BIND 10 Development Now Fully Underway

darthcamaro writes "A decade after work first began on version 9 of BIND, the widely deployed open source DNS server, work is now fully underway on its successor, BIND 10. '"One of the goals for BIND 10 is to allow people to customize and extend without too much trouble," Shane Kerr, BIND 10's program manager at the Internet Systems Consortium (ISC), told InternetNews.com.' Sounds good right? Only problem is that it's going to take a bit of time until BIND 10 is actually ready for production — potentially as long as five years!"

Meanwhile...

It happened that a group of self-important sociopathic millionaire "Free Republic" Teabaggers went John Gault. Yet the world continued to spin. The self proclaimed "geese that lay the golden eggs" gave up their source of golden eggs for naught, learning afterwords they were not the golden geese.

Re:Meanwhile...

That's because Barack Obama shits diamonds. Once we move to a barack obama shit-based economy, we'll be set.

Uh oh

I sure hope the bugs aren't backwards compatable

Re:Uh oh

How to read a changelog:

fixed = broken differently
optimized = subtly broken
re-written = i have no idea what i am doing

Re:Uh oh

[Randle_Revar]

new feature = completely untested

Excellent..

Can the steaming hunk of horse shit that is BIND be redesigned so that it doesn't need to be patched, then chrooted/jailed and finally virtualized before being placed on the public internet? That would be great.

Re:Excellent..

[Intron]

Here's the entire code for Bind 1:

grep $name /etc/hosts

Re:Excellent..

[characterZer0]

Here's the entire code for Bind 10:

wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz

Re:Excellent..

[GGardner]

You jest, but this one line program is incredibly buggy!

Re:Excellent..

[Minwee]

I tried to install it, but it responded to every query with "Bind 4 is buggy. Use my code instead!", "Zone transfers should be done with rsync!" or "Worship me, mortal!".

I tried to read the man page to see how to fix that, but was greeted with nothing more than a lengthy rant about how the man system was outdated and needed to be replaced with something painfully convoluted which violated at least sixteen different Internet standards, five state laws and no less than two commandments.

I went to the author's web site for more information but found only a condescending diatribe about how web browsers were bloated and shouldn't be used for anything important. Eventually my interest in testing that new product faded away only to be replaced by the slightly sickened feeling that comes from sitting up all night watching informercials so I just gave up.

I do hope that future releases can address these rather obvious and simple problems as I suspect that there is some useful code buried in there somewhere.

Re:Excellent..

[chdig]

BIND always has been buggy, and full of security issues as well. I've been running djbdns for years, and while the install is definitely not straightforward, I went with it mostly because BIND was even less straightforward to install.

Two months ago, the first ever security vulnerability was found in djbdns -- an extremely minor one that barely affects any servers, yet it was the first ever, in the entire history of djbdns. This speaks extremely well of the design of the set of tools that make up the djbdns system.

Really, with almost a decade of essentially flawless operation behind djbdns, and millions of domains being served by it, I have to question why BIND is relevant moving forward.

five years!

[Jonah+Hex]

potentially as long as five years!

Why the emphasis on how long it will take? I've had pieces of shit that took longer than that to get ready for "production".

Re:five years!

sounds painful.

Re:five years!

[TheLink]

Maybe you need more fibre to speed up the production?

Paul Vixie?

[oldhack]

What happened to the god of BIND and DNS?

Re:Paul Vixie?

[Ethanol]

He's the president of the company that's doing the work.

Re:Paul Vixie?

[Nethead]

Isn't that vix.com?

Re:Paul Vixie?

[oldhack]

Oh. Well, that makes me feel ... less old.

Re:Paul Vixie?

[rs79]

Paul's doing fine, he and Brian Reid are working together at ISC these days. Brian, if you recall, is the guy who originally funded Paul to take the Berkely B-tree stuff and turn it in to usable software (*) while they were at Digital. They also do some load testing stiff on dns servers for the nsf. You can poke around and find their papers if you look.

(*) for some definition of "usable". I use djb which annoys them both no end.

Re:Paul Vixie?

