the string
- The maximum possible length for the string
- The encoding of the string
- The length, in octets, of a single piece of data in the string
Some other practices:
- Only give static strings to anything which accepts format (%s, etc.) strings.
- Do not use signal handlers; or use them with the utmost care.
- Do not use the system() call.
- Sam
-
Shameless plug time
I am the implementer of a DNS server called MaraDNS. This server was written in response to the demand for a fully functional DNS server which has an open source compatible license (which tinydns doesn't). The webpage for MaraDNS is here. The 1.0.x branch has stabilized; I am currently working on the 1.2 branch of MaraDNS.
Another option, if one does not need recursive caching is posadis. There is also pdnsd, which only provides recursive DNS service.
Security history of various DNS servers:
- Bind 4 and 8: multiple remote root shells
- Bind 9: Denial of service vulnerabilities found
- MaraDNS: Denial of service vulnerabilities found
- Posadis: remote shell
- pdnsd: remote shell
-
maradns
This is why I run MaraDNS.
-
Re:BIND
Maybe I just haven't bothered to look hard enough,
Like maybe an actual search?
but I didn't know there were any other Open Source name servers out there.
You mean, like these?
djbdns doesn't count and we both already know that
Ah, I see. It's not "Open Source" software because it isn't published under an "Open Source" license, right? (sigh) Dan Bernstein is a total security freak. He doesn't trust ANYBODY. He especially doesn't trust anybody to distribute modified, binary versions of his software, ruining his reputation when one of their "enhancements" results in a security hole. This already happened once when a Qmail add-on was discovered to have a security problem, and thereby tarnished Qmail's otherwise perfect security record.
So he ONLY authorizes distribution of his ORIGINAL source code. No modifications allowed, except as diffs to the originals. And if you apply those diffs and something breaks, don't blame him; blame the author of the diff.
You might disagree with Dan; he's a hard-nosed, inflexible so-and-so. But he's got style, and his programs are a beautiful model of efficiency.
The Open Source community could use a few more people like Dan.
and we both already know that so don't bother with beating that dead horse.
Such Style! Such Wit! Such Argument! Such Rhetoric! Such Unquestionable Authority!
Such a sterling example of my sigfile:
-
Re:Where's my...Unix?
One of the less common ones, so you may not find as many things compiling out of the box
My experience porting my application to various unices is that porting from Linux to Mac OS X is a no-brainer; the toolchain to build programs on both unices is the GNU toolchain, and is almost identical.
The only Unix I have had a hard time porting to is Solaris; then again, I have not tried porting my application to other proprietary unices like HPUX, Ultrix/OSF-1/whatever they call it these days, AIX, etc.
- Sam
-
Re:And...
The reason my DNS server does not have this is because this is best done at the networking level; in other words, setting up a firewall to not allow connections to the DNS server.
What my DNS server does is mandate an ACL (list of IPs allowed to make recursive queries; this can be set to "all hosts on the internet" if desired) if recursion (talking to other DNS servers) is enabled. Recursion takes a lot more work to do than authoritative requests; it is best to limit access to this.
Unlike Dan, I feel that a DNS server should be both recursive and authoritative because it allows one to customize the resolution of certain hostnames. The idea is similar to /etc/hosts, but also works with applications which ignore /etc/hosts and directly perform DNS queries. For example, I was able to continue to connect to macslash.com when a squatter bought the domain and changed its official ip; I simply set up a zone for macslash.com, and made MaraDNS both recursive and authoritative.
SMTP servers have IP restrictions at the application layer because this gives people some idea why they can't send email to a given host. A firewall restriction gives a vague "connection timed out" message in the bounce email message; application-level filtering allows the bounce message to say something like "You're from a known Spam-friendly ISP; go away".
- Sam
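The policy described in this post, as an added example rather than MaraDNS's own code: an IPv4 ACL of networks allowed to use recursion, applied only when recursion is enabled, while names in a locally configured zone are answered authoritatively for any client. The ACL representation, the `decide()` helper and the "0.0.0.0/0 means all hosts" convention are this example's assumptions.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACL 8

struct acl_entry { uint32_t net; uint32_t mask; };   /* both in network byte order */
struct acl { struct acl_entry e[MAX_ACL]; int n; };

/* Add "a.b.c.d" or "a.b.c.d/len"; "0.0.0.0/0" stands for "all hosts on the internet".
   Returns false (and adds nothing) on malformed input or a full list. */
bool acl_add(struct acl *a, const char *cidr) {
    char ip[INET_ADDRSTRLEN];
    int plen = 32;
    const char *slash = strchr(cidr, '/');
    size_t iplen = slash ? (size_t)(slash - cidr) : strlen(cidr);
    if (iplen >= sizeof ip || a->n >= MAX_ACL) return false;
    memcpy(ip, cidr, iplen);
    ip[iplen] = '\0';
    if (slash && (sscanf(slash + 1, "%d", &plen) != 1 || plen < 0 || plen > 32)) return false;
    struct in_addr in;
    if (inet_pton(AF_INET, ip, &in) != 1) return false;
    uint32_t mask = plen == 0 ? 0 : htonl(0xffffffffu << (32 - plen));  /* avoid a 32-bit shift */
    a->e[a->n].net  = in.s_addr & mask;
    a->e[a->n].mask = mask;
    a->n++;
    return true;
}

/* True if the client address falls inside any listed network. Unparseable
   addresses are treated as not permitted. */
bool acl_permits(const struct acl *a, const char *client) {
    struct in_addr in;
    if (inet_pton(AF_INET, client, &in) != 1) return false;
    for (int i = 0; i < a->n; i++)
        if ((in.s_addr & a->e[i].mask) == a->e[i].net) return true;
    return false;
}

enum decision { ANSWER_AUTHORITATIVE, ANSWER_RECURSIVE, REFUSE };

/* Names in a local zone are answered for anyone; everything else needs
   recursion to be enabled and the client to be on the recursion ACL. */
enum decision decide(const struct acl *recursion_acl, bool recursion_enabled,
                     bool name_in_local_zone, const char *client) {
    if (name_in_local_zone) return ANSWER_AUTHORITATIVE;
    if (!recursion_enabled) return REFUSE;
    return acl_permits(recursion_acl, client) ? ANSWER_RECURSIVE : REFUSE;
}

int main(void) {
    struct acl a; memset(&a, 0, sizeof a);
    acl_add(&a, "10.0.0.0/8");                        /* constructed sample ACL */
    printf("10.1.2.3 recursion: %s\n",
           decide(&a, true, false, "10.1.2.3") == ANSWER_RECURSIVE ? "allowed" : "refused");
    printf("198.51.100.9 recursion: %s\n",
           decide(&a, true, false, "198.51.100.9") == ANSWER_RECURSIVE ? "allowed" : "refused");
    return 0;
}
```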
-
Thoughts from a DNS implementor
I did notice that DNS resolutions were taking a little longer than usual and that there were slightly more resolving issues than normal; I also noticed that 198.41.0.4 (a.root-servers.net) was not replying to DNS queries. The OSRC root name servers (which I normally use) were perfectly functional, however.
I only noticed it because I use my own DNS server to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).
The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level-domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour can not even be felt by the average end user.
In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.
- Sam
-
Rijndael variant which should foil this attack
The reason why the kinds of attacks which convert Rijndael into a complex system of equations look risky for Rijndael is because Rijndael has an S-box which is very easy to describe algebraically. The solution is to replace Rijndael's S-box with another S-box.
In fact, the Rijndael designers were considering changing Rijndael's S-box during the AES process. NIST, however, for not entirely known reasons, did not allow the Rijndael designers to do this.
Now, as it turns out, the Rijndael designers have designed some other ciphers after Rijndael. These ciphers have different S-Boxes. In fact, the Rijndael designers revised ("tweaked" as they call it) each cipher to have a representation which is easy to implement in hardware; most of the die space used when implementing Rijndael on an ASIC is implementing the S-box.
The ciphers in question are Whirlpool and Anubis (Anubis uses an involutional S-box which might possibly make it weaker). In fact, my software project does not use Rijndael proper as a pseudo-random-number-generator; it uses a Rijndael variant with the "tweaked" Whirlpool S-box.
- Sam
P.S. I should also mention Khazad, named after the bridge Gandalf fights balrog at, which uses Anubis' S-box.
-
They have a point
I think the point ICANN is making here is not that Verisign has to make each and every single WHOIS contact info accurate. The point is that Verisign does not even care that their WHOIS contact information is bogus more often than not.
People would complain to Network Solutions about spammers having obviously bogus WHOIS information (such as phone numbers of --- --- ----), and their reply was that "WHOIS information is not guaranteed to be accurate".
I think the response is that, if a given set of WHOIS contact information is bogus, and people complain about the bogus information, Verisign should pull the domain in question until they update the information to have legitimate contact info.
A spam-friendly domain without real WHOIS contact information should be pulled until the information is updated. People should be held more accountable for what they put up on the internet; non-bogus WHOIS contact info is a start.
- Sam (Pot. Kettle. Black. I've moved since signing up for my domains, and have not updated the WHOIS contact info)
-
Re:Literate Programming
The only reasonable way to write code is to document it at the same time as you're implementing it
I find that I write better code when I first put out a basic sketch of the design. Basically, the data structures used, the names and arguments for the functions, and what the functions do. Once this is sketched out, I go about actually writing the code in question. I will generally actually make up more functions than what I sketched out, and will change some of the arguments that the functions receive.
I find that the code I write while designing the structure is more bug-prone and difficult to maintain; "play it by ear" is not a good way of working for projects of any significant complexity.
Since Slashdot has zapped signatures (in the default config), I will refer people to my main software project. This project is my most ambitious project to date; it currently has over 24,000 lines of code (including comments).
My experience with looking at the source code for projects is that the main problem is not how people comment the code, but that people generally do not comment their code at all.
- Sam
-
Re:Any reviews?
We've been using Valgrind to find memory leaks in my open source project; it caught a few subtle memory leaks which we didn't catch in our six months of testing by hand.
I've been very pleased with it.
I can not comment on how easy it is to use because other developers on the team have been using it instead of myself.
- Sam
-
Re:Sorry, but Linux *IS* inferior...
Could you please help me get MaraDNS to be as stable on Solaris as it is on Linux then?
As an aside, why is it that Solaris advocates have this big need to hide their identities? Most Linux advocates here have a link to their home page so I can actually get a chance to know the person I am debating. What is it that Solaris people have to hide?
- Sam
-
Linux has a very good coding environment
[Using Linux is] doing without ... gaming, coding
I find it very interesting that you feel that using Linux means doing without gaming or coding. Let me guess: You live in the United States (more details on why I have this theory below).
Linux has had a large number of games ported to it; I believe Loki ported 20 or so before going under. I find that this is enough games for me to waste far too much time playing; my open source coding project would not be in its current state if I spent any more time playing games on Linux; and I only have two games which I regularly play on my Linux laptop. I have not had time to finish either game.
As for coding, I find the coding environments of Linux extremely usable and powerful. For example, the Perl interpreter allowed me to create, within one day, a new unified documentation format for all of my program's documentation when people who translate my documentation requested this.
When someone says "Linux does not have a usable coding environment" what that person is saying, in effect, is "I am not willing to take the time and effort to learn the excellent coding environments that Linux has". Which I find very strange.
Programming, after all, is not like playing a video game. Programming is a discipline which takes time and effort to learn. The effort to learn, say, the Emacs environment or the most common Vi commands, is trivial compared to the effort required to learn how to write a usable and maintainable computer program.
My general experience is that Europeans are generally more willing to take the time and effort to learn the language of Linux; most of the people who are helping me out with my open-source project are from Europe. I think this is because most Europeans have had to learn one or more foreign languages; learning a foreign language makes one intently aware of the time and effort needed to accomplish something truly worth accomplishing.
Programming code is not like watching "Ally McBeal" on TV; my general experience is that people who need automated tools to generate code write code that is inefficient, difficult to read, and unmaintainable.
Linux is not a charity case
The free software foundation is, in fact, a charity.
- Sam
-
Re:Whoa, Nice shootin', Tex
Like all the Linux boxen running pretty much any version of wu-ftpd and vulnerable versions of BIND (and there are A LOT) are safe.
Then again, Linux boxes running VSftpd and any DNS server besides BIND 4/8 (like This one, or this rather shameless plug) are safe from remote root exploits.
- Sam
-
Re:Another argument for open source
Listen: Bugs will exist in ANY code. Agreed?
In general I agree that bugs are a fact of life, like death and taxes. However, there are coding styles that can minimize the number of buffer overflows in code:
- One can create a special string library which is resistant to buffer overflows (strings being structures which have a "maximum length" value). For example, my DNS server uses such code to minimize buffer overflows (the string library is documented in man pages).
- One can write code in a style where the possibility of the code being placed in an "unknown state" is minimized.
- One can avoid strings wherever possible
/bin/login was developed at a time when people just wanted the code to work, and in a day and age where today's exploits did not exist.
It is possible, with today's knowledge of security issues, to code in a style which makes these kinds of security holes very unlikely. Look at Dan Bernstein's code. Look at Chris Ferret's VsFtpd.
This is why I feel that Solaris is slowly dying: Because Solaris has, for whatever reason, lost the motivation to replace their codebase with the features that a modern Linux system has. Some Solaris administrators are so afraid of change that they don't want to replace the Solaris userspace with the vastly superior Linux userspace. Like Eric Raymond said to the idiots that think making Python a requirement to build the kernel is a bad thing, progress happens.
- Sam
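The overflow-resistant string structure described in the "Buffer overflows" post above and again in the list in this post, as an added example that is not MaraDNS's own string library: each string carries its current length, its fixed maximum, its encoding and its octets-per-unit, and every write is checked against the maximum before a single byte moves. Output goes through `fwrite`, so string data is never used as a format string. Type and function names (`mstr`, `mstr_append`, `mstr_write`) are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum mstr_enc { MSTR_ASCII, MSTR_UTF8, MSTR_UCS2 };

struct mstr {
    unsigned char *buf;  /* storage; no terminating NUL is relied on */
    size_t len;          /* current length, in units */
    size_t max;          /* maximum length, in units, fixed at creation */
    enum mstr_enc enc;   /* how the octets are to be interpreted */
    size_t unit;         /* octets per unit of data (1 for ASCII/UTF-8, 2 for UCS-2) */
};

struct mstr *mstr_new(size_t max, enum mstr_enc enc, size_t unit) {
    if (unit == 0 || max > SIZE_MAX / unit) return NULL;   /* size arithmetic must not wrap */
    struct mstr *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->buf = calloc(max ? max : 1, unit);
    if (s->buf == NULL) { free(s); return NULL; }
    s->max = max; s->enc = enc; s->unit = unit;
    return s;
}

void mstr_free(struct mstr *s) { if (s) { free(s->buf); free(s); } }

/* Append n octets. Returns 0 on success, or -1 and writes nothing if the
   result would exceed max or n is not a whole number of units. */
int mstr_append(struct mstr *s, const void *src, size_t n) {
    if (n % s->unit != 0) return -1;
    size_t units = n / s->unit;
    if (units > s->max - s->len) return -1;   /* len <= max always holds, so no underflow */
    memcpy(s->buf + s->len * s->unit, src, n);
    s->len += units;
    return 0;
}

/* For C strings the length is taken here, so callers never hand in a
   length they computed themselves. */
int mstr_append_cstr(struct mstr *s, const char *cstr) {
    return mstr_append(s, cstr, strlen(cstr));
}

/* Emit the bytes directly: the data is never the format argument of a
   printf-family call, so a "%n" or "%s" inside it is just bytes. */
size_t mstr_write(const struct mstr *s, FILE *out) {
    return fwrite(s->buf, s->unit, s->len, out);
}

/* Bounded comparison against a C string in the same encoding. */
int mstr_equals_cstr(const struct mstr *s, const char *cstr) {
    size_t n = strlen(cstr);
    return n == s->len * s->unit && memcmp(s->buf, cstr, n) == 0;
}

int main(void) {
    struct mstr *s = mstr_new(8, MSTR_ASCII, 1);      /* constructed sample: room for 8 octets */
    if (s == NULL) return 1;
    mstr_append_cstr(s, "hello");
    int rc = mstr_append_cstr(s, "world");             /* 10 > 8: refused, buffer untouched */
    mstr_write(s, stdout);
    printf("\nsecond append returned %d, length is %zu\n", rc, s->len);
    mstr_free(s);
    return 0;
}
```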
-
Re:Why still running on BIND?
why hasn't someone written a better alternative?
Lots of people have:
Posadis (though I've no experience with it yet)
The list goes on and on.. hit Freshmeat.net for some possibilities.
-
Re:So they wont be hypocrites..
Keep in mind that Sun has two licenses: The Sun Community Source License (which is not a free software license) and the Sun Public License.
And, yes, I agree that Dan is free to do as he wishes with his code. The current license, for better or for worse, however, will stop it from being adopted by any of the major distributions.
- Sam (Since Dan ain't gonna change his license, back to coding my alternative to BIND and DjbDNS)
-
Re:So they wont be hypocrites..
From http://www.gnu.org/philosophy/license-list.html:
[...]it lacks essential freedoms such as publication of modified versions[...]
Here the FSF is describing Sun's "community source license" and why it is not open-source compatible. While they have not put up an explicit statement about Dan's license up there, since Dan's license lacks the same "essential freedom" (see my last post in this thread for citations), it is safe to conclude that the FSF would consider Dan's license "unfree".
For the record, I feel that:
- Dan is a brilliant programmer who has not had to make any changes to Qmail in the last three years--since Qmail has not had one security problem of note ever. The only reason Dan has to make changes to DjbDNS is because of the way the BIND developers make changes to how they interpret the vaguely-worded DNS RFCs.
- Dan does give away his software, and he does allow people to freely use it and freely separately distribute patches for it.
- While I do not completely agree with Dan w.r.t. the license he chose, I feel Dan has valid concerns about Linux fragmenting the way Unix fragmented. His license stops Qmail or DjbDNS from fragmenting.
-
Python is why I chose not to GPL my DNS server
Anyway, I removed the acceptance ceremony from the 2.1 license, in the hope that this would satisfy the FSF. Unfortunately, the FSF's response to the 2.1 license (see above) seems to suggest that they have changed their position once again, and are now requesting other changes in the license. I'm very, very tired of this, so on to the next question!
The main reason I chose not to GPL my latest open source project--the MaraDNS server--was because I knew that there were some incompatibilities between the GPL license and the Python license. As long as the GPL may make it impossible to make a python module out of my code, I am not going to GPL it.
Instead, I made MaraDNS public domain. BTW, I use Python-style syntax for the mararc file MaraDNS uses.
BTW, isn't it against the license for Python to have a gdbm module, since gdbm is GPL and not LGPL? And, is it not inappropriate to have Python KDE bindings or use Python in KDE programs?
- Sam
-
Re:Real conclusions
You know, there aren't that many DNS servers to choose from. Go read one of the latter lwn.net issues. They summarized the problem quite good. And no djdns is not considered an alternative to bind.
I am working on that particular issue. MaraDNS is a public domain DNS server that I have been working on for the last two months. Currently, MaraDNS has roughly the functionality of TinyDNS--it works as an authoritative DNS server, but not as a caching DNS server.
A 1.0 release should come out in early June. Look at the roadmap on the MaraDNS web page.
- Sam