Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Systems Consortium Seeks Wider Input For BIND 10

Posted by timothy on from the one-bind-to-ring-them-all dept.

joabj writes "The ISC is seeking some open source magic for the next version of the widely used BIND. Although the BIND is already open source, most of the work thus far done on the DNS server software has come from contractors, the government and Unix vendors. 'The goal is to move away from having BIND a heavily sponsored corporate product,' said BIND 10 manager Shane Kerr. Kerr is hoping that more eyes will equal fewer bugs, and that more users will go ahead and implement the features they've been requesting themselves. BIND 10, due by the end of the year, features a new modular architecture, one designed to circumvent many of the security woes that have bedeviled BIND 9."

60 comments

  1. History repeats itself by Richard_at_work · · Score: 4, Insightful

    BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad.

    So what makes them think BIND 10 will succeed?

    1. Re:History repeats itself by Anonymous Coward · · Score: 0

      because its Open Source, and as everyone knows Open Source software is perfect /sarcasm

    2. Re:History repeats itself by MaraDNS · · Score: 5, Informative

      From a security perspective, BIND 9 is infinitely better than BIND 8 wasâ"and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.

      The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.

      --
      MaraDNS is an open-source DNS server.
    3. Re:History repeats itself by Anonymous Coward · · Score: 0

      Any project which has Paul Vixie anywhere near it will be a disaster.

    4. Re:History repeats itself by Ice+Station+Zebra · · Score: 2

      Because Paul Vixie says so, and we all know he is always right.

    5. Re:History repeats itself by Chemisor · · Score: 1

      Third time's the charm.

    6. Re:History repeats itself by Crackez · · Score: 1

      A DoS on a DNS server is a pretty bad thing though... It's such a fundamental service on the network, that if it's down, lots of things break. So a DoS on DNS is an amplified problem such that many services will fail or become unreachable which is just as bad.

  2. Well, obviously by OeLeWaPpErKe · · Score: 4, Funny

    They're going to be more agile.

    That's what the bind 10 egineering manager told the committee of architects. She did this with approval from four other managers. The committee of architects will now present their solution to a conference of engineers, and then they will then choose external parties to be contracted to do the actual programming (and "surprisingly" the cheapest acceptable external party will just happen to have a job at verizon ... which is why "corporate features" are so prevalent in Bind). But now ... They're "looking for input". Anyone here ever tried to give input to an ISC discussion ? It's a bit like bleeding to death while having your leg slowly feasted on by a pack of hyenas, except of course that it takes 4-5 years for you to die (don't worry, the chances of someone actually having looked at your input in that time frame is minute, after all let's face it : these guys work so fast that features like intergalactic eon-timescales dns support needs to be built in right now. After all, given their decision speeds, it's very unlikely that there will be consensus for another release before we need it). By the time it is obvious just how much input ISC egos can stand you will have a newfound appreciation for bleeding to death : it's fast, and a bleeding leg does not have an ego charlie sheen would describe as "much worse than my mother".

    I foresee issues.

    1. Re:Well, obviously by hcs_$reboot · · Score: 2

      BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad. So what makes them think BIND 10 will succeed?

      Let me guess... Because BIND 9 is an awful code?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Well, obviously by Anonymous Coward · · Score: 0

      Because the rent is TOO DAMN HIGH!

  3. Non heirarchical naming by Colin+Smith · · Score: 4, Interesting

    Screw bind, what's needed is a non heirarchical name resolution mechanism.

    --
    Deleted
    1. Re:Non heirarchical naming by MaraDNS · · Score: 5, Interesting

      You know, I keep hearing on Slashdot about the need for some kind of non-hierarchical peer-to-peer name resolution to replace DNS. What I haven't seen is a working proposal for such a system; the closest I've seen is Namecoin.

      --
      MaraDNS is an open-source DNS server.
    2. Re:Non heirarchical naming by Colin+Smith · · Score: 3, Informative

      Mostly because in security terms it's a fucking nightmare. Has to solve some very difficult maths.
       

      --
      Deleted
    3. Re:Non heirarchical naming by Anonymous Coward · · Score: 0

      Didn't that Pirate bay guy start one? What happened to that?