[wkcole]

Isn't that vix.com?

No. vix.com is Paul's personal domain. isc.org is the Internet Systems Consortium, which he heads. ISC is a non-profit that is the custodian for BIND, the reference DHCP implementation, and a few other bits of open source software. It would be at odds with reality to confuse and conflate the two. This is particularly true in regards to actually "doing the work" for developing BIND, since Paul explicitly stayed out of the v9 code, and has publicly referred to the v4 and v8 code as evidence against his programming skills.

It is easy to find a handful of people who seem to think that Paul Vixie is a Mephistophelean figure and that ISC is just a sock puppet for him, but you can also find people who will insist that Queen Elizabeth runs the global drug trade or that Barack Obama is a Muslim.

Re:Paul Vixie?

[oldhack]

Hey, I do happen to know that the queen is just this grandma. You know.

Fix LDAP Integrated Zones.

[Zombie+Ryushu]

Please, Please Please fix the Bind LDAP SDB Backend to allow LDAP Integrated Zones to Dynamic update. LDAP zones are useless right now because DHCP can't update it!

Re:Fix LDAP Integrated Zones.

[oodaloop]

Uh, yeah. What he said!

Re:Fix LDAP Integrated Zones.

[uassholes]

If you hate it so much, why do you use it. Pay out your ass for some Microsucks shitware knockoff instead.

Re:Fix LDAP Integrated Zones.

Too bad AD and Windows DNS runs circles around BIND. Last time I checked, LDAP integration worked flawlessly for the Win32 variant. Pretty sad, considering the guys who wrote BIND have been coding for years.

Seems that Torvalds must have a pretty big dick. It obviously hit a nerve in the back of your throat and caused you to reflexively spout off that senseless garbage you mistake for reality. Next time, just swallow like a good little fanboy.

Re:Fix LDAP Integrated Zones.

[ritcereal]

Read the man page for the dhcp3 configuration for 'on commit', 'on release', and 'on expiry' where you can run code to update your LDAP backend with whatever language you want. There's no reason you can't already do this.

Yeah

Whatever he said.

5 years and then some

[glitch23]

because after BIND 10 is done all the distributors must package it for their specific customers. This includes appliance vendors that utilize BIND. Speaking of appliance vendors, the article mentions that DNSSEC could eventually be enabled by possibly clicking a single button in an interface but that will be dependent on the interfaces put on top of BIND. I guess if BIND 10 has its own interface then that could work well but appliance vendors put their own GUI on top of their implementations of BIND and it may not always be as simple as a single button click.

Re:5 years and then some

[Tenebrousedge]

I am extremely offended by your signature. We are a nation of religious tolerance, first and foremost. Secondarily we can be said to be a Christian people, but there are significant minorities of other belief systems. One of the most important parts of having a constitutional republic (in general) and the separation of church and state clause (in specific) is to prevent such minorities from the 'tyranny of the majority'. We must not allow the erosion of rights for any segment of our population, else we can no longer consider ourselves citizens of a free country.

Do note that while there is mention of God in our currency etc., there is no mention of Christ--nor should there be. Also, the values that formed this country weren't terribly Christian: excellence in warfare and technology, the 'pioneer spirit', the 'manifest destiny' philosophy. If we owe anything to Christianity for our government and/or culture, we owe just as much to the ancient Greeks, and the thinkers of the Enlightenment. And if we consider the ultimate expression of Christian morality to be found in Matthew 22:34-40, then it's hard to believe that a nation with our history of racism, prejudice, and warfare to be at all Christian, no matter how strongly we might profess it. Indeed, most people claiming to be Christians here wouldn't know Christ's teachings if they bit them.

If you somehow feel that minority religions are wrong, please work to change that in some way that does not involve our government or legal system. If you want a theocracy, go to Iran.

Re:5 years and then some

The signature never states that minority religions are wrong, only that what Obama said is incorrect and an outright lie. In fact, he has since updated his statement of the country's religious viewpoint to say that the USA is now a Muslim nation. Do you prefer that version?

