BIND Is Most Popular DNS Server

bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."

probably

[greechneb]

probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

Re:probably

[kinema]

People are lazy.

If laziness dictated what DNS server people ran I find it hard to believe that they would choose BIND. BIND is hardly the simplest DNS server out their to learn, setup and maintain.

Re:probably

[huge]

No matter which DNS server is the default in any distro. All of the DNS admins I know will compile or reinstall the server anyway.

It maybe true that some of the home users running a "server" in the closet may be using the default server of distro, but I think there aren't that many to make a difference.

Re:probably

[bryanp]

probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

Probably since most retail desktop OS's (Mac & Windows) include IE as their default browser. People are lazy.

(sorry, I couldn't resist)

Re:probably

[missing000]

It may not be "simple", but it is /powerful/.

Do you live in a DOS shell? It's "simple" - so is driving a golf cart or programming in BASIC.

Simple is not equal to good. Very few people would actually chose simple over capable any day.

Re:probably

[kfg]

It depends on what you mean by lazy.

Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

Most lazy people create an extraordinary amount of needless labor for themselves and then berate people who have a lot of free time because of their efficiency "lazy."

It's very peculiar.

KFG

Re:probably

[kfg]

pfft, why should you ever go back to hang up you're coat when you've thrown it in a perfectly good spot.

I haven't a clue, but people do.

KFG

Re:probably

Exactly. What is so difficult about setting up BIND for an average site? I was able to set up BIND on Woody by installing the package, reading documentation for 15 minutes and then editing a few example zone files. And I have never ever set up a DNS server before (though I know quite a bit about how DNS protocol works).

Now, I clicked on one of the links in this story and found that to configure tinydns (as an example) you have to learn some strange sendmail-like syntax:
=www.panic.mil:1.8.7.99
@panic.mil:1.8.7 .88:mail.panic.mil.:0
Zpanic.mil:dns1.panic.mil:h ostmaster.panic.mil::72 00:3600:604800:3600

Heh, WTF? I would have to learn this syntax and how it relates to common DNS terminology (A, CN, MX, ...) AND learn what the common DNS terminology means. In the BIND case, I only need the common terminology.

All for all, I'd say BIND is used not only because it's default. It's default and sufficiently easy to use so most people do not feel the need to replace it. As a bonus, if there is a security problem, it is likely to be fixed REALLY fast upon discovery, which is a bit less probable for the other servers (because they are not used as frequently).

Re:probably

[gclef]

No. I'm running BIND because I want "delegate only" zones. When the other DNS servers can handle Verisign's obnoxiousness gracefully like that, then I'll look at moving. Until then, BIND stays on my DNS server.

(ps: If there are any Gentoo folks reading, please get Bind 9.2.3 into portage properly. I got it installed on my machine by hand just fine, but emerge keeps trying to downgrade it to 9.2.2. That makes me unhappy.)

Re:probably

[dsojourner]

As I recall, djbdns has a licence that makes it hard to distribute: everything goes in weird places, and if you distribute the code you can't distribute changes (only patches). ... which might affect whether the major distributions would be interested.

Re:probably

[swb]

An interesting observation. On a related note, I've noticed that a lot of "messy" people seem to know where everything is. I call it the chaos theory of organization; it can often be easier to remember where things are than to spend the effort to put them someplace. So you just put them where there's space, and remember where they went.

My wife has what I call the pro-aesthetic theory of organization; if a room or place appears to be neat, it's organized -- even if the stuff is put away without any regard to an organizational structure (eg, related items aren't in the same cabinet or closet). It's important for the room to look clean, even if in reality its a highly user unfriendly mode of organization.

When you contrast the former and the latter, it's an interesting mix -- on one hand, you have a visual mess but things are relatively easy to find. On the other hand, you have visual neatness, but things are hard to find since there's no scheme (other than size and volume) as to where things went.

As far as laziness goes, I've known neat freaks that never get anything done because the overhead cost of neatness eliminates their time.

Re:probably

[olderchurch]

So I have to learn a more complex syntax. It took me half an hour (not taking the strange M$ lookup into account). The fact that you need to update your BIND software because of security related problems _at all_ is something I do not like. Take for example securtiyfocus' Vulnerabilities archive:
BIND: 24 vulnerabilities (since 1999)
TinyDNS: 0 vulnerabilities

That's what I call a secure DNS server!

Re:probably

[petard]

Not a separate computer, just a separate service. If you're running a public DNS service, you really should allow only recursive or authoritative queries. If you must service both, have the authoritative service listen on a 127.0.0.x IP and have the recursive one query that for the domain in question. But unless you're an ISP, there's really not a good reason to have your public nameserver handle recursive queries.

Here's a bit more discussion of why it's a good idea to split your DNS. But like I said, it doesn't have to be a separate computer, just a different interface :-)

Re:probably

[walt-sjc]

While bind may not be "super simple moron proof", It's also not that frigging hard either. Add on top all the various GUI management tools for it that make it not hard at all. Looking at some of the zones managed by clueless Windows (and linux) administrators using Active Directory or other tools, it's clear that some people need to read the O'Reilly DNS and BIND book. There is more to DNS than the server software - you need to understand WHAT the records do, and HOW to use them correctly. You also need to know how to use tools like dig and nslookup. Bind is only one part of the equation, and it's just not that hard to learn. While there are a lot of options, most people won't need but a few. There are MANY MANY good examples and tutorials.

Bind is also rock solid. It doesn't die. I have servers that run bind that have been running for YEARS without a reboot, and bind has never needed to be restarted. The answer is quite simple. It's not THAT hard, and it works. Why change? Occasionally someone will find a security hole, so you patch and move on, just like everything else.

Re:probably

[painandgreed]

It depends on what you mean by lazy.

Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

That's not laziness. That's called "time management".

Re:probably

[rthille]

Well, to be fair, you don't have to learn the syntax to get started, DJB created command line programs to do the 'normal' things like 'add-host' 'add-ns', etc.

I had trouble figuring out BIND's zone-file format when I first installed it. But the main thing I had trouble with was trying to figure out which packets I wanted my DNS server to be sending out.

DJB talks about not using CNAME, but it took me a long time to understand why.

Re:probably

[dasmegabyte]

So why not use tinyDNS...which is both simple AND powerful, AND fast, AND secure.

A good answer is "because the syntax is occasionally inscruitable." another would be "because DJB expects you by default to conform to HIS way of doing things, which is quite different from the bind way."

But if you don't already know the BIND syntax...and you want a DNS server you will NEVER have to think about...tinyDNS is goddamn fabulous. So is qmail. The combination of the two means the only things *I* think about on my webservers are Apache, Tomcat and Courier-IMAP (which loves to crap out unprovoked, once every three months or so).