    4. Re:Non heirarchical naming by complete+loony · · Score: 2

      Resolving short names to dns name servers in a p2p fashion is problematic. What we should build is a system based on public / private key pairs. Sure the problem of establishing that "Bank of America" has key XXXX is going to be problematic, I'm not sure exactly how to tackle it, and that's most of what the dns system actually solves. But after that step you could be performing name server lookups via a known public key. Just sign a new location record and publish it via something like DHT.

      No root servers, no name confiscation, that key could belong to you forever.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    5. Re:Non heirarchical naming by Anonymous Coward · · Score: 1

      Already working on it.
      - P2P - No concept of "authority".
      - Based on a web of trust with cascading rulesets - Impossible to poison, unless you personally trusted the wrong person.
      - Graph-based - Structured like the human mind or society, based on fractional associations.
      - File system driver - Why not follow the UNIX philosophy? Makes it compatible to *everything* and child's play to use.
      - Obviously possible to be tunnelled over everything, like encryption, compression, etc.
      - Written in Haskell, verified in QuickCheck, so good luck with those buffer overruns and the like.

      The only reason I'm not already done with it, is lack of financing. (Gotta eat something too, and had to learn Haskell plus a load of other stuff first.)
      (By the way: If you want to code something like that too, go ahead. If you're done before me, there will be no hard feelings. In fact I will probably send you a thank you note, and promote you. :)

    6. Re:Non heirarchical naming by TheRaven64 · · Score: 1

      A few people have done it. It hasn't caught on, because it's a stupid idea.

      Peer to peer name resolution is pretty easy, the problem is authority. DNS doesn't just give an arbitrary mapping from names to IP addresses, it gives a mapping that the whole world agrees on. That is the bit that is hard to do. With DNS, this is simple. Each tier is authoritative for each subdomain. In a p2p system, who is responsible for allocating foo.bar (or slashdot.org)? With DNSSEC, it's actually quite easy to add a p2p layer on top of DVD for resolution - DNS caches could easily discover each other and send queries to each other before checking the authoritative server.

      --
      I am TheRaven on Soylent News
    7. Re:Non heirarchical naming by AuMatar · · Score: 1

      Ooh, I know. We could have a central authority that serves the domain->key mappings via an internet protocol. We could call it DKS- domain key service.

      Or you know, that could be why it was hierarchial to begin with. Peer to peer isn't always the right answer.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    8. Re:Non heirarchical naming by complete+loony · · Score: 1

      Or have a few trusted entities that sign your key and name record, SSL anyone?. Or allow duplicates with a web of trust. And allow url's to use the above public key for cross domain links.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    9. Re:Non heirarchical naming by Anonymous Coward · · Score: 0

      You always have /etc/hosts at your disposal ...

    10. Re:Non heirarchical naming by Anonymous Coward · · Score: 0

      You forgot to provide a link to - ohh I don't know... -
      Documentation?
      A manifesto?
      Code?

    11. Re:Non heirarchical naming by Anonymous Coward · · Score: 0

      Sorry mate. I don't want people to run around with half-done code, misinterpret it, make half-assed stuff on it, and then blame me for it becoming something shitty. Been there, had it happening to me.
      It has to be done and finished at its core, so that nobody can mess up the concepts anymore. And then if there is any modification to the core, I will not want anyone to say it is related to my code anymore, unless I approved it.
      Sorry. Too many bad experiences.

      (Also, it's part of a bigger project on the scale of a OS replacement, so we'll see...)

    12. Re:Non heirarchical naming by justforgetme · · Score: 1

      an OS in Haskell? Count me in :-D

      Anyway, if you want to share some insight on the DNS app get in touch.

      --
      -- no sig today
  4. BIND alternatives by MaraDNS · · Score: 5, Informative

    Since this is about BIND, let me start the inevitable thread about the BIND alternatives.

    BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE

    Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE

    PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE

    MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/BSD and PowerDNS) Easy-to-configure; tiny binary suitable for embedded systems. CVE

    DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.

    There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones

    --
    MaraDNS is an open-source DNS server.
    1. Re:BIND alternatives by LordLimecat · · Score: 1

      Theres also Windows DNS :D
      Pretty sure its based on Bind though, and is missing some features.