I'm not sure why you think I want a theocracy. There is a difference between a government instituting and enforcing a religion (such as that in Iran) and a government supporting the people's religion, rather than silencing it much like the proponents of the "separation" of church and state would prefer. Silencing religion is a violation of the freedom of religion because it tells the citizens they are not allowed to have a religion in public. The Iranian government enforces a state religion and if you go against that you can be punished. The USA supports the Christian religion as most of the population is Christian however, if you do not partake in that religion you are *not* punished. *That* is the difference. If some people had their way, there wouldn't be any religion at all. Those are the people who want to take away freedom of religion, under the guise of the separation of church and state, and they are the people you should be afraid of.

If we are a nation of religious tolerance then why are Christians being silenced for their beliefs? Why are the 10 Commandments not allowed to be displayed on gov't property? They aren't there to force non-Christians to follow them as a set of religious rules or to become Christian; no law exists which say you must convert to Christianity. So why are there people who won't tolerate them to exist when their public display is not hurting those who complain?

I'll say this to end my response: do not confuse a gov't supporting the people's religion with a gov't *enforcing* a religion. Enforcement leaves no room for rebellion and, if there is a hint of religious tolerance in this country, it is the fact that Muslims and other religious minorities are not persecuted for being non-Christian. They are allowed to rebel without punishment. That is the present situation even with our currency stating "In God We Trust" and some cities still being able to display the 10 Commandments. That shows we can support a religion without enforcing that same religion despite complaints to the contrary. Oh and that public support for a religion, it has existed for over 200 years. Did you know that long ago Congress actually held church services in the Capitol?

Feature parity

[TopSpin]

Please try not to leave behind useful features. Yes, misfeatures should be abandoned. Sometimes mere obsolescence can move a feature into the misfeature column. However, merely uncommon or obscure != "mis". It requires a pragmatic grownup to detect the difference.

The feature set begins with BIND 9. Too many major revisions of fundamental systems fail to achieve feature parity and long after the "new" is production solid the user base remains stratified into the (neglected) old and the (indifferent) new.

You must know that after the (entirely reasonable) half decade is spent to produce 10 it will take years to migrate the majority of the user base. The justifiably conservative nature of the BIND user base is such that dropped functionality will retard adoption dramatically. Better to provide parity with BIND 9's feature set and remove one excuse to sit on 9 till 2020.

Put it on the list of goals, near the top; "Feature Parity with BIND 9". Make it clear that the user base can take this for granted; if BIND 9 can do it, BIND 10 can do it.

I think you'll find if not a lot more support, at least less resistance. I know you will cut the migration period dramatically.

Re:Feature parity

[pklinken]

Congratulations on your 753rd post.

Re:Feature parity

[moniker127]

Good lord! 2020! We're supposed to have rocket cars by then- why would we need DNS?

Re:Feature parity

[fractoid]

Do you REALLY want to assign your rocket car's IP address by hand? O.o

Re:Feature parity

[yahwotqa]

This DNS thing... I don't think it does what you think it does.

Re:Feature parity

[fractoid]

Yeah, I somehow misread and thought we were talking about DHCP, but I didn't get around to posting a correction. :P Consider it corrected to:

Do you REALLY want to refer to your rocket car by a numerical IP address? O.o

How about making it simpler?

[Bondolo]

For a program who's core functionality is name -> number why is the configuration guide heavier than my tombstone? If the future of every Internet standard is to become as complicated as DNS after 35 years then I sincerely believe that the Internet is doomed. 114 RFCs (not counting 20 or so additional obsolete RFCs), WTF? DNS RFCs

By the way, SMTP and IMAP folks, you're way ahead of the game. Your stuff is already reached the point of sublime unusability past which no fully compliant implementation is possible. Well done!

Re:How about making it simpler?

[timeOday]

It does seem like the destiny of every software package is to become gradually overwhelmed with features. Nothing is worse than upgrading your system and finding the configuration format for apache or exim has changed.

Re:How about making it simpler?

[Just+Some+Guy]

For a program who's core functionality is name -> number why is the configuration guide heavier than my tombstone?