Re:probably

[linzeal]

If you want logical organization you are going to have to label where everything goes, that has been my exp with past live in gf. Get a label maker and put labels on the bottom of drawers and on the inside of cabinet doors for each shelf and section of drawer. For large bulky items like christmas decorations put them on storage containers on at least 2 sides so that when you store them you can see what is in there.

This is a fun weekend project as you get to walk around your place with your SO and figure out 'exactly' where things should go.

Re:probably

[bugnuts]

It may come standard on 99.9%, but it's only used by 70%, vs 15% tinydns. Plus, the source is not available on 99.9% of the distributions -- it's almost always a binary. E.g, I have NEVER seen sun distribute the source to it in their distributions.

Lots of people would've eyeballed tinydns for bugs, which IIRC (and I might not), is not available in binaries. Plus, the security is guaranteed!

The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.

Re:probably

[mysticalreaper]

I know the problem, and i have a solution

A) the maintainer is a dink, and won't upgrade, plus the interested parties seem to like to whine and complain about weird craziness and misnamind of files (both problems non-existent IMHO) instead of upgrading. There's a bug about the compile problem, solaris only, as i remember. Why is it out of x86 then? Exactly. Gentoo was once great for being more current than anyone, but has been slipping, sometimes severely, as in this cae.

B) use the -U flag. like so "emerge -Upv world"

That -U is upgrade-only. I use it all the time, that way portage doesn't downgrade. Also, yes, 9.2.3 has been out for something like 8 months now, using 9.2.2 is starting to look downright silly.

Re:probably

[tigga]

So why not use tinyDNS...which is both simple AND powerful, AND fast, AND secure.

You may use it at home.. That's it. I would not call powerful DNS server which does not have idea about zone-transfer requests, inverse queries, non-Internet-class queries (queries list from DJB's page).

As for qmail - it's pretty inconvenient to patch it every time I need any new functionality. Qmail is pretty simple and doing complex things is quite frustrating with it.

De Facto

[the_mad_poster]

Becuase no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.

It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?

Re:De Facto

[Tet]

People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

Sigh. Y'know, I really should get used to sendmail FUD on Slashdot, but here I am feeding the trolls anyway. I use sendmail because it's better than the alternatives, and it's far from an abomination. I'm not going to claim the syntax looks good at first glance, but then most perl programs look like line noise too, yet the Slashdot crowd doesn't seem to have a problem with that. When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

Re:De Facto

[robslimo]

...no matter what ridiculous flaws it has...

Did you see the version results for BIND? There are some really ancient ones out there. 1.971% are version 4.9.3 to 4.9.11

I haven't checked any vulnerability databases on it, but that seems pretty old... too old to have patches available?

Re:De Facto

[winchester]

False arguments. At least the possibility for people to run other software in full compliance with the published standards (RFC's), thus providing full interoperability exists.

With windows, you do not get that choice... either you use what Microsoft provides you or you don't use it at all. There is no choice. On Unix, there is.

Re:De Facto

[Psiren]

When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

I haven't used sendmail in years, having switched over to exim a long while ago. Out of interest, what does sendmail offer you that exim doesn't?

Re:De Facto

[stephenbooth]

There's also the fact that, due to it's current dominance, if I buy a book about DNS it probably assumes BIND. Therefore in a lot of people's heads BIND = DNS. Heck, for that very reason if I had to set up a DNS server (I'm not a networking expert) I'd select BIND as then I know that there's going to be examples in a book I can adapt to suit what I want to do. If it's not my core area then I don't want to have to spend hours learning how to configure a system, I just want to copy something out of a book and for it to work. Looking at the MyDNS site that has a second strike against it, it requires MySQL. Not only do I have to learn to setup and configure the product I actually want but I also have to learn another unrelated product! At least BIND uses text files, I know how to edit those.

Stephen

Re:De Facto

[Total_Wimp]

When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching.

I think you hit the nail on the head. These big, some would say bloated, systems end up getting used because they're flexible. Others are constantly writing 3rd party stuff that specifically use these systems.

Case in point: Microsoft ADS is very DNS dependant and the only DNS they support besides Microsoft DNS is BIND. BIND may, or may not be the best DNS out there, but because it's the standard people are building their systems to, it is almost certainly the most compatible and, by extension, the most flexible.

TW

Re:De Facto

[SWroclawski]

Please tell me something Sendmail does that Postfix doesn't.

I'd argue Postfix is more modular, more simple to configure, more respectful of system resources, more secure and more flexible than Sendmail.

Re:De Facto

[Apreche]

True that. But in addition, because it is the de facto standard, its what they teach college students in IT classes. I'm a CS major, and I know quite a few IT majors around here. If you asked most of them to set up a DNS server they could. If you asked how they would say "the bind command". Because they are all windowsy, they don't realize bind is a piece of software that is replaceable. They were taught how to do things a certain way, and they don't know to do it differently.

Not all IT majors are that dumb, some of them deserve some credit.

The other problem is that old pain in the butt standard programs like bind and sendmail are feature complete. Because they are old and used by tons of people they have all the features in them, workin properly. It may be a horrid pain in the ass to make them work, but it can be done. And while there are many nice new alternative programs that serve the same functionality in an easy clean fast way. You'll be hard pressed to find one that can do everything. I can't tell you how often Who will use a piece of software that they know is terrible, will admit to it being terrible, even complain about it being terrible, because it is the only one with a single feature that is necessary. Made up Example: One website someone visits often only works in IE. They love Firefox, but its too much of a pain to visit that one site.

There's some guy out there using bind who wants to use something else, but can't because he needs one tiny feature that nothing else has. This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

Re:De Facto

[CrankyFool]

After about ten years of using Sendmail (I was using Sendmail back when you had to understand rulesets and how to hack LHS/RHS of rules), I switched to Postfix. I am happier than a pig in mud for a whole bunch of reasons and consider Postfix a superior MTA.

I have at least one acquaintance who, on his very large enterprise, runs Sendmail at the edge (and Exchange internally, but that's not his choice). Why? Because that way, he doesn't need to worry about separate patch management for his MTA -- Sun makes sure his MTA is up to date, and he doesn't have to document "this is how to install the MTA" separately.

Is he using an inferior MTA? I believe so. So does he. But the ways in which Sendmail is less good don't affect him nearly as much as the way in which it is better -- by lowering maintenance costs (or, really, just rolling them into the ridiculous amount he pays Sun -- though he could get the patches for free, of course).

With respects to my fellow sysadmins here -- obviously, some of you are vastly superior to me in all matters technical -- we really should know by now that sometimes, we make technical decisions for reasons that are not purely technical. The reasons people choose Sendmail over Postfix are usually in that sort of category, as well as the reason people choose BIND over other DNS servers (BTW, BIND is also the default DNS server on Solaris).