    2. Re:BIND alternatives by TheRaven64 · · Score: 1

      Unbound and NSD are a suite of DNS servers from the same people One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet

      I thought bind was bloated, but unbound includes an HTTP server and client as well? That brings bloat to a whole new level. Is it based on EMACS?

      --
      I am TheRaven on Soylent News
    3. Re:BIND alternatives by Anonymous Coward · · Score: 0

      You didn't understand the comment you replied to. Read again.

    4. Re:BIND alternatives by TheRaven64 · · Score: 1

      I did. A DNS server / resolver has nothing to do with putting web pages online or for finding them. A DNS server puts your computer in a global human-readable namespace. A DNS resolver finds computers.

      --
      I am TheRaven on Soylent News
    5. Re:BIND alternatives by MaraDNS · · Score: 1

      Voice-Family: Leo having a conversation with Sheldon in an episode of "The Big Bang Theory".

      No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.

      To make the pedants happy: A DNS server is, if you will, akin to an office suite. Yeah, what's really going on is that there is an "authoriative DNS server" that serves arbitrary name-to-data mappings so that programs called "recursive DNS servers" can give said mapping to a client program and there's also non-recursive forwarding DNS servers and blah blah blah. I think the audience is falling asleep at this point...

      Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers. However, if someone were willing to sponsor it, I would be perfectly happy to make a version of MaraDNS that uses SINK RRs and dynamic updates to allow people to perform document collaboration via DNS.

      --
      MaraDNS is an open-source DNS server.
    6. Re:BIND alternatives by TheRaven64 · · Score: 1

      No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.

      You realise that this is Slashdot, right? I.e. your audience is fairly technical people, not folks who don't know the difference between the web and the Internet. More specifically, this is an article about BIND, on Slashdot, meaning anyone reading your post is likely to have at least a basic understanding of what DNS is and (at least a vague idea of) how it works. You could have explained the same thing, without talking nonsense about web pages, in any of these ways, depending on how much detail you wanted to give:

      • One (NSD) acts as an authoritative DNS server the other (Unbound) as a DNS cache.
      • One (NSD) serves your DNS records to others, the other (Unbound) caches DNS lookups for your network.
      • One (NSD) publishes host names, the other (Unbound) looks up addresses on behalf of clients and caches them.

      See? You don't have to talk complete nonsense when you simplify things, you just have to explain what you actually mean, in simple terms. Explanations like yours given to people who don't know much about computers are why we end up with people creating a 'GUI interface using visual basic to track the killers IP address' in CSI.

      --
      I am TheRaven on Soylent News
    7. Re:BIND alternatives by MaraDNS · · Score: 1

      Sigh. I give up. Yes, I was technically being a little inaccurate, and yes, there are a zillion ways I could have explained that entire mess better, such as linking to Rick's excellent explanation of different DNS server types.

      It frustrates and annoys me that you are being so dang pedantic about the issue. I think it would do you well to think about why it is that you annoy a lot of people.

      --
      MaraDNS is an open-source DNS server.
    8. Re:BIND alternatives by Anonymous Coward · · Score: 0

      The number one reason why BIND sucks is the lack of support for DNSCurve. Even after admitting that DNSSEC sucks, Vixie, rather than support DNSCurve, insists on pushing DNSSEC garbage. Bernstein must've really gotten under his skin.

    9. Re:BIND alternatives by TheRaven64 · · Score: 1

      It frustrates and annoys me that you are being so dang pedantic about the issue

      I made a cheap joke about your poor phrasing, the AC contradicted the (correct) assertion it contained, and then you chimed in trying to justify your inaccuracy. I would have let it go at the start with the first comment, or if you'd just said 'yes, it's an oversimplification' but you decided to jump straight into ultra-patronising mode with:

      Voice-Family: Leo having a conversation with Sheldon [wikipedia.org] in an episode of "The Big Bang Theory".

      And then, of course, you feel the need to respond with this:

      I think it would do you well to think about why it is that you annoy a lot of people [slashdot.org].

