Slashdot Mirror
Open Source BIND Alternative Launches
bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
Both pieces of software are released under the same open source license, namely BSD.
On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.
Especially given the fact it sells its self as being more complex and big than its predecessor.
It's also very small, extremely fast, highly modular, and extraordinarily robust. It could take the load of a root name server, if you had the bandwidth. It actually approaches the almost-mythical status of "bug-free software"; I certainly would be surprised by any remaining security or stability issues being discovered in it.
The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.
When Theo is wrong, he *immediately* launches personal attacks, never once admitting the reality of the situation. (Linux devs were "inhuman" because they posted a GPL violation in a *public* repo to that repo's mailing list.)
What colour is the sky in your world?
We use PowerDNS recursor at a large german DSL ISP and i simply must say it totally rocks. When we - which you can read as 'i' btw. ;-) - were still on BIND9.(3|4) i had crashing named processes at least once a day, never had a single crash of a pdns_recursor process that wasn't my own fault until this day. Also the PowerDNS community is a nice bunch of people. Come visit us at #powerdns on IRCnet.
;-)
\o/
As for unbound, yeah it sure looks interesting but don't trust the benchmark, that one simply doesn't look like they used 'real' DNS traffic for it. If you're a recursive DNS Admin you'll know how ugly things are out in the wild.
"morning is a state of mind
Neither is open source better thean comercial nor is comercial better than open source. It all depends on the use. As i wrote, if you are a small ISP or a medium ISP and (e.g. 5K Zones, 10K DNS requests per second) BIND suits your needs. If you have 100K zones and 100K DNS requests per second, i doesn't. I mentioned Nominum because it's the best solution i have seen till today and i will benchmark Outbound against CNS and not BIND. Beating BIND is IMHO not a challenge....
I personally hate BIND, and BIND is open source, but some secret sauce being twice as fast? I don't think so.I'm not in the secret sauce business ;-). I speak numbers and statistics. E.g. CNS is for high loads 10-20 times more CPU efficent than BIND as caching nameserver on the same hardware. The cache handling of BIND 8/9 really, really sucks :-(. A customer doesn't pay 80K $ just on my say so (unluckily). They run tests and to prove the business case.
Remark: 90% of my customers run BIND and are happy with it. I do OSS and comercial software in a happy mix. Ideology is not my thing. Use the software (FOSS or comercial) that's better for the problem.
Regards, Martin
Why do you need updates? I think that's one of djb's point: that if the software is written well, it doesn't need to be updated, and thus you don't need to form a relationship with the author.
Don't piss off The Angry Economist
Never in the history of Slashdot has a comment been more deserving of the response "You must be new here".
Bogtha Bogtha Bogtha