Mainly because it's required to do so very much. Yes, my named.conf is very complicated. I don't know how much simpler you could make split-zone DNS for about 30 zones, including masters, slaves, and some dynamic updates. Oh, and TSIG to authenticate request between each pair of servers. And reverse zones. And IPv6. And recursion (but only for one of the views). I mean, it's sort of like Apache's httpd.conf. Sure, it gets twisty, but what could you leave out and still be able to configure the same functionality?

Re:How about making it simpler?

[Cyberax]

BIND is PITA. It's not modular.

I've switched my entire infrastructure to djbdns and I'm glad I did it.

For example, I don't need TSIGs because djbdns uses plain rsync over SSH (which utilizes my PKI) for zone transfers. Dynamic updates are performed using simple shell scripts.

Everything is pretty simple.

Re:How about making it simpler?

[metamatic]

If you don't need the complicated functionality of BIND, you shouldn't use it.

For instance, DNS caching for a home network can be done using something far smaller and simpler, such as pdnsd.

Re:How about making it simpler?

[Just+Some+Guy]

For example, I don't need TSIGs because djbdns uses plain rsync over SSH (which utilizes my PKI) for zone transfers. Dynamic updates are performed using simple shell scripts.

That's the kind of simplicity that makes life much more complex. Our master BIND at work accepts updates for the LAN from Windows desktops. Whenever they get their DHCP lease, they say, "hey, user23.lan.example.com is now at 10.0.0.8". BIND dutifully updates its records and relays that message to the slave BINDs. Contrast with your setup: does djbdns even accept dynamic updates like that? If so, what happens when updates start to come in faster than rsync can copy them to the slaves (I can imagine some pretty large zones with tens of thousands of machines) - do you just accept that they're only synced every x minutes and call it good? What if you want to push those updates to your registrar's hosted DNS?

The problem with refusing to implement one standard is that each of your users has to invent their own incompatible workaround. Yes, TSIG and dynamic DNS and IXFR are difficult to code. They're also RFC standards that let my servers talk to their compliant peers without having to roll out an extra parallel PKI like you've had to do.

Re:How about making it simpler?

[Cyberax]

"Whenever they get their DHCP lease, they say, "hey, user23.lan.example.com is now at 10.0.0.8". BIND dutifully updates its records and relays that message to the slave BINDs."

Yes, djbdns can process dynamic DNS updates (via special plug in). Yes, it can then relay records to slaves _or_ you can make multi-master replication (if your master is down).

"If so, what happens when updates start to come in faster than rsync can copy them to the slaves (I can imagine some pretty large zones with tens of thousands of machines) - do you just accept that they're only synced every x minutes and call it good?"

rsync is incremental protocol. _EXACTLY_ like IXFR used in BIND. So there won't be much difference.

"What if you want to push those updates to your registrar's hosted DNS?"

djbdns supports AXFR.

"They're also RFC standards that let my servers talk to their compliant peers without having to roll out an extra parallel PKI like you've had to do."

You miss the point - any self-respecting organization _already_ has PKI. But BIND _forces_ to create yet another security hierarchy, with completely different administration tools and security model. Also, AXFR and IXFR are clear-text and do not support encryption.

And the worst of it - you can't customize BIND without patching source code. No wonder, that ActiveDirectory and Novell Directory Services do not use IXFR/AXFR for zone transfers.

Personally, I switched to djbdns when I found out that I can't have a hidden DNS slave which can correctly work with views (i.e. I wanted a recursive resolver for my LAN with replicated zone). BIND just doesn't support it. I was able to script it with djbdns in ~2 hours.

Re:How about making it simpler?

[Just+Some+Guy]

rsync is incremental protocol. _EXACTLY_ like IXFR used in BIND. So there won't be much difference.

That's not quite right. IXFR is implemented in BIND as a journal playback (O(1)), but rsync has to examine the entire database for changes to propagate (O(n), where n = number of records in the zone).

And the worst of it - you can't customize BIND without patching source code.

How do you customize djbdns without patching source code?

Personally, I switched to djbdns when I found out that I can't have a hidden DNS slave which can correctly work with views (i.e. I wanted a recursive resolver for my LAN with replicated zone).

