Domain: tinydns.org
Stories and comments across the archive that link to tinydns.org.
Comments · 23
-
Re:Use djbdns (aka tinydns)
I really wonder if you're incapable or just unwilling to understand. You have lost this argument long ago because you're not making a point!
Well, but if you so want I will iterate again:
There is no "frequent mishandling" in the "non-root management of daemons" in either daemontools or djbdns. Please quote your "significant security issues" with that because to my knowledge there have been no security issues with djbdns ever. Also please define your term "mishandling"?
Remember, one of the design goals for djbdns was to provide a more secure alternative to the horror that is BIND. According to its security track record it succeeded so far.
Furthermore djbdns is considered by many to be *much* more manageable and configurable than BIND. Just compare the configuration mess in BIND (especially the awkward zones format) to the data-format in tinydns that I quoted in my earlier mail. Ultimately this boils down to taste and preference but in no case is it a point to be made against djbdns - much rather one to be made against BIND. Just ask some people who have used both (I have).
Documentation? Again?
Djbdns comes with an exhaustive manual and a truckload of community documentation.
So what remains of your argument? The packaging. We can agree on that but that has nothing to do with security and is probably not the driving factor when choosing a DNS impl.
PS: Work on your reading comprehension. The post you replied to was not mine and the statement "better than bind" that you pulled out of context clearly compared the two on the basis of security problems and bugs, in the same friggin' sentence! That seems like a reasonable assertion to make when comparing djbdns (zero bugs, zero security issues) to BIND (an embarrassing number of bugs and security issues), don't you think?
-
tinydns patch to ignore sitefinder
http://tinydns.org/djbdns-1.05-ignoreip2.patch
Turns A records for certain IP addresses back into NXDOMAIN results.
-
Automate finding and ignoring wildcards in domains
I wrote a script to automate the detection of wildcard domains, go ahead and download it. It requires the djbdns tools in the path (dnsqr and dnsq). It generates a list of all wildcard domains suitable for the djbdns wildcard ignore patch.
-
Re:djbdns violates multiple RFCs
Care to back that up with facts? Interestingly enough, you might want to look at this page.
In any case, if you don't like how djbdns behaves by default, you can always go to http://tinydns.org/ and see what's available.
-
Re:Netsol costs more.
I also use TinyDNS, and others of the DJBDNS tools.
- It is safer than BIND
- It is simpler than BIND
- It includes a tool for restarting if there is a problem (not that I've seen any other than my own errors)
-
demystifying djbdns
There is no shortcut. You need daemontools because it relies on "service" for monitoring, logging, and rudimentary host based access control where applicable. Just READ THIS and follow the instructions. Take the time to understand what the difference is between dns-cache and tinydns. Do yourself a favor and install axfrdns if you install tinydns. If you are going to do authoritative nameserving, read up on all the goodness HERE. I've taken the time to install the VegaDNS administration front end and it's pretty neat. The most useful patches so far that I've used for tinydns are the round-robin dns patch, the errno patch (to get the bastard to rpmbuild on ES 3.0 but I think debian is still using fred flintstone's glibc so you should be cool) and the patch for the new zone transfer method that BIND 9 uses. If you aren't needing to mess with authoritative domain hosting, you probably only need DNScache. It's awesome stuff. Good Luck!
-
Sounds like a good reason to use djbdns instead
http://cr.yp.to/djbdns.html
It's nowhere near as difficult to set up as BIND, it's more secure than BIND, and there's a patch available to block Verisign's wildcard lookups. I've been running the patched version at home and at work since shortly after Verisign added the wildcard records and haven't had issues with any DNS queries.
-
djbdns (dnscache) patch
Here is a site linking to a patch for dnscache users. I'd prefer a hack along the lines of what [groan] ISC has implemented, but if verislime were to delegate and then spoof, ISC's hack would stop working, while the dnscache patch would simply require a bit of administwiddling and then keep right on working.
Patch 'em up and move 'em out...
-
Re:Bug your ISP
There is a patch for djbdns, but they're not official so I wouldn't recommend blindly using them.
What would you call `official patch for djbdns', one released by DJB? Forget it.
;) There are no `official' patches for any djbware.
The ignoreip2-patch with ignoreip-update posted on dns@list.cr.py.to seems to be the Right Way for now.
-
For TinyDNS / dnscache users
Russell Nelson has a patch for tinydns which does the same thing.
He also notes that several other TLD operators do the same thing and has another patch that allows you to do the same thing to several naughty TLD operators at once.
-
Re:Bug your ISP
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
Well, there's TinyDNS, djbdns and MaraDNS, just for starters. And whatever those Windows folks use on their server OS.
Interesting to note that djbdns has already been patched to work around the Verisign nonsense ....
-
Re:very cool.. dnscache?
Sure, Try here
-
Re:very cool.. dnscache?
Yep, the patch for dnscache by veteran Russ Nelson is here:
tinydns.org/djbdns-1.05-ignoreip.patch
-
There's a patch for DJBDNS
to return NXDOMAIN again. You can find it at http://tinydns.org/djbdns-1.05-ignoreip.patch
Use at your own risk, I haven't tested it - yet.
-
Re:Correction (need resolver workaround)
A better patch can be found here.
--
Eric Ziegast
-
done!
-
Another User-Mode Linux hosting service
There's another option, too:
Bytemark Hosting offers Linux virtual machines via User-mode Linux.
Bytemark supports Open Source with contributions to Debian and discounts for Open Source developers.
Debian is one of the distro options. Primary DNS on Bytemark's DNS servers is included (running djbdns, win win).
-
Re:Escape
Find a vulnerability and you're not even allowed to release a fixed version!
That's assuming you ever find one. qmail's withstood the security guarantee since 1998. djb tends to write fairly good software... Besides, people are allowed to release unofficial patches to djb projects and quite a community has grown up around additional features. See qmail.org and tinydns.org.
There hasn't been a djbdns release since 12-Feb-2001 [freshmeat.net] and the project is bound to go stale sooner or later if djb does not renew his interest.
Oh come on. If something works well and implements the standards, why should you bother to add more gimmicks? "If it ain't broke, don't fix it."
-
Re:Too late ...
djbdns does have IPv6 support, thanks to patches by Felix von Leitner - get them from www.tinydns.org
IXFR is an incremental method of zone transferring, which is completely useless if you use something like rsync and ssh. djbdns stores all of its zone data in a highly efficient CDB file. All you have to do to update your secondaries is to push the CDB file out. If you use rsync, then only the differences get pushed, the file gets updated atomically, and you're laughing.
If you use djbdns consistently, you have absolutely no need whatsoever for AXFR or IXFR. If you do secondary with other BIND servers then you'll need to run an AXFR process, unfortunately.
-
Too late ...
I'm hoping BIND9 is a complete, utter rewrite, with no code from BIND8 still remaining.
If it isn't, then it's way way too late - switch to Dan Bernstein's djbdns instead. Read the security guarantee and weep in relief. Notice the exceedingly small memory footprint. The lack of core dumps. That you can get rid of AXFR completely and just use rsync+ssh to transfer to your secondaries.
Check out tinydns.org which has migration tools from BIND which I'm playing with atm.