BIND 9.3 Released With Commercial Support

darthcamaro writes "Time for net admins to update BIND: version 9.3 has been released. internetnews.com has a story on it where they talk with Paul Vixie, the founder of BIND's keeper ISC. In it he details why after so many years BIND has finally decided to offer commercial support. 'Many of the companies who use our software free of charge have told us that their corporate risk management strategy requires them to have a bona fide support channel for all of their critical operations,' Vixie said. 'In other words we were told that having the best software wasn't good enough, and giving it away for free wasn't good enough, we also had to ensure that commercial support was available or they could be forced to switch to software they didn't like as well just to get support.' The full press release on the BIND 9.3 release is also available."

Wait till the next exploit,,,

[darkjedi521]

Wasn't at one time BIND the IIS of the unix world? This could open them up to a world of problems if/when the next exploit shows up.

Re:Wait till the next exploit,,,

[otis+wildflower]

No, you're thinking of Sendmail.

Re:Wait till the next exploit,,,

[John+Starks]

Exploits are not uncommon in BIND, even today. Take a look at their security alert page, especially the matrix at the bottom. Security problems abound!

It's not clear why people continue to use BIND. It's probably because it's just assumed that it's the only thing out there. But everything from security to configuration is poorly done in BIND. I use tinydns (part of djbdns) instead on all my servers. It's written by Daniel Bernstein, the same guy that wrote qmail. He's got a great track record -- no security holes in any of his software, AND he backs up that assertion with a $1000 prize to anyone that finds such a hole. He makes a better case than I do for tinydns/qmail vs. BIND/sendmail than I ever could.

Re:Wait till the next exploit,,,

It's too bad that tinydns sucks, and is lacking features.

Re:Wait till the next exploit,,,

[morelife]

Security problems abound!

There hasn't been any significant security issue with BIND 9. Period. Your link points to BIND 8 stuff, which you shouldn't be using, specifically for those reasons, and I hope ISC stops supporting it soon, it's due for a quick death.

I use tinydns
Who gives a rat's ass what you use? Like an AC said earlier, and I paraphrase, "too bad tinydns is so lacking in features", when he was trying to be nice.

ISC's BIND is the reference implementation, in the free world anyway. Why don't you shut up and contribute code to it, instead of criticizing?

But everything from security to configuration is poorly done in BIND
Really. Such as.. ??

There are a couple of problems with BIND (out of the scope of this rant) which will eventually get worked out. One of them is with zone transfers. But it only happens to losers who don't understand how to design and deploy a componentized architecture suiting the application at hand.

Anyone who understand DNS, their OS's limits, and software applications can deploy BIND 9 in a frighteningly secure manner.

He's got a great track record

(re djb), Yes, but not necessarily in the DNS world. I don't understand. If it's so great, why haven't more professionals adopted it?

Re:Wait till the next exploit,,,

[Florian+Weimer]

Exploits are not uncommon in BIND, even today.

Critical exploits in BIND 9 still have to show up. The really nasty bug so far was actually in OpenSSL.

It's not clear why people continue to use BIND.

For the full resolver part, their are hardly any alternatives. If you need DNSSEC, your options besides BIND are even more limited.

tinydns is unusable for most people (who aren't masochists) because it doesn't conform to existing standards and parctice. Just speaking the DNS protocol is not enough, you also have to implement some of BIND's quirks, and more important: the software has to be maintained. DNS is still evolving, DJB's software is not. (Some of it doesn't even compile on modern, POSIX-conforming systems.)

Re:First Post?

[Marxist+Hacker+42]

Ok- it was first post, but reading I finally realized- BIND IS OSS! All I need to do is find the time to create my own version, with a nice little PHP web interface to do DNS lookup for teachers to approve sites for the kids server.

Re:Is this a good thing?

> Hopefully the ISC won't turn this into a RedHat situation.. They find that corporate use is profitable, and release a closed-only solution to corporations, while forking the code over to another open source project..

How did this get a "Score 3, Insightful" when it's so completely WRONG?!? All the Red Hat source code is freely available - how "closed-only" is this?!?

Re:First Post?

[NineNine]

Windows Server has a DNS service built in.

NOT "Time for net admins to update"

[strabo]

I really hope that most net admins know better than to update until after the beta is over, and the release version comes out.

BIND 9.3.0 is not released yet. It is at beta 2, which was released two days ago.

Re:First Post?

ISC has a windows version, works great.

ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.2.3/ BI ND9.2.3.zip

(take out the spaces in the url above)

Re:First Post?

[0racle]

Your going to need to learn how to read first. Bind for Windows NT/2000 binary and source, just a little down the page.

Re:This is a simple reality in corporate use

[ChoyLeeFut]

It's worth the money for me to be able to get someone on the phone 30 seconds after it crashes to get my business running again.

30 seconds??

Wow... you've never had to deal with support from Monolithic Corporation Inc., have you? ;-)

Re:Why is this a surprise?!

[operagost]

but I cringed when the launch screen came up with the usual "Not guaranteed for fitness or any purpose" or whatever.

Guess what? The Microsoft EULA (along with most other companies') says the same thing in other words. And you DO pay hordes of money for those without getting any real support, until you pay hordes more. Might as well get the right free product and buy competent support and save one horde.

How the BIND company makes money

[amacleod98]

D. J. Bernstein has a few things to say about this Also see here And here

Re:How the BIND company makes money

[wobblie]

Bernstein is a certifiable loon. He regularly flames people on the bind9-users list, and if there was any doubt that he is a complete DWEEB, read this. He goes to St Petersburg and complains about the hotel and eats at Burger King. Whatever. The guy is a nut. A smart nut, but a nut.

His software also has onerous restrictions on it, and djbdns does not support as many record types and such as bind does. His rantings about bind are full tilt hysterical conspiracy theory level paranoia.

Re:Read your EULA please.

[morelife]

You are, loudly, shooting yourself in the foot.

If you had a critical software problem, and you told the vendor you "won't buy another piece of software from them" you know what you still have?

Your same broken ass software, and a worse relationship with your vendor.

Read your EULAs, ask your lawyer about them, and then go do a little research on the reliability and fix times for problems in BIND, Postfix, Apache, OpenSSL/SSH, etc etc etc.

You'll find that you're better off in many cases with OSS, with many less dollars lost.

Re:First Post?

[dasmegabyte]

So? If he wanted a quality DNS server, he would have asked about DJBDNS.

Dan Bernstein might be an, uh, "colourful" character, but his software is fast, easy to use, easy to admin, and all around better than anything Vixie & crew could offer. Plus this guy's devotion to security is nothing less than astounding. I trust his internet tools wherever possible...shit, i even run an instance of his no frills HTTP server for images.

Comment removed

[account_deleted]

Comment removed based on user account deletion

get rid of it

"Time for net admins to update BIND", install djbdns. Geez people move on... BIND and sendmail
must die...