Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Systems Consortium Seeks Wider Input For BIND 10

Posted by timothy on from the one-bind-to-ring-them-all dept.

joabj writes "The ISC is seeking some open source magic for the next version of the widely used BIND. Although the BIND is already open source, most of the work thus far done on the DNS server software has come from contractors, the government and Unix vendors. 'The goal is to move away from having BIND a heavily sponsored corporate product,' said BIND 10 manager Shane Kerr. Kerr is hoping that more eyes will equal fewer bugs, and that more users will go ahead and implement the features they've been requesting themselves. BIND 10, due by the end of the year, features a new modular architecture, one designed to circumvent many of the security woes that have bedeviled BIND 9."

14 of 60 comments (clear)

  1. History repeats itself by Richard_at_work · · Score: 4, Insightful

    BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad.

    So what makes them think BIND 10 will succeed?

    1. Re:History repeats itself by MaraDNS · · Score: 5, Informative

      From a security perspective, BIND 9 is infinitely better than BIND 8 wasâ"and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.

      The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.

      --
      MaraDNS is an open-source DNS server.
    2. Re:History repeats itself by Ice+Station+Zebra · · Score: 2

      Because Paul Vixie says so, and we all know he is always right.

  2. Well, obviously by OeLeWaPpErKe · · Score: 4, Funny

    They're going to be more agile.

    That's what the bind 10 egineering manager told the committee of architects. She did this with approval from four other managers. The committee of architects will now present their solution to a conference of engineers, and then they will then choose external parties to be contracted to do the actual programming (and "surprisingly" the cheapest acceptable external party will just happen to have a job at verizon ... which is why "corporate features" are so prevalent in Bind). But now ... They're "looking for input". Anyone here ever tried to give input to an ISC discussion ? It's a bit like bleeding to death while having your leg slowly feasted on by a pack of hyenas, except of course that it takes 4-5 years for you to die (don't worry, the chances of someone actually having looked at your input in that time frame is minute, after all let's face it : these guys work so fast that features like intergalactic eon-timescales dns support needs to be built in right now. After all, given their decision speeds, it's very unlikely that there will be consensus for another release before we need it). By the time it is obvious just how much input ISC egos can stand you will have a newfound appreciation for bleeding to death : it's fast, and a bleeding leg does not have an ego charlie sheen would describe as "much worse than my mother".

    I foresee issues.

    1. Re:Well, obviously by hcs_$reboot · · Score: 2

      BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad. So what makes them think BIND 10 will succeed?

      Let me guess... Because BIND 9 is an awful code?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  3. Non heirarchical naming by Colin+Smith · · Score: 4, Interesting

    Screw bind, what's needed is a non heirarchical name resolution mechanism.

    --
    Deleted
    1. Re:Non heirarchical naming by MaraDNS · · Score: 5, Interesting

      You know, I keep hearing on Slashdot about the need for some kind of non-hierarchical peer-to-peer name resolution to replace DNS. What I haven't seen is a working proposal for such a system; the closest I've seen is Namecoin.

      --
      MaraDNS is an open-source DNS server.
    2. Re:Non heirarchical naming by Colin+Smith · · Score: 3, Informative

      Mostly because in security terms it's a fucking nightmare. Has to solve some very difficult maths.
       

      --
      Deleted
    3. Re:Non heirarchical naming by complete+loony · · Score: 2

      Resolving short names to dns name servers in a p2p fashion is problematic. What we should build is a system based on public / private key pairs. Sure the problem of establishing that "Bank of America" has key XXXX is going to be problematic, I'm not sure exactly how to tackle it, and that's most of what the dns system actually solves. But after that step you could be performing name server lookups via a known public key. Just sign a new location record and publish it via something like DHT.

      No root servers, no name confiscation, that key could belong to you forever.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  4. BIND alternatives by MaraDNS · · Score: 5, Informative

    Since this is about BIND, let me start the inevitable thread about the BIND alternatives.

    BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE

    Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE

    PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE

    MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/BSD and PowerDNS) Easy-to-configure; tiny binary suitable for embedded systems. CVE

    DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.

    There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones

    --
    MaraDNS is an open-source DNS server.
  5. Distributed DNS by Anonymous Coward · · Score: 3, Interesting

    We are sick and tired of being threatened by our governments on behalf of failing business models (MAFIAA)

    We want distributed DNS (like this: http://dot-bit.org/Main_Page)

    (For non-techies: Think of DNS servers functioning like BitTorrent.)

    1. Re:Distributed DNS by tomhudson · · Score: 2

      There's no reason - it's been done before in direct competition with the ICANN, and there are a bunch in operation right now - the problem being getting people to use them instead.

    2. Re:Distributed DNS by LordLimecat · · Score: 2

      As another responder further in the thread mentioned, plans like this are all well and good, good luck getting them to be used before 2020. (See: DNSSEC, IPv6)

      Even SPF took a few years to meed widespread adoption, and that only required a single TXT record for a domain to secure itself, and was highly compatible with non-SPF users. An alternative naming system, on the other hand, would be useless in proportion to the number of users not on it.

  6. As someone who's maintined bind servers... by jimmydigital · · Score: 2, Funny

    I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Other looks more like some over the hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big staring role. Give it up Bind... it's not going to happen.

    --
    Every normal man must be tempted, at times, to spit on his hands, hoist the black flag, and begin slitting throats. -HLM