      A link to my foes page? Seriously? As evidence that I annoy 'a lot of people'? Try clicking on some of those names sometime and checking their posting history: most of them are persistent trolls that I've called out, like first-post-troll '(1337) God' or guy-who-posts-stories-about-having-sex-with-children 'Oliver Newland'. And, since we're being childish, let's look at some other pages like my fans page, which I haven't looked at for a couple of years, and now seems to contain almost 20 times as many entries as my freaks page.

      Seems like a pretty good ratio to me. If you're not offending anyone at all, then you're probably not saying anything of value, and I'm pretty happy with most of the people on my freaks page. Not saying much of interest to anyone, by the way, seems to be a description of you that it appears only two people would disagree with...

      --
      I am TheRaven on Soylent News
    10. Re:BIND alternatives by MaraDNS · · Score: 1

      This conversation has hit the point that it's best continued in private email. I am not going to reply to any more of your postings.

      --
      MaraDNS is an open-source DNS server.
    11. Re:BIND alternatives by MaraDNS · · Score: 1

      Last time I looked at DNS curve, it has absolutely no traction. None of the five DNS servers I listed above -- not even djbdns -- come with DNScurve support.

      --
      MaraDNS is an open-source DNS server.
    12. Re:BIND alternatives by Anonymous Coward · · Score: 0

      That doesn't mean the most popular server shouldn't support it. They could have been first. The protocol is well documented.

    13. Re:BIND alternatives by Candyban · · Score: 1

      A DNS server is, if you will, akin to an office suite

      Is this some kind of inside joke like half of the code is dead (LibreOffice) or there are many different formats doing the same?

      I am totally lost and confused by your "analogy". The whole idea about an analogy is that you make it SIMPLE by using well known concepts.

      Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers

      So then what were you saying? It is like powerpoint? Or Outlook?

      Please do not take this wrong way. It is meant as positive criticism: try to find better analogies, it helps the both of us. :)

    14. Re:BIND alternatives by Anonymous Coward · · Score: 0

      This conversation has hit the point where I'm pretty sure I'm not ever going to use MaraDNS, and will discourage others from using it.

    15. Re:BIND alternatives by MaraDNS · · Score: 1

      It's akin to an office suite because -- except for BIND, which is monolithic -- you have two distinct programs with different functions: The authoritative and recursive program. Just like you have a word processor and spreadsheet in an office suite.

      Rick Moen explains it quite well.

      --
      MaraDNS is an open-source DNS server.
  5. Distributed DNS by Anonymous Coward · · Score: 3, Interesting

    We are sick and tired of being threatened by our governments on behalf of failing business models (MAFIAA)

    We want distributed DNS (like this: http://dot-bit.org/Main_Page)

    (For non-techies: Think of DNS servers functioning like BitTorrent.)

    1. Re:Distributed DNS by Anonymous Coward · · Score: 1

      I don't understand the tech details, and would appreciate your thoughts on why the global community can't just launch a tld like "nonusa", and have nameservers that the US can't attack. Then we could have registrars hand out .com.nonusa and so on.
      Doable?

    2. Re:Distributed DNS by Anonymous Coward · · Score: 0

      Genuine question here, not trying to be a smartass or anything.
      If nobody controls it, what's stopping someone from stealing your domain?

    3. Re:Distributed DNS by tomhudson · · Score: 2

      There's no reason - it's been done before in direct competition with the ICANN, and there are a bunch in operation right now - the problem being getting people to use them instead.

    4. Re:Distributed DNS by LordLimecat · · Score: 2

      As another responder further in the thread mentioned, plans like this are all well and good, good luck getting them to be used before 2020. (See: DNSSEC, IPv6)

      Even SPF took a few years to meed widespread adoption, and that only required a single TXT record for a domain to secure itself, and was highly compatible with non-SPF users. An alternative naming system, on the other hand, would be useless in proportion to the number of users not on it.

    5. Re:Distributed DNS by Anonymous Coward · · Score: 0

      >If nobody controls it, what's stopping someone from stealing your domain?

      A stolen domain would be like a corrupted segment in the BitTorrent analogy.

    6. Re:Distributed DNS by icebraining · · Score: 1

      It's a distributed system. You can only take control of a domain if the majority of the peers in the network agree to it, and they're configured to reject "hostile takeovers".