I don't see this as a huge problem, except for (I guess) people who take it personally that not 'enough' people use the software they developed with great effort (though I don't see Wietse complaining "more people should be using Postfix!"). Unlike the Windows situation, it's not like the fact that, likely, most people I communicate with use Sendmail means I'm forced into using Sendmail. UNIX-based MTAs (Sendmail, Postfix, qmail, exim, other custom MTAs) mostly seem to be fairly standards-compliant, much like DNS servers (go ahead. Point out some obscure thing that 99% of people don't use where BIND doesn't follow the spec, just so I can laugh at you). So BIND and Sendmail dominate? Fine. I'll still run Postfix and ... well, BIND. Who cares?

Re:De Facto

[daviddennis]

As others have said, I think the main reason people use BIND is that it's in all the examples in the standard books (mainly O'Reilly) we use to learn.

I was unaware DNS servers really needed much in the way of features for most people. In fact, I thought it was about the simplest thing in the world - get a request, look it up in a table and return the results. Not exactly rocket science, and the BIND configuration file's pretty ugly looking if my memory serves.

I think overcomplexity is one of the biggest problem with the software world as it is today. It's worst on Windows, of course, but Sendmail and BIND are proof that Unix has similar problems too.

D

Re:De Facto

Out of interest, what does sendmail offer you that exim doesn't?

For me, operational changes that would require programming in exim, but require only tweaking sendmail.cf.

Example: I recently added some anti-spam rules to restrict the HELO of connecting mailservers. If it's malformed, or matches against a blacklist of 'known bad' signatures, I reject the mail. In sendmail, this was trivial (err, well - as trivial as hacking your sendmail.cf can be :o)

I'm not saying it's for everybody - it requires a very high level of knowledge - but it's safer (no worries about buffer overflows in code I add myself, etc.) and simpler than modifying the program itself.

Re:De Facto

[the_mad_poster]

Yea, ok Tet. I'm a troll and that's FUD. It's not like sendmail really is a total piece of shit.

Don't give me shit about Perl either. I can write totally unreadable code in C, Perl, Python, PHP, VBScript, Vb6, C++, Java, shell scripting, and QBASIC. I can also write clean code, readable code in all of them.

It's not FUD, most Slashdotters just have their heads so far up their own asses that it just looks like they sit on top of their necks. Morons around here bemoan Microsoft for its shitty security, then they run out every other day to patch BIND or sendmail. Even assuming you're the 1 in 20 person who actually has a need that only sendmail can meet (which I doubt you are given the odds), the fact that you would suggest that saying sendmail has shit poor security is just "FUD" just serves to prove the point that you're just another one of the idealogical nutjobs that frequent this place.

Give it a rest. It's not FUD because it's true. Sendmail blows a left donkey's swollen nut when it comes to security, usability, and reliability. Just deal with it. While you're at it, ask yourself if you even really need sendmail, or if you're just too lazy to make the switch to something that actually works.

Re:De Facto

[the_mad_poster]

Nice try, but my real world experience proves you to be wrong.

Holy shit... you're a real gem...

MY experience is that people who use sendmail might as well just generate their configuration files using /dev/urandom. I guess MY real world experience proves YOU to be wrong, so now you're going to stop using sendmail, right?

I also like how the guy that you responded to got pinned as a troll. See, on Slashdot, the fact that sendmail is a total piece of security shit doesn't matter. All that matters is that MICROSOFT programs have lousy security.

I suspect this is because 95% of the people on Slashdot that actually talk don't know shit about computing, but they spit the same old idealogical mind dumps that appear in every Microsoft/Linux/SCO article and get excellent karma and mod points. Then, they run around and mod down anyone who doesn't say exactly what they were saying before. I mean, god forbid an intelligent post appear that doesn't exhort the many virtues of OSS! After all, with a license like GPL/BSD, it HAS to be good..... right?

Re:De Facto

[walt-sjc]

what does sendmail offer you that exim doesn't

As someone who used to run sendmail (from the late 80's to 2002 before switching to exim) it gives you native support for UUCP!! It also gives you good brain excercises so you can do things like complex regular expressions, the US tax code, etc. :-)

Seriously, if you really need to customize sendmail, you need to understand the rewrite rules in depth which are quite bizzare to someone not familiar. Adding additional functionality like sql DB lookups for virtual users with SMTP Auth, etc. can be a challenge for even the more seasoned sendmail admin. Once you get beyond the simple soho stuff, sendmail becomes quite awkward to work with. Sendmail Milter's is a horrible interface. Add on message archiving, spam / virus filters, special handling for certain addresses / domains, etc. and exim really starts to look good. Unless you are a full time mail administrator, you probably have better things to learn than sendmail syntax, and that's the bottom line.

Bind is no sendmail. Bind's syntax is actually quite clean - more like apache or exim than sendmail. There are no bizzare ruleset's to learn - it's more like defining a structure in C.

Re:De Facto

[Oopsz]

Think about using Bind. Bind9 was a rewrite of the server from the ground up, and has proved secure. If you wanted to use sendmail, I'd tell you to go look up postfix or exim, but Bind isn't evil. It's remarkably straightforward to set up and admin, the configuration syntax is simple, and the server is stable as hell.

Re:De Facto

[ahodgson]

djbdns supports zone transfers. The tcp server accepts AXFR commands, and axfr-get implements a client-side transfer into a djbdns-format zone file.

Re:De Facto

[daviddennis]

Well, I meant that was what a DNS server does. It gets a request, and looks it up in a lookup table. That's all most people running DNS servers really need.

You're over-complicating things for simple applications if you use the software meant to distribute DNS over an entire network of servers for your single web site which just needs to receive a request for www.amazing.com and return an addresss.

D

MyDNS

[Havokmon]

I've played with it.. it's defintely a nice DNS server.

But what I really want is something like EasyDNS provides: Aliases. I want to be able to 'clone' whole domains, because they're all going to the same place anyways based on the hostname.

Maybe EasyDNS just wipes out all the duplicate hostnames, and writes new records for them between the web interface and the backend when a host is changed or added..

Re:MyDNS

[boaworm]

You should try PowerDNS. It's entire records are located in MySQL database tables, enables very easy update/modify/add/delete scripts. Performance is great :-)

Re:MyDNS

[Havokmon]

Bind provides easy data replication, that's how you make secondary dns servers :-)

Yeah, but I'm already replicating MySQL - so what's another table? :P

I can understand why some people would what to have dns information in a SQL database, but personally I feel that it's just adding a not piece of software that could potentially fail. Trust me, you don't what your dns to fail.

Ahhh. Actually, I run an email service. So I already have MySQL servers that need to be up 100% of the time. In fact, I'd wager that most websites would also run some type of SQL, and need to be up 100% of the time. So it's a natual fit.

Plus, DNS is cached. So depending on your traffic, odds are pretty good that you'll have your server up before your hostname's cache expires - and if necessary you can concentrate on what's probably a bigger problem than DNS ;)

That's like...