What do you mean exactly? You've already made your choice and that's cool, but I'd be willing to bet that BIND does actually support that feature.

Re:How about making it simpler?

[Cyberax]

"That's not quite right. IXFR is implemented in BIND as a journal playback (O(1)), but rsync has to examine the entire database for changes to propagate (O(n), where n = number of records in the zone)."

Yes, you are right. But in practice, rsync works fast enough even with zones with hundreds thousands of hosts.

With djbdns I can easily try to use SVN or git for zone updates.

"How do you customize djbdns without patching source code?"

djbdns is incredibly modular. It's a collection of small utilities, each doing a separate job.

"What do you mean exactly? You've already made your choice and that's cool, but I'd be willing to bet that BIND does actually support that feature."

No, it doesn't. It works only if I disable views. I checked BIND source to be sure.

Re:How about making it simpler?

[Just+Some+Guy]

Yes, you are right. But in practice, rsync works fast enough even with zones with hundreds thousands of hosts.

OK, but it still doesn't address the problem of when to trigger a sync. Do you run it from a cron job, or can you script it from the dynamic DNS update program? Actually, I guess you could relay the update request out to the slaves and not worry about syncing it often. Is that possible?

With djbdns I can easily try to use SVN or git for zone updates.

That's not a bad idea.

No, it doesn't. It works only if I disable views. I checked BIND source to be sure.

What I meant was that I didn't understand what you were trying to do and so can't confirm or refute it on my own.

Re:How about making it simpler?

[Cyberax]

"OK, but it still doesn't address the problem of when to trigger a sync. Do you run it from a cron job, or can you script it from the dynamic DNS update program? "

You can script it (I use a cron job, because I don't need fast updates).

"Actually, I guess you could relay the update request out to the slaves and not worry about syncing it often. Is that possible?"

Yes, there's actually a plugin which uses SMTP/POP3 to broadcast changes (which is a neat idea, IMO). It's also easy to pipe notifications through SSH.

"What I meant was that I didn't understand what you were trying to do and so can't confirm or refute it on my own."

Ok, it's a bit complicated. I have a master DNS in USA which hosts my zone and I also have a LAN in Ukraine.

I want to set up a DNS in my LAN which has a copy of my master zone so we can survive Internet outages without disruption of work. Of course, I don't want this DNS to be authoritative for my zone.

So I tried to set up a configuration with two views: internal and external. Internal view hosts a slave zone and performs recursive resolving. External view only listens for NOTIFYs for the slave zone.

BIND pulls the slave zone and keeps it in sync, no problem.

But it doesn't use it to resolve queries from my LAN! Instead, it forwards requests to my zone's nameservers. Even though it has a full copy of my zone.

If I disable views then it all works just fine, but it means that I expose a recursive DNS resolver to the whole world.

Re:How about making it simpler?

[Phroggy]

Admittedly I've never set up multiple views, but something about that definitely doesn't sound right.

Do you mean to say that the recursive resolver on the LAN view is forwarding all queries to your zone's nameservers in the US, or do you mean that it's forwarding queries for your domain to your zone's nameservers while resolving everything else exactly the way you want it to?

If the former, you've obviously misconfigured it, because it wouldn't do that if you didn't tell it to.

If the latter, that definitely seems a little odd - it would make sense if you were really running two totally different nameservers that don't share data, but this is one server offering two different views. Still, if this is really what's happening, perhaps the solution is to treat it like two different nameservers, and set the LAN view to explicitly forward queries for your domain to the external view. Is that possible?

Like I said, I haven't done it, so I don't really know how it's supposed to work, but what I'm thinking is, your LAN view is behaving exactly the same way any other random nameserver should behave: by checking to see who's authoritative for your domain, and querying those servers, instead of using the authoritative data it already has locally. It's easy to set up a forwarding zone that will override this behavior, and maybe that would work here, even though it seems like there should be a simpler way.

Re:How about making it simpler?

[Just+Some+Guy]

But it doesn't use it to resolve queries from my LAN! Instead, it forwards requests to my zone's nameservers. Even though it has a full copy of my zone.

