Root-server switches from BIND to NSD

← Back to Stories (view on slashdot.org)

Root-server switches from BIND to NSD

Posted by ryuzaki0 on Tuesday February 25, 2003 @05:01AM from the invulnerability-through-diversity dept.

A Sorry End writes "It appears that one of the 13 root-servers, the core of DNS name resolution, have moved away from BIND to NSD since wednesday, Feb 19th, 2003, which is a Good Thing. Since the 26th of october 1990, all root-servers have been running BIND. According to this message, this change was designed to increase the diversity of software in the root name server system, the lack of which is widely considered to be a potential vulnerability. The nsd software has been designed from scratch specifically as an authoritative name server. It has no design commonalities with bind, the currently prevalent DNS implementation. In addition to that nsd provides a significant increase in the performance reserve of k.root-servers.net. NSD was developed at NLnet Labs in coorperation with RIPE."

9 of 251 comments (clear)

Min score:

Reason:

Sort:

Open Source by Greedo · 2003-02-25 05:06 · Score: 5, Informative
From their site:
NSD is an authoratative only, high performance, simple and open source name server.
But further down:
The betas and releases of NSD are distributed under freeware BSD license, however we require the alpha testers to:
- test the software within reasonable timeframe
- provide NLnet Labs with feedback and bug reports in a timely manner
- not disclose the source to any third party without NLnet Labs concent [sic]
- destroy obsolete versions of the alpha code on request
So, I'm wondering, when this comes out of beta, will it still be open source? Running diverse software on the roots is probably a Good Thing, but security through obscurity isn't, so I hope they aren't trading one kind of vulnerability for another.
--
Tuus crepidae innexilis sunt.
1. Re:Open Source by copterdoc · 2003-02-25 05:37 · Score: 5, Informative
  
  You can find the source here:
  http://www.nlnetlabs.nl/nsd/index.html
2. Re:Open Source by Anonymous Coward · 2003-02-25 05:48 · Score: 5, Informative
  
  nsd will remain open source.
  
  Daniel Karrenberg
  daniel.karrenberg@ripe.net
Verisign using ATLAS, not BIND by GeorgeK · 2003-02-25 05:08 · Score: 5, Informative

As of last year, Verisign has been running ATLAS, instead of BIND, for DNS. See the story here.
1. Re:Verisign using ATLAS, not BIND by Greedo · 2003-02-25 05:19 · Score: 5, Informative
  
  VeriSign is replacing an open source software package called Berkeley Internet Name Domain (BIND) with its own proprietary technology. Dubbed ATLAS, for Advanced Transaction Look-up and Signaling, VeriSign's proprietary software will be installed in its 13 DNS server sites around the globe this summer and will go into production mode in the fall.
  Well, I guess one of those 13 server sites (I assume they mean the roots) isn't running ATLAS now, is it?
  
  And again with the proprietary software! Verisign has a bad enough reputation already. Now they expect us to trust the security of their closed software ... great.
  
  --
  Tuus crepidae innexilis sunt.
2. Re:Verisign using ATLAS, not BIND by Matty_ · 2003-02-25 06:03 · Score: 5, Informative
  
  The server which is getting the new software is k.root-servers.net, which is managed by RIPE in London, UK. It handles DNS for the "." (root) domain.
  
  Verisign does not run this server, but they do have their own DNS servers which handle DNS for TLD's such as "com" and "net" -- and is totally seperate from the root servers. I am sure all of those systems are still running ATLAS.
  
  (Of course, if I recall correctly, VeriSign does manage one of the 13 root servers. I think it is a.root-servers.net, but I may be wrong.)
Re:New vulnerabilities by cmburns69 · 2003-02-25 05:13 · Score: 5, Informative

But previously if you learned of a BIND vulnerability, you could hijack ALL of the root servers, redirecting 100% of requests to your site. Now, if there is a single vulnerability in either system the hijacking could only affect a portion of the system, not the entire internet.

An online Starcraft RPG? Only at

--
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Re:Specs on BIND Vs NSD by etcshadow · 2003-02-25 05:19 · Score: 5, Informative

Well, the biggest difference has got to be that the two are built for completely different purposes.

BIND is a general purpose name server for use anywhere in the hierarchical dns scheme. That is, in simplest terms, it accepts requests from below, and either serves them or passes the query up (hierarchy = tree).

NSD, according to what is being said is for *authoritative servers only*. That is, it only serves requests, it never passes them up (because it only runs at the nood nodes). It may be true that they intend to make it a general purpose name daemon in the future, but at least for right now, it just simply does not do all of the different things that bind does. One might guess that, because it does fewer things, it does them better, but I sure as hell don't know that to be the case.

--
:Wq
Not an editor command: Wq
Re:Specs on BIND Vs NSD by Anonymous Coward · 2003-02-25 05:37 · Score: 5, Informative

If you download the source tarball from the NSD site linked in the article and expand it, you'll find a DIFFERENCES document. It's a summary of observed differences between BIND 8.2.2-REL and NSD 1.0.1 written by Daniel Karrenberg at RIPE.

I'm scanning through it right now, and it looks like the main differences are:
NSD is Authoritative only. It doesn't pass requests to other servers.
NSD is quieter in the sense that if you send it a request which it refuses (like an update), it simply returns a Refused message and not the content of the update request. BIND does. This is considered a weakness in BIND that could make it susceptible to DoS attacks.
There are a number of different interpretations of the RFCs between BIND and NSD which I don't understand.