[Simon+Carr]

"air is most popular substance to breathe". :)

That being said, PowerDNS is pretty awesome as a master, very nice for front end interface building.

Not necessarily the best for all...

[Piranhaa]

Personally, I use one called djbdns. It's extremely small and basically bug free! The author actually will pay $50,000 to whoever finds the first exploit in it or something. If you don't need all the extra power that bind offers, this is a much better way to go. Less memory and space required, meaning cheaper systems may run it better. Even the config file can't be simpler!! cat /etc/tinydns/root/data .pnet:10.0.3.33:a:259200 .10.in-addr.arpa::ns.pnet: #Define hosts & aliases =pollux.pnet:10.0.3.1 =altair.pnet:10.0.3.2

Re:Not necessarily the best for all...

You mean, $500.

Re:Not necessarily the best for all...

[Russ+Nelson]

Uhhhhhhh, sorry, Anonymous Coward, but you don't get away with that accusation without more details than that. There have been no security lapses in tinydns or dnscache. Weasles is actually spelled Weasels. Googling for djbdns fraud gets me nothing. Honest up, dude!
-russ

Re:Not necessarily the best for all...

[Russ+Nelson]

Actually, your zone file looks like this:

.pnet:10.0.3.33:a:259200
.10.in-addr.arpa::a.ns.p net:
#Define hosts & aliases
=pollux.pnet:10.0.3.1
=altair.pnet:10.0. 3.2

Re:Not necessarily the best for all...

[Christianfreak]

I use djbdns as well. Very simple, very easy to use. I actually run about 100 domains off of it.

I can't say that I really like the separate cache/dns server but I've gotten used to it. I just wish my cache would immediatly pick up changes in my DNS. And I wish it was better documented.

Re:Not necessarily the best for all...

[geniusj]

As another testimonial, I use djbdns for over 900 domains and over 100,000 RRs. We receive about 300 queries/sec with tinydns using about 2% CPU and about 800K of memory. I love the rsync method of syncing dns data, it works especially well for Dynamic DNS (which is something I provide).

As an aside, long ago, ODS (the service I run) ran BIND. At the time BIND used 90+% CPU consistently. Mainly because of the constant dynamic updates being sent to BIND via the update daemon. It also used about 50MB of memory or so (back in 1999 or therabouts). The switch to djbdns came shortly thereafter and I haven't looked back. Granted, djbdns cannot provide immediate dynamic updates because of its use of CDB. However, I find that every 30 seconds proves to be sufficient, especially when the 'secondaries' get updated immediately as well (thanks to rsync). Building the cdb is also remarkably fast, with it taking 0.55 seconds to hash the cdb with over 100k records.

Overall, I'm quite happy.

It is the default, and not hard to understand

[hattig]

Unlike sendmail which can scare people away just with the configuration file, the BIND zone file layout and other stuff isn't hard to learn.

So people use what came with the box, what their book on "DNS & BIND" uses, and so on.

Also, everybody else uses it!

Re:It is the default, and not hard to understand

[Nohea]

I really like BIND 9 - easy to use, the most features, plus a full rewrite since BIND 8.

DNS servers are low on resource usage anyway, so switching to a leaner daemon would always be a niche product (like Apache alternatives).

The only motivation for switching is the exploit issue. With the rewrite, its less of a case, and everyone should be keeping up to date w/security patches anyway.

You really see which DNS does heavy lifting.

[Inoshiro]

Ratio of BIND domains serviced to installs: 24,335,752 / 340,345 = 71.5 domains/server.

Ration of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.

Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

Because they haven't read how easy it is to setup!

Re:You really see which DNS does heavy lifting.

[James+Youngman]

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet.

Maybe that just means that TinyDNS is popular with domain squatters.

I think that the best definition of "heavy lifting" is not the size of the installed base or the average number of domains per server, but instead the total number of queries served. Those numbers of course are hard to estimate.

Re:You really see which DNS does heavy lifting.

[Florian+Weimer]

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

tinydns is unmaintained software. It does not compile out of the boxon modern systems. You don't have a license, so you can only do with it what your local copyright law permits (which may or may not be enough). The zone file format of tinydns is non-standard. The answers it generates are often excessively verbose (e.g. redundant NS records). Third-party documentation suggests a configuration that violates recommendations of TLD operators and most ISPs, which means that you have to redo parts of it once you receive your first delegation.

And so on. Go ahead and use BIND alternatives for authoritative name servers, but try to avoid tinydns.

Re:You really see which DNS does heavy lifting.

[PlusFiveTroll]

TinyDNS is popular with admins that have lots of domains because there is one configuration file for the domains, the default bind way sucks if you have any number of them, and I have domain entry scripted so it takes seconds to add a new domain. Not having to restart TinyDNS when your domain file is changes is a big plus too. I manage around 150 domains with the average of 3 per customer, hardly squatting.

Re:You really see which DNS does heavy lifting.

[Florian+Weimer]

RFC 1035 (STD 13) describes the format of zone files (which are called "master files" in this document).

Re:You really see which DNS does heavy lifting.

[Florian+Weimer]

It does compile out of the box on modern systems. I use it for 5 different domains that I administer. The latest time I set it up, it was on a Gentoo Linux box, I just had to emerge the package and was good to go.

In this case, you don't use the official version of tinydns, but a modified one which contains random patches. Others have patched GNU libc to increase interoperability with broken applications such as tinydns, too.

It is maintained, but the author doesn't see a pressing need for any changes to its functionality. It's simple, secure, and does everything an authoritative dns server should do correctly.

The official version does not support IPv6, for example.

I don't know what third-party documentation you're referring to, but most people just read how to configure it from the djbdns official site at http://cr.yp.to, which suggests no bad configurations.

The way serial numbers for zones are automatically generated by tinydns is not universially accepted.

Re:You really see which DNS does heavy lifting.

[JianTian13]

Umm, Florian, couple of questions here:

1) Unmaintained? Well, if it's feature complete (does what the author and its users need), and hasn't been shown to have any serious bugs or exploits, what's to maintain?

2) Doesn't compile out of the box on "modern" systems? Excuse me, but doesn't OpenBSD 3.4 count as modern? I sure didn't have to do anything special to get it working there. Got an example?

3) Non standard zone file format? Well, for me the tinydns format is a helluva lot more readable, and less error prone. No serial number incremeting, no missing closing braces, etc.

4) Can't really say anything about the length of the answers returned, so I have to defer to you on that. But can you show me which 3rd-party docs tell you to do something "that violates recommendations of TLD operators and most ISPs"? Are we talking about this site? Or someone else?

I'm not one of DJB acolytes here; I just was able to understand DJB's docs and examples a lot faster than any of the BIND howtos I saw, and it looked like there would be fewer pitfalls. And yes, on the license thing, I'd like to see him release it under something more permissive, but for now:

A) It does what I want, and
B) I can satisfy myself that the software's reasonably secure.