      --
      Dilbert RSS feed
    7. Re:Distributed DNS by TheRaven64 · · Score: 1

      In BitTorrent, you download a .torrent file that contains checksums allowing you to validate the segments. Where do you get the equivalent in this system? Who is responsible for deciding whether a particular name to IP mapping in the system is authoritative?

      Creating a distributed read-only key-value store is not an especially difficult system, the difficult bit is defining authority.

      --
      I am TheRaven on Soylent News
    8. Re:Distributed DNS by Anonymous Coward · · Score: 0

      The hardest part on the Internet is establishing authenticity. Are you who you say you are. With normal "hierarchical" DNS this is done with static IP's which are closely guarded over. On dynamic IP's and peer-peer networks I imagine this is the hardest thing to make happen. The worst scenario is that a group can take your distributed dns name and receive your email. I'm sure noone wants that done. Anyhow I wish you luck, my take is that 10 years from now people will still want distributed dns but are empty handed on what to use to establish authenticity.

      Good luck,

      -some dude

  6. As someone who's maintined bind servers... by jimmydigital · · Score: 2, Funny

    I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Other looks more like some over the hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big staring role. Give it up Bind... it's not going to happen.

    --
    Every normal man must be tempted, at times, to spit on his hands, hoist the black flag, and begin slitting throats. -HLM
    1. Re:As someone who's maintined bind servers... by Anonymous Coward · · Score: 0

      I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Other looks more like some over the hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big staring role. Give it up Bind... it's not going to happen.

      Can I get an AMEN???

    2. Re:As someone who's maintined bind servers... by Anonymous Coward · · Score: 1

      bind and sendmail will die when they have outlived their usefulness.

    3. Re:As someone who's maintined bind servers... by mvdwege · · Score: 1

      As someone still maintaining a BIND9 deployment, I have to ask: do you have any arguments to go with that rant? Because I don't have any problems.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    4. Re:As someone who's maintined bind servers... by laffer1 · · Score: 1

      My only complaint about BIND 9 is setting up DNSSEC. They're working on it, and 9.8 made it a bit easier, but it's still a hassle. DNS has always been a set it up and forget it service until now.

      --
      MidnightBSD: The BSD for Everyone
    5. Re:As someone who's maintined bind servers... by mvdwege · · Score: 1

      We don't use DNSSEC, so that's probably why I find BIND9 to be trouble free.

      We do a lot of host mutations though, so I get to work a lot with BIND. The only hassle is to remind myself to update the zone serials.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    6. Re:As someone who's maintined bind servers... by otis+wildflower · · Score: 1

      PowerDNS does autoserials with DB backends. It's quite handy.

  7. Rant by RedHat+Rocky · · Score: 1

    My input for BIND 10:
    Keep it. ISC, you suck.

    --
    Anything is possible given time and money.
  8. Stuff I want to see by Anonymous Coward · · Score: 0

    I want to see in BIND 10 (some of this might be overstepping...)
    - integration with GeoIP as standard, or at least a way to build it plugged in
    - integration with MySQL's threaded model.
    (The above two are already possible in some form or another, but the patches are unmaintained or break DNSSEC)

    Because of some political hotpotatoes I also propose a few new features that also involve needing GeoIP or similar.
    - Peer to Peer verification. Instead of just keeping a zone file, the DNS should periodicity query the ip addresses it has on file if it "is still" that domain. Verify the private key.
    - Anti-censorship provision (or working around braindead dns servers) and GeoIP/CDN selection. This would require more changes to DNS itself, but the browser could send a geolocation centric query, like "GA example.com (ISO-3166-2 code)" instead of a A record, it gets a Geocentric A record.

  9. Competition is fun by sgt+scrub · · Score: 1

    Competing against the pros is an incentive for some alternative DNS projects. Why break what works?

    --
    Having to work for a living is the root of all evil.
  10. DNSCurve by Anonymous Coward · · Score: 0

    Support for DNSCurve.

    http://dnscurve.org/

  11. PowerDNS ftw by Anonymous Coward · · Score: 0

    lol bind?