Open Source BIND Alternative Launches
bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
We use powerdns_recursor which seems very similar, and is very good.
...a DNS-Server.
Taken from here: Unbound is a validating, recursive, and caching DNS resolver. Huh, frontpage-information is always quite hard to get.
I've been using djbdns as my BIND alternative for the last couple of years, and I've been very happy with it. Technically it was pretty straightforward to build/install. The only consideration seems to be whether you like the djb way of doing things (I do!) and the few Freedom wrinkles in the license. :-)
http://cr.yp.to/djbdns.html
Kurt
Java seems like a logical way to go with this, considering the great track record of other Java web technologies (Tomcat, Jetty, etc).
Is there anything out there?
Their page does not render correctly on IE7. The main paragraphs are partially hidden by the right hand pane.
If they cannot even code their web pages to work with the main web browser out there then I cannot trust their claims of their implementation of DNS being so secure.
This posting makes it sound like bind9 is not sufficiently open/free. That is not correct, and kdawson should do a better job of editing to prevent biased postings like this.
Bind9 is licensed under the ISC license, a BSD-like license. The full text of the license follows.
-molo
Copyright (C) 1996-2001 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Using your sig line to advertise for friends is lame.
Anything with Verisign's name attached to it?
I came, I conquered, I coredumped
Because this new delegate-only option in bind is making me miss out if i typo a domain.
Both pieces of software are released under the same open source license, namely BSD.
On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.
Especially given the fact it sells itself as being more complex and big than its predecessor.
All your base belong to BIND.
I use a perhaps not-well-known alternative called ldapdns, which used to be based on the DJBDNS code. It gets its DNS information from LDAP, which is very, very nice -- I can make a change in LDAP and the change is instant as opposed to making a change to the BIND stuff, which I then have to restart BIND, etc.
My blog
but what if I like bondage? What would the Internet be without a little (okay, well, a lot) of bondage?!
Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners. I'll stick with bind, thanks. It just plain works and I'm not stuck with an angry maintainer for updates. :D
This is one of the best: http://www.maradns.org/
Weirdest thing I ever saw: Scientology advertising on Slashdot.
DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.
I'm doing a lot of consulting for large ISPs on DNS problems. BIND is good for small and medium ISPs but bad for large ones (as resolver, as primary or secondary nameserver).
It doesn't work very well with a cache above 1GB and the multithreading is not very efficient. Startup (for servers with 100K zones) is very slow, restart (after changing the configuration) is risky if you decreased the number of masters for a secondary zone (core dump). The readability of the code is far from perfect and it doesn't separate different functions very well (e.g. you cannot easily replace the caching algorithm). The handling of slow or dead servers could be improved too...
So, I personally welcome the new contender in the OSS nameserver arena ;-). Let the games begin...
The best results (up to today) I got with Nominum ANS and CNS. It's neither FOSS nor cheap but really, really fast. We replaced at one customer 4 overloaded BIND systems (3 GHz Dual Xeon, 4GB RAM, 2 BIND processes per system) with CNS on the same hardware (but only 2 systems) and the load barely reached 10%.
Sincerely yours, Martin
Using DNSSEC it is possible to send out special replies to known or not yet known users. In that way authorization based on DNS is possible. This will also open possibilities to use ENUM how it is supposed to.
Support Eachother, Copy Dutch Property!
I can't decide if that should be a new emo superhero or a BOFH-themed ceiling-cat variant.
"Angry Maintainer is watching you masturbate." "Eww." "Why do you think he's angry?"
Am I missing something, when did BIND not qualify as Open Source?
Slashdot Barbie says "research is hard".
My initial thoughts before RTFA...
1) Why re-invent BIND? Which has been beaten up so much over the past decade that it's now (probably) pretty secure with most of the bugs worked out. Plus there are lots of resources out there that can be used to solve problems or help with setup questions.
2) OTOH, options are good, it prevents a mono-culture and makes it harder for exploits to take out everything.
Of course, in this particular case, they haven't re-invented BIND. They've simply developed another DNS resolver which can't be authoritative for DNS records. So what's the draw of using BIND for your authoritative servers and then using something different for your resolver servers?
I use Microsoft. Its vendor lock-in strategy surpasses every bondage artist's skill and administering Windows boxen makes my inner masochist cry from glee. And pain, of course.
They also eat cute little puppies, which is fine with me as I'm a cat person.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Plain and simple.
Well, that is not a very high bar. Writing a better DNS server than bind is very welcome but not actually a daunting feat. I did this several years ago as an undergrad. I had set out only to modify BIND 8, only to find the source is a big ball of spaghetti code. It then became pretty obvious why there were regular exploits.
As long as you don't GPL them.
djbdns is abandonware. It hasn't had an update since 2001, and you can believe in perfect code that doesn't ever need updating if you want to, but I don't. DJB's crazy licensing meant that only patches could be distributed, not modified sources or binaries, which effectively killed any community support. Now that it's public domain it's possible for someone to pick it up and start maintaining it again, and I'll wait until that happens before using it again. I can live with DJB's complete disregard of filesystem conventions and stuffing a whole lot of new top-level directories for no good reason into the system, and creating a bunch of unnecessary new management daemons (daemontools). But not maintaining his own software makes it a no-go, especially something as crucial as name services.
we will end no whine before its time
I understand they may be experts on Tuesday, but they know jack shit about the rest of the week.
AT&ROFLMAO
If you need a small and simple authoritative DNS server, I suggest
# apt-get install nsd
Simple to install. Simple to configure.
According to the homepage, it can handle big loads too.
http://www.nlnetlabs.nl/nsd/
public domain as of december
Unbound is a DNS resolver, not a server. PowerDNS will do both. As a server, it's technically offtopic, but...
I love the fact that there are pluggable backends. More than that, I love the pipe backend. I realize this is an "everything looks like a nail" scenario, but I actually wrote a PowerDNS->REST client with that, and then a Rails server behind it.
Slow? Sure, but I can always setup a slave -- either someone like DynDNS, or another PowerDNS server with a faster backend (MySQL, Postgres, maybe even SQLite?)
Overkill? Sure, but I can't get over the fact that I've written a DNS server in Rails.
Don't thank God, thank a doctor!
Maybe you can give me a list of all the bugs filed against djbdns? The security prize is still up for grabs. If it ain't broke, don't fix it.
I have to agree with his software not having any sane install path. And though daemontools may be unnecessary, I'm sure djb has some ego-centric reason why existing management daemons are insufficient with a hint of truth to it.
Isn't it funny how Dan Bernstein is the only guy to develop a bulletproof mail and DNS server, yet all he gets is criticism for his work?
Maybe he didn't want his sources modified because nobody else seems to be able to write secure software, and he doesn't want his name on a security bulletin for someone else's Qmail/DJBDNS mistake.
Tell me again how many mail and DNS servers have had zero security holes?
Not that it matters anymore, as these have all been placed in the public domain.
One might request new features in these applications, but patches are often to fix bugs.
If there haven't been any official patches since 2001, maybe it's because there haven't been any bugs.
DJB may not agree with the GPL and may like to do things in a very non-standard way, but damn, the proof is in the product.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
kdawson is one of the worst offenders of shitty, incorrect, or biased summaries and is one of the worst editors. ever. anywhere.
True, there has been only one security hole I can recall, where a correctly-formed "packet of death" cleared the recursive cache. The result is like a DoS attack. There was a third-party patch released, but then there's the same old problem of having to manually apply the patches, and knowing which third-party patches to trust. But it's not just bugs or security problems that make it a no-go for me: it's out of date as well.
It doesn't support IPv6, or SRV, NAPTR, or RP records and other new record types, and the root servers list is hardcoded and out of date. It also has problems with correctly tracking domains that move. Yes, there is a workaround for supporting new record types with some config file tweaks, but really now, that's the sort of thing that a maintainer should be handling, and adding native support for. 7 years of no maintenance is like dog's years in software time.
It's not about "servers" vs. "resolvers". All DNS Servers ARE servers. That's where the confusion comes from! It's really not that complex, though. In fact, the concepts are familiar to anyone who knows the difference between a web server and a web proxy.
The most important kind of DNS servers -- the ones that make up the DNS hierarchy -- are called AUTHORITATIVE servers. These are what actually provide information about domains' hosts. You set one up when you're serving DNS for a domain (an internet domain, a lan domain, or both).
RECURSIVE (not "resolver") DNS Servers, on the other hand, are more like caching proxies. They don't know anything by themselves. Instead, they accept DNS queries, consult the worldwide hierarchy of DNS servers for them, and then pass the answer to the client that made the request. Often, they'll cache that request for a certain time, in case any other client asks the same thing. You set one of these up when you want to cache requests within your organisation for efficiency reasons, or when you want to bypass your upstream so-called DNS servers (which are actually recursive servers/resolvers) for some reason.
The main thing to watch out for is setting up a server that's supposed to be authoritative for your internet domain, answering queries about it for the world, but is ALSO a recursive server, which answers queries about any other domain too.
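A practical way to verify the point above on a server you administer is to send it a query with the RD (recursion desired) bit set for a name it is not authoritative for, and look at the RA bit, RCODE and answer count in the reply. This is an added example, not code from the original thread or from Unbound or BIND; the DNS header layout follows RFC 1035, and the sample replies are constructed inline.

```python
import socket
import struct

# Constructed example: builds a minimal DNS query and classifies the reply
# header to tell an open recursive server from one that refuses recursion.

def build_query(name: str, qtype: int = 1, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Build a DNS query packet: 12-byte header plus one question (RFC 1035)."""
    flags = 0x0100 if rd else 0x0000              # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Decode the flag bits and counts from a DNS response header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response
        "aa": bool(flags & 0x0400),     # authoritative answer
        "rd": bool(flags & 0x0100),     # recursion desired (echoed)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def classify(resp: bytes) -> str:
    """Label a reply to a recursive query for a name the server does not own."""
    h = parse_header(resp)
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"   # it recursed for anyone: the misconfiguration described above
    if h["rcode"] == 5:
        return "refused"          # recursion denied to this client, as an authoritative-only server should
    return "no-recursion"         # e.g. RA clear and no answer returned

def probe(server_ip: str, name: str = "example.com", port: int = 53, timeout: float = 3.0) -> str:
    """Send one UDP query to a server you operate and classify its reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, port))
        resp, _ = s.recvfrom(512)
    if parse_header(resp)["id"] != 0x1234:
        return "mismatched-id"
    return classify(resp)

# Constructed sample replies (header + echoed question only; no RR bodies are parsed).
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION     # QR, RD, RA, NOERROR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION  # QR, RD, RCODE=5
```

A server meant only to be authoritative for your zone should answer "refused" (or "no-recursion") here; in BIND that is what a restrictive `allow-recursion` produces, and in Unbound the equivalent is `access-control`.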
Who would trust a new DNS server for production use until it has been around for some years.
I made the mistake of trusting djbdns for an important deployment until I started to realize limitation after limitation caused by djb's mental illness. (similar to the qmail story, I guess).
Microsoft DNS was pretty scary - although now I see real networks built around it. They convinced people to switch because of the vague threat that they might break other DNS server's ability to co-exist with Active Directory. But it worked and an alternative DNS server managed to take over significant market share very quickly.
To defeat BIND, Microsoft also provided both a GUI and a command-line interface to alter records.
That's why it being public domain helps, but there's still the problem of either dealing with DJB or forking it.
Sounds like you need the solution applied by the Invisible Hand Society. Government is part of the market and if the government hasn't been deposed it's because the cost of deposing it is still higher than the cost of government interference, therefore there is no such thing as government interference. (TANSTAGI)
If the Angry Maintainer doesn't make you decide it's easier to fork than deal with him, then the Maintainer isn't Angry enough yet.
You kids these days. In my day I had to write my own mail server as a shell script running out of inetd! Now you get to choose between Angry Maintainers!