That's enough for me. I was just hoping you could clarify some of what you'd said... Thanks!

Re:Dynamic DNS

[Russ+Nelson]

Why not?? He's replaced the other major ISC-associated software. Plus you know there must be security holes in dhcpd.
-russ

Reasons why DJBDNS is not more common

[James+Youngman]

1. Its config file syntax is even more human-unfriendly than BIND's
2. It doesn't allow free reign to set the records up exactly how you want (trivially for example, it forces you to adopt a mandatory naming convention for MX records - though the convention is pretty sensible)
3. It doesn't support caching, so you need a separate server for that (this is actually good, but it does add to the overall amount of work required to set up a set of DNS servers)
4. Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

Re:Reasons why DJBDNS is not more common

[embo]

Its config file syntax is even more human-unfriendly than BIND's

I've got to disagree with you when I can parse a zone file like this:

while (<STDIN>) {
$line = split(':', $_);
for $line[0] {
if (/Z/) { # Zone file }
elsif (/+/) { # A Record }
elsif (/\@/) { # MX Record }
etc. etc. etc.
}
}

All you need is this page to understand the entire format of any zone file: http://cr.yp.to/djbdns/tinydns-data.html For BIND, I need the entire manual. Maybe it's just me.

Re:Reasons why DJBDNS is not more common

[ajs]

Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

I have to say that this is the largest and most insurmountable reason for me against using either his DNS server or his mail server.

I was a big fan of his back in the days of UUCP, but his unwillingness to let distributions of BSD, Linux, etc. modify and distribute his software (without some kind of source-based patching hack sans binaries) was a snub to all of us who have contributed to open source software over the years, and a clear indication of a lack of concern over the larger needs of his audience.

Let me be clear: he's WELL WITHIN HIS RIGHTS, and he's even going out of his way to distribute his stuff, which is great. But to say "I'm going to play ball with you, but only if you use my ball, and in the following ways" doesn't fly for me. There are many good alternatives to his code, and they all have their own advantages and disadvantages. Thanks for playing, though.

BIND is like weeds!

[whitelabrat]

How the heck do you get rid of BIND? It's everywhere unless your a MS Windows shop that is ruled by DDNS... but most folks I know won't expose DDNS directly to the internet, cause you know why... BIND often acts as an intermediate.

I know there are better alternatives out there, but why aren't they more popular?

- When you insult a troll, he wins.

sendmail shows this to be true

[millahtime]

The fact that sendmail is also frustrating, is default install on Linux and BSD, and is the most popular for mail shows that this theory is pretty much true.

I also know I am amungst the lazy ranks.

Re:sendmail shows this to be true

[dekemoose]

Wrong. Bind and Sendmail are defaults because they are the most prevalent. They are the most prevalent because they've been around a long time. Sendmail was the MTA of choice on UNIX years before Linux was common, ditto Bind for dns. Since they have the history, there are a lot of people skilled with using both of these packages, despite the "difficulty" setting them up.

Re:sendmail shows this to be true

[idiotnot]

Many Linux distros have ditched sendmail by default, and NetBSD now ships postfix in the base system. In fact, the only big linux distros that I can think that still ship sendmail by default are slackware and redhat/fedora.

I *hate* bind with a neverending passion. I still use it because I'm not ambitious enough to change the environment I've got.

Is it laziness? No, not really. It's just not wanting to mess things up. I did recently move a large mail server off Irix/sendmail to FreeBSD/qmail, and, while it worked pretty much as I wanted it to, wasn't a one-day task.

Re:sendmail shows this to be true

[grahamlee]

sendmail...is default install on Linux and BSD

Oh? I appear to have Postfix as the default MTA on my SuSE and Darwin/BSD machines, not sendmail. The only machine I own with a sendmail default MTA is running NeXTSTEP 3. It didn't come with the m4 macros for editing sendmail.cf - now editing *that* was a fun half hour.

Re:sendmail shows this to be true

[stilwebm]

It's worth noting that as of OS X 10.3, Postfix has replaced Sendmail as the default MTA. NetBSD is integrating it in to the base install and letting the user decide between Sendmail or Postix, the default being neither is enabled at startup. Both use BIND 9 as their named by default, however.

Re:sendmail shows this to be true

[random_static]

as has been noted, postfix seems to be edging out sendmail as the default MTA in most distros.

i don't think the situation is all that analogous with DNS servers, though. sendmail is and always was an unbelievable mess to set up and maintain; the mere fact that a bunch of m4 macros was considered an improvement on the config system that preceded them should tell you something. (if it doesn't, you haven't had much exposure to m4. count that a blessing and keep away from the thing.)

by comparison, BIND versions >= 8 are simple, straightforward and eminently sensible both to configure and to keep running. as well, BIND's had its share of security problems, but nothing has nearly as awful a security track record as sendmail, not by a long shot.

finally, the cricket book is about half the size of the bat book, maybe less. i don't know about you, but that tells me BIND is a smaller, easier to learn system than sendmail.

The reason DjbDNS hasn't been updated in forever..

[Sevn]

Is because it has been done forever. Instead of the exploit a year phenomenon you have with Bind, there haven't been any yet. When Bind can take 10,000 requests per second on a dual Xeon box (used for MAPS) and not melt into a smoky plastic dog treat, let me know. Don't get me wrong. Djb is slightly, well, he comes across as a bitter man with something to prove. And I can't stand qmail. But he hit the nail on the head with DjbDNS. I've got nearly 240 domains with a combined total of over 125,000 records hosted with no problem.

Why they keep BIND around

[reaper]

• It's in practically every distro by default
• Not a whole lot of people really need the hassle of installing another DNS server
• It is the standard by which other implementations get judged
• It supports just about every obscure feature known to the DNS world
• If you know how to hack the config files, it makes manually setting up tons of vhosts dirt simple
• The name is just so powerful
• Certain other dns server authors(*cough*djb*cough*) always manage to piss off too many people, even when they are proposing a superior solution to a problem.

One Ring

[soloport]

"To rule them all.
And in the darkness BIND them."

Like, Duh... So obvious.

Re:One Ring

[stud9920]

One Token ring ?

Hasn't been updated in years??

[embo]

...since D. J. Bernstein's hasn't been updated for years...

Maybe because it hasn't needed updating.

http://cr.yp.to/djbdns/guarantee.html

Re:Hasn't been updated in years??

Maybe because it hasn't needed updating.

He meant the *survey* hasn't been updated, not the software. Even if it wasn't obvious from the language (and I think it was!) it should have been obvios from the link.

Re:Hasn't been updated in years??

[Lxy]

Maybe because it hasn't needed updating.

a qmail user are you? :-)

Re:Hasn't been updated in years??

[WoodstockJeff]

What needs updating with DJBDNS is DJB's attitude. If he'd allow binary distributions, I'm sure several major Linux distros would make it the DEFAULT DNS server for workstation installs, and optional for server installs.