Phroggy's right: that's definitely possible. I do this at home where I slave my office's zones in the "private" view.

Re:How about making it simpler?

[Cyberax]

Yes, it's the latter.

BIND tries to resolve names in my zone just as usual (i.e. by asking authoritative nameservers), even though it has a complete copy of my zone.

Setting up two nameservers would work, but it's incredibly clumsy.

Also, I was able to automate some other tasks with djbdns. Particularly, handling of split-view DNS for another zone.

Re:How about making it simpler?

[Cyberax]

Is your office's BIND slaved to master? Or justs hosts a master zone in the private view?

The latter works fine, I used it all the time in BIND before I migrated to djbdns.

Re:How about making it simpler?

[Just+Some+Guy]

Home, you mean? I slave the office zone in the private view.

Re:How about making it simpler?

[Cyberax]

Have you checked that it really works while you're offline? If it does, then can you send me named.conf, please?

Re:How about making it simpler?

[Just+Some+Guy]

I can't actually verify it from here at work, but really, it's just a slave zone inside the private view.

Re:How about making it simpler?

[Cyberax]

Yes. So do I:
=====
view "internal" {
                match-clients {127.0.0.0/8;192.168.20.0/24;};
                recursion yes;

        zone "somezone.net" {
                        type slave;
                        file "/var/cache/bind/somezone.net";
                masters {xxx.xxx.xxx.xxx;};
        };
};
=====

Doesn't work.

Re:How about making it simpler?

[Just+Some+Guy]

That's the beatenest thing. I don't have any idea why it wouldn't.

Re:How about making it simpler?

[Cyberax]

The problem is here (view.c, row 1176):
=========== /*
                  * If the zone is defined in more than one view,
                  * treat it as not found.
                  */
                zp = (zone1 == NULL) ? &zone1 :
                result = dns_zt_find(view->zonetable, name, 0, NULL, zp);
                INSIST(result == ISC_R_SUCCESS ||
                              result == ISC_R_NOTFOUND ||
                              result == DNS_R_PARTIALMATCH);
===========

And I have to define this zone in the external view as well, for NOTIFY support.

Frankly, I don't understand the reason for this behavior. It can be disabled easily, but I'm not brave enough to modify BIND9.

Let us hope they take a few design hints

from the great Ahusan.

Modular design?

[omuls+are+tasty]

So they finally figured out that djb was right; it took them mere 10 years. If he only didn't have such a... personality. Maybe we would've had something sane by now.

Re:Modular design?

[e9th]

You know, it's a shame that djb couldn't play well with others. qmail & djbdns show that he really understood SMTP & DNS. Unfortunately, his dogmatism, odd coding style & disdain for comments, and his weird license (until he PDed them) kept both those products from evolving as they deserved.

Re:Modular design?

Rather others couldn't play well with DJB. He understood DNS and SMTP, many others didn't. Hence Sendmail and BIND are such pieces of shit. What disdain for comments? Many of those comments are simply attacks because some people can't take original style (and new, better APIs) and good design. The 'products' are rather complete - they cover the needs of many people. Many people use them and are very happy.

Re:Modular design?

[e9th]

I resolved slashdot.org through the magic of dnscache. qmail dropped the news of your reply into my inbox. But do you remember the qmail/VMailer (now postfix) wars? Wietse Venema was there on USENET responding helpfully to potential users' questions & suggestions. Dan was there with a withering reply, if he responded at all. But I saw that qmail was Good (and also ready before postfix, and Sendmail 5 was killing me), so I chose it. Bind was the bane of my existence. Bugs, holes, bloat.

I'm saying that if Bernstein had worked a little closer with his user community, many more people would be happily using qmail & djbdns, and there might even be official distros that supported things like TLS & DNSSEC.

Re:Modular design?

[stinerman]

Weird license?

IIRC, his code was unlicensed. DJB believed that you didn't need a license to run a binary, compile source, etc.; this is debatable. However, you do need a license to distribute someone's copyrighted works; this is very obvious. Of course, as you say he disclaimed the copyright, so the point is now moot.