As it is, I read the "quick how-to" files on setting your system up to work with djbdns, and find them far more confusing than BIND zone files and configuration files ever were. You don't just have to worry about one program - unless you're ONLY running the caching server.

This doesn't mean I'm not looking at alternatives... I dislike having to restart all the servers every time I add a domain, and having to restart the master every time I modify a domain, with BIND.

Re:Far from accurate

[crimoid]

He used fpdns which is a well-known and accurate tool. http://www.rfc.se/fpdns/

qmail: never a security lapse.

[Russ+Nelson]

The question is whether the flexibility is worth the security cost imposed by the extra complexity required to get the flexibility. I say no, and run qmail. It's the only MTA that has never had a security lapse. (actually, Courier might not have had one either, but who runs Courier?)
-russ

Re:qmail: never a security lapse.

[spacey]

I second that raised hand.

Went qmail->courier. A bunch of things the suite as a whole does makes it even easier to setup than postfix. I.e. I can set up virtual users and a virtual domain and have the mail server and lda and imap and pop3 server etc. etc. etc. all work from the same auth database with the same schema, whether the database is ldap, mysql or postgres with very little tweaking.

-Peter

If DJB were..

[jayminer]

If DJB were not such an ass, his software would be on everywhere now. He is smart, you can feel that. But come on, he thinks that if he has thought about something, it's right and it cannot be disproved. You simply can't. He won't accept a thing.

Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service, /package etc.), and if you change them from the source, you violate his license!
He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply QMAILSCANNER patch into qmail. You need to go and get netqmail for that, or apply the patches it provices manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!

djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).

And as far as I know, many distributions kicked his software out, including several *BSDs.

Re:If DJB were..

[arcade]

Normally I don't like AOL! -messages, but I really want to echo what you say. I used to love qmail back in '98, and love the rest of djb's software too.

After working with his software for some years, I've come to senses. His software is excellent, but he don't maintain it. He maintains that you have to apply a host of third party patches. You cannot modify the sources and redistribute them.

In the long run, it sucks.

Postfix and Exim are my current favorite MTA's. BIND is just the standard dns server. I've considered looking into djbdns - but I'm afraid that I'll burn myself if I try it. I don't trust DJB and his software at all - after watching how qmail has detoriated through non-updates during the last 6 years.

Re:If DJB were..

[quantum+bit]

How's postfix's security record? i.e. Can I set up a postfix server, then go on an 18-month holiday and be confident that my box will still be working when I get back (like I can with qmail)?

You can be very confident that it will be. Postfix uses privilege separation, runs as its own user account (not root), and is designed with a chroot environment in mind. It's also very componentized and designed so that a breach in one component can be isolated without a risk to the others. To the best of my knowledge, there has never been a remote code execution vulnerability in Postfix.

The last major security problem was a year ago and was just a DoS possibility. Even qmail has DoS problems. Before the DoS, in 2002 there was a problem that might allow someone to use Postfix to portscan another system (no risk to the system running Postfix). Both of these were in the older 1.1 version. The 2.x series, released in 2002, has never had a security problem bad enough to warrant an advisory for.

The only other thing I could find is djb ranting about a Postfix problem that has been fixed for over 6 years.

Re:If DJB were..

[Paul+Crowley]

What you can do with it is second only to sendmail

In what way is it behind sendmail? Genuinely curious...

Re:If DJB were..

[random_static]

postfix certainly has a lot more configuration than qmail. (or what i remember of qmail - it's been a few years now, for me.) but it's not really that hard of a configuration, at least not if you use any non-bernstein software. unless you've thoroughly soaked in dan's one-line-per-file, all-machine-parsable, damn-human-readability configuration syntax kool-aid, postfix is fairly ordinary as Unixish config files go.

the only real quirks are that postfix uses about a dozen different files for different purposes / subsystems in the herd of daemons that make it up, and that a few of 'em have to be "byte-compiled" into berkeleyDB format to improve access speed before the daemons proper will read 'em. getting used to these is no harder than getting used to djb's, shall we generously call it, unusual mindset on what makes a config file good.

and, frankly, several of djb's config files look a lot more like sendmail.cf to me than any of postfix's ones. it's the same machine-readability-über-alles principle in 'em both, if you ask me. postfix generally doesn't play that mindgame on you, certainly not nearly as much.

The alternatives

[Florian+Weimer]

The alternatives have not-so-subtle incompatibilities with BIND and existing practice, are not proven in the field, or are unmaintained by the original developer. In fact, BIND is often deliberately incompatible with its previous versions, so it shouldn't be too hard to beat it in this area, but apparently it is.

tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.

In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.

Re:The alternatives

[quantum+bit]

qmail was recently forked into something called 'netqmail' that integrates the most popular, bug-fix packages that are out there.

...which can only be distributed as a set of patches against the original code. This means no binary packages, either. djb's license forbids the distribution of modified versions. qmail is not open source. It's actually a lot closer to Microsoft's shared-source license.

Re:The alternatives

[Florian+Weimer]

Um .... tinydns doesn't need to be maintained, because people aren't finding security holes or bugs in it on a weekly basis.

tinydns doesn't even compile on modern GNU/Linux systems. Surely this is a bug in tinydns, isn't it?

Re:The alternatives

[Florian+Weimer]

Which modern systems are those exactly? I've never had any trouble getting it to compile...

Systems with a recent version of GNU libc.

When you say unmaintained ... surely that's just because there's been nothing to change about it? Are there outstanding bugs?

It's not bugs, it's lack of features: IPv6 support, CIDR support for dnscache configuration, maybe even DNSSEC even you want to give it a try.

Re:The alternatives

[Florian+Weimer]

Yes, I know that DNSSEC has its drawbacks, but so far, DJB has only argued against it, without providing a real alternative (or even fully describing it).

Others offer (well, sort-of) working DNSSEC implementations, which might be a reason to use these implementations instead of tinydns. Of course, the overall need for DNSSEC implementations is pretty low on the current Internet, even though everyone wants a secure DNS (kind of a chicken-and-egg problem).

Because it works.

[morten+poulsen]

BIND - like Sendmail - is popular because it works. They might be ugly, buggy (as in security problems), whatever, but they are old and people know them.

Re:Far from accurate

[Iamnoone]

Please explain how you managed to fingerprint DNS servers.
The same way you fingerprint OS's via there ip stack. Unusual queries and how the server reacts to them.
http://cr.yp.to/surveys/dns1.html is one among several fingerprinting methodologies.

The accuracy of the sample set is extremely questionable.
If you RTFS, he didn't take a sample, he used all the name servers. There aren't that many (which in itself is a interesting commentary on the true size of the internet) - for the .com, .net, .org, .info, and .biz TLDs 37 million domains -> 1 million name server names -> 646,524 unique name server IPs.

The interesting part is is the 27 percent that can't be fingerprinted. My guess is that they would follow a similar pattern to the fingerprintable ones but their firewalls block some of the unusual queries.

Re:Dynamic DNS

[BK425]

You've got to be talking about some other ISC. The ISC I know is a non profit, they make the open source BIND product by paying some of the guys who wote (pretty much with volunteered time to) the open standard for DNS. It needs help IMHO but vendor lock in it isn't.
It's really cool to see someone remaking it with a real database behind it, anyone who's made/makes major system changes has had LDAP problems and at the very best it is a marvle of 1960 db design. But... the "can even do AXFR to other servers" thing in the frill portion of his web site description is worrisome. AXFR is part of the DNS game, if you'r not going to play with other servers... well the whole point of the way DNS works is a -distributed- name system. How would you distribute load without standard zone transfer protocol? Far from a frill IMHO.

licencing issues with djbdns

[ozzy_cow]

The reason bind, not djbdns is includedi with every distro is because djbdns can not be distributed in modified/binary form . I don't really agree with it, but hey, thats how Dan J. Bernstein wants it.

Anyway, compiling djbdns is mad easy (unlike qmail) check this out

I use djbdns anywhere I need DNS server.

By that argument

[mrhandstand]

Windows is the most popular desktop environment!

Here at /. we all know how THAT article would go over!

Seriously, I have nothing against BIND. But you should always that there are liars, damn liars, and statictians.

Re:Far from accurate

[Sique]

Yes and now. Every chemical analysis is basicly guessing, because no substance presents itself: Hey, I am Carbonbihydroxide! There are several tests which can give you a quite conclusive set of clues, what substance you are looking at. "Quite conclusive" in this case means: Better than 0.999999... probability.

That's the same way server fingerprinting works. Run several tests, and each of them increases the probability for one and lowers the probability for others. It gets quite hard to modify a server in a way that it responds exactly like another one (error messages, timing, matchting between OS type and DNS server: You won't find WINS running on OpenVMS that easily.)

Of course it's not definitive. But it gets very close to several nines in probability.

We Tried BIND, but....

[buzzoff]

BIND just wouldn't work. It worked at first, until I dumped a bunch of hosts into my zone (only a couple thousand, which isn't much in the grand scheme of things). After it stopped working I happened to get in touch with some of the developers. They just kept telling me to upgrade to the next release.

Some of the problems? Sometimes the CPU would peg at 100% like the program was in a loop, the server would quit resolving after about ten minutes, and the server wouldn't replicate.

My zone files were standard and by the book. The particular developer I was talking to the most (generally) tried to blame the A records I had added (without knowing which ones). I quadruple-checked the entries, all of which followed the RFC. I reinstalled the program, tried it on totally different servers, etc. The problem persisted.

After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.

Its a pain having to mess with the registry for simple tasks, but I guess its worth it for a working product. We're building everything programatically just like we were for BIND. Microsoft did good when it decided to use flat zone files. If only they would make everything so simple...

Re:We Tried BIND, but....

> This was BIND 9.2

That was probably the problem! BIND 9.x is much(!) worse than BIND 8.x at reading config files. We converted 19,000 domains over to 9.x last summer, and it took us about 8 man-months to do it. We even bought a support contract from the ISC. Their (useless) reply was always to just attempt to start BIND then try to decode the error logged, rinse and repeat. That's unbelievably tedious when you have over 200,000 lines worth of config files, and the error messages usually are very vague or just plain wrong. They worked just fine with BIND 8.x! Some of the files hadn't needed changing since last 1995! This was an upgrade that should have taken an afternoon, but because of the regression in the parser in BIND 9.x, it took about 320 times that long. A big FU to the ISC for so horribly messing-up the config file parsing in BIND 9.x!

They use BIND for same reason others use Windows

[Secrity]

I believe that most people use BIND because it is already used by most people. For the most part, people are afraid of being different. There are some things the people just use blindly even though there may be superior alternatives available; such as BIND, MS Windows, MS Office, Sendmail.

BIND is ***MORE*** frustrating than SQL???

[swordgeek]

Seriously, MyDNS requires an SQL database. This is NOT a way of making things easier!

I've never understood what problem people have with BIND. It's as simple as it could possibly be. Everything makes clear sense. The config files are plaintext. It's backwards compatible almost to eternity. I use it because it's the best solution, not the only one.

Re:BIND is ***MORE*** frustrating than SQL???

[demon]

Yeah, except for the fact that (a) it's then incredibly difficult to allow customers to manage DNS on their own - something that I've come to really appreciate (we have several customers who host their DNS with us, but want to manage their zone contents themselves), and (b) the way that software like cPanel does it is not a good solution (we have one customer who handles his own DNS on a box running cPanel, and I'm regularly having to fix that for him). Also, (c) the half-way solutions of making a database, and using a bunch of scripts to regenerate the zone files periodically is always a mess - if the scripts should break, updates don't get applied, but if they do, hand-editing the zone files isn't a viable option.

I use PowerDNS for our DNS servers at work, and I and our customers are very pleased with it. We have a frontend (that I wrote) that integrates with our billing system, so users can log in and make changes to their domains, and have them take effect immediately. They never have to worry about trailing dots, domain serial numbers, or getting the SOA format right, not to mention multiple CNAMEs assigned to a single name (which will cause BIND to throw the zone out) or other mistakes like that - our frontend prevents errors like that. It's made DNS provisioning and management so much easier - provisioning is error-free now. Why would anyone want to use BIND? Seriously?

Some other reasons

"Why is it so hard for alternate DNS servers to gain favor ?"

Can be rewritten as:

"Why people don't switch to djdns (which install in stupid places, is mostly unmaintained, is written by an offensive asshole, and that you cannot fork/modify) ?"

or

"Why people don't switch to MyDNS (that just reached version 0.11, indicating that it is really stable) ?"

Jezus. What are people thinking ? He versions his software as 0.11 and then complains publically on /. that people don't want to use it for the most core function of the Internet.

External DB

[geohump]

One small reason your DNS server (MyDNS) isn't catching on is that it requires an external DB server process to be set up and running on the system.

I took a look at your system with the intent to try it out but I stopped as soon as I saw that requirement.

True, Its not that huge an extra requirement, but it is an extra step and an extra external dependency.

Adding an internal db (like dbm) to your system so that its self contained would increase the likelyhood of adoption for MyDNS.

Having to run a fairly costly, (In terms of system resources), 3rd party DBMS system in order to have an active DNS server seems a little upside down to me.

Re:External DB

[Nohea]

I use BIND 9. I have a homebrewed DNS SQL db w/all the zone info, and run a perl script to export and generate all the bind zone files.

It is sometimes convenient to be able to do updates using SQL. However, there is no dependency on the DB server for serving DNS - a very mission-critical service.

1. if the DB server dies, DNS will hum along normally.