Re:Modular design?

[e9th]

Before he placed it into the public domain, his qmail site had a wonderful "Information for Distributors" page. Maybe not technically a license, but when the copyright holder says

If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my approval. This does not mean approval of your distribution method, your intentions, your e-mail address, your haircut, or any other irrelevant information. It means a detailed review of the exact package that you want to distribute.

it makes you think twice before including it in [your favorite distro here].

Re:Modular design?

Isn't that pretty much the same thing that Mozilla requires?

Re:Modular design?

[Rich0]

Mozilla only requires this if you redistribute the branding. Of course, we source-based distributions only distribute pristine sources and let the user (automatically) do all the patching so these kinds of restrictions really only apply to binary-based distros. :)

Re:Modular design?

[jonaskoelker]

Isn't that pretty much the same thing that Mozilla requires?

Well, they require it for a trademark... license? It's a trademark issue, anyways. Regarding DJB, it's a copyright issue.

What's the difference? With firefox, if you replace the fox+globe logo with a globe logo and rename the program to FrozenRodent, you can do whatever the hell you please (if it's in line with at least one of firefox's license).

With DJB's software, I can't just strip out the "DanielMail" name and call it "JonasMail". No matter what I change, I still have to ask him for permission.

Re:Modular design?

[metamatic]

What killed my use of djb's stuff wasn't any of those things; it was the dependency on his daemontools replacement for /etc/init.d. (Even today, the djbdns FAQ tries to steer people away from using djbdns without daemontools, and only supplies a half-assed script to install manually.)

Re:Modular design?

[e9th]

daemontools per se is actually a pretty cool package, and an example of what I was trying to say. If Dan had made it easier to repackage, or even simply allowed you to configure alternatives to /command and /service, more people might be using it today.

IPv6

[nnet]

Please disable ipv6 mapped ipv4 AAAA records. Thank you.

I know why it's 5+ years away

[Black+Perl]

Bind 10 was written in Perl 6!

Perhaps a better name would be...

[jd2112]

...BIND Vista

If the schedule slips the could call it BIND Forever.

Were talkin a name server here, Most major OS rewrites have been done in less time.

Too late

[mseeger]

Hi,

my personal opinion is, that BIND 9 already lived too long and BIND 10 started much too late. If you have to operate huge installations (>250.000 Zones), BIND 9 is close to unuseable.

Example: Starting BIND 9 with 350.000 Zones already consumes the complete service window (2 hours) we have for works concerning the hardware. You can't even shave off much time by having all zone files on a ram disk (about 10% less time). BIND 9.6 utilizes a single core for 2 hours just to parse and load the information. For comparison a different (comercial) product imports the (same) complete configuration in about 90s (from disk, BIND 9 format) and takes about 4s for start afterwards. I know there are workarounds for BIND, but they come with high operational costs.

BIND is (IMHO) mainly a reference implementation. It has to implement everything in one single product and suffers the usual penalties for it. I still use BIND 9 myself for several purposes since it has a some advantages too (mainly, that it is OSS).

Sincerely yours, Martin

P.S. If there is any interest, i can post some benchmarks and scripts which i used to run them....

DISCLAIMER: I'm working for a company that is selling DNS products. So i'm not to be considered a neutral party :-). But since i'm doing this for 15 years now, i consider myself at least an experienced biased party.....

Re:Too late

[Just+Some+Guy]

Out of curiosity, would that still hold true for database backends? If you multiple zones point at the same file, does it have to parse that file for each zone or can it parse it once and cache it? Would converting them to dynamic zones so that BIND stores the data in its journal format make a difference one way or another?

the invention will be..

finally in 10 years we will be able to write our ip's in rr-zones from left to right.

old 1.2.3.4.5.6.7.8.9.0.1.2.1.0.0.2.ip6.arpa.
new .arpa.ip6.2.0.0.1.2.1.0.9.8.7.6.5.4.3.2.1

less headache, more usability - yay

5 years?

[bruthasj]

Haven't these guys heard of Agile?