2. If i get hit by a truck, any unix sysadmin can ignore the SQL DB and hand-edit the zone files.

Re:bernstein

[Lorphos]

He's also terribly arrogant :-( He often has his reasons for rejecting proposals, but not always and he's very bad on communications.

Re:MyDNS/MySQL

[ScytheBlade1]

Random question: am I the only one who loves MySQL to death, but thinks that it's also horribly overused for EVERYTHING?

I mean....yes, it's incredibly fast. Scalable. Low overhead. But when everything from e-mail to DNS depends on MySQL....it gets a little sickening :P

You don't need a datbase server for everything, no matter how it is that you can say "I run my DNS servers off of a MySQL database." It's still way overused.

I USED to use djbdns...

[D'Arque+Bishop]

Like the subject says, I USED to use djbdns for my home DNS server. After a while, when I upgraded the OS on said home DNS server, I got rid of djbdns and moved to BIND. Why, you may ask?

1) I didn't like the fact that I had to use two separate IP addresses for caching and domain hosting. Maybe there was a workaround for it, but at the time I didn't know what it was and it frustrated me to high heaven that I needed two IP addresses on a box that I would have liked to have only used one.

2) The log files didn't print out timestamps in any kind of human-readable format. If I want to see what my system's doing, I don't have time to run the timestamps through some kind of translator.

3) Due to a directory existing where axfrdns didn't expect one in the log directory (and it was a name that it didn't even use), axfrdns did not work at all. I didn't find that out until a power issue brought the DNS server down and the secondary servers didn't have the correct DNS information. Once I removed the directory, axfrdns started working again.

4) Believe it or not, I find BIND zone files to be a bit more readable than tinydns's zone files. It also helps when I'm not forced to name my domain name servers a.something-or-other in the zone file. (Why add a CNAME or A for the one you want to use in the first place?)

5) daemontools.... ugh. Let's not even go there.

Go ahead and mark me as flamebait or what you will. If djbdns works for you, great. But for me, I found djbdns to be much more frustrating than BIND, and since I've migrated over to BIND I haven't had a bit of problem.

Just my $.02...

Re:I USED to use djbdns...

[peyote]

Not flamebait, just ill-informed.

1) djbdns uses separate IP addresses for caching and content-serving for security. Google on BIND and cache poisoning.

2) The timestamps are in machine-readable form for good reason--they are easier to parse in, e.g., a statistics package. If you want to see what your system "is doing" right now, why do you need a human-readable timestamp? If you need to see what your system "is doing" over time, what better way than a statistics package? You "don't have time" to pipe "tail -f /var/log/dnscache/current" through tai64nlocal to get a human-readable timestamp... yet you have time to post silly arguments to /.?

Besides, if you were all that hot and bothered about it, why not just switch from multilog (the logging daemon, which is NOT a part of djbdns) to splogger and send your log messages to syslog (or into oblivion, same difference sometimes)?

3) I've never had this problem. Of course, if everyone else used djbdns instead of the Buggy Internet Name Daemon, axfrdns would be obsolete. rsync+ssh is the way to go. ;-) But honestly, I find your comment to be unmoving: "I did something wrong, and axfrdns broke. Therefore, axfrdns sucks." Whatever.

4a) Of course BIND's zone files are more readable. Like the timestamps in the log files, the zone files are meant to be machine-readable to encourage web or script frontends.

4b) You are NOT forced to name your authoritative servers anything. You obviously did not read the Fine Manual. (Hint: it's right here.)

5) What's wrong with daemontools? Unlike inetd, I've NEVER had exhaustion attacks with programs managed by daemontools. I find it all quite elegant.

I will NEVER go back to the monstrosity that is BIND. djbdns is so much more flexible, intelligent in its design, and it just RUNS. We're approaching 20k DNS records in our database... may not be much, but djbdns handles it all without blinking.

Switched from BIND to MSDNS?

[Nonesuch]

We Tried BIND, but.... (Score:2, Interesting) by buzzoff (744687) on Friday June 04, @08:46AM (#9334123) BIND just wouldn't work. It worked at first, until I dumped a bunch of hosts into my zone (only a couple thousand, which isn't much in the grand scheme of things). After it stopped working I happened to get in touch with some of the developers. They just kept telling me to upgrade to the next release.

I've never seen a problem such as you describe in running BIND under UNIX.

After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.

Based on this, I'm guessing you were running BIND under Win32, then switched to MSDNS under the same Win32 system?

Personally, when I first encounter massive performance problems on a dedicated production-critical service, I would have contacted the developers and asked them what platform they recommend for running a dedicated server, and switched the base OS to the platform they best support.

Based on the above philosophy, I've ended up actually running more MS-Windows servers in the data center, as many speciality software vendors preferentially support Windows 2000 over UNIX-like systems. And of course any time you run two different applications from two different vendors on the same Windows box, antime a problem is encountered with Vendor A's application, as soon as the support engineer discovers that another package is running on the same box, Vendor B's application immediately becomes the root cause of the problem :)

Re:Feature Complete?

[symbolic]

This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

Hm..I consider most software to be an evolutionary process. You start out with a need, you write the software, and then someone else sees a little bit further out and says, "gee, I like what you've done, but it would be so much more useful if it [insert most wanted feature here]". I can't think of a single piece of software I've used that had everything I wanted. I don't think there will ever by one, either. It's like the bear and the mountain - each new version is another mountain, and once we get to the other side, we're apt to see more things we'd like the software to do for us.

Why I keep using it...

[Mustang+Matt]

I see people bash bind and praise djbdns, but I personally have never had a problem with bind. It was relatively easy to setup and it's relatively easy to maintain and has a decent amount of power to it. Granted, I'm just doing simple tasks of dns for sites and nothing very complicated.

I'm not oppossed to switching but given that my time is already crunched, I will probably keep using bind so I don't have to spend the time learning how to setup djbdns.

Now if some huge security hole was discovered that affected me directly and there was an actual need to switch, I would spend the time and do it.

Until then I'll probably keep using bind since my distro gives me the choice to choose my dns server.

BTW, this same post could be used for sendmail.

Re:dude, tinydns syntax is WAY better

[NoMercy]

by actually using the words instead of symbols? Also you neglect the ::'s and :'s which is probably even more confusing when youve got IPv6 addresses thown in too :/

Why am *I* using BIND?

[cduffy]

Simple: support for views, and licensing that allows redistribution.

I absolutely, positively require view support, which nobody but BIND that I know of supports. TinyDNS might, but I can't so much as consider it due to the license; we're distributing servers with a fairly custom software environment, and DJB's terms make that a no-no. (This is also why we're using runit rather than daemontools).

Support views in something that supports pulling info (not just zone info, but definition of what the zones are, what the views are, what the ACLs are, etc a la named.conf) directly from a database and I'll be happy as a clam. 'Till then, I run BIND.