Slashdot Mirror


Paul Vixie to Leave BIND

strabo writes "Paul Vixie made it known at LISA '99 in Seattle on Wednesday that he'll be stepping down as the maintainer and head architect of BIND, which he has been doing for the past 10 years. Many thanks to Paul for his hard work and dedication! "

44 comments

  1. Re:Why I wouldn't vote for Paul Vixie by Porky+Pig · · Score: 0

    didn't you use a 'complain letter generator' for this posting? Well, I did, so here is the follow-up:

    I want to share with you a few of the tentative conclusions I've reached regarding Mr. Paul Vixie's publicity stunts. And I
    stress the word "tentative," because the subject of what motivates Paul is tricky and complex. What follows is a series of
    remarks addressed to the readers of this letter and to Paul himself. When we lay out some ideas and interpretations that
    hold the potential for insight, we are not only threading our way through a maze of competing interests; we are weaving
    the very pattern of our social fabric. He can pervert any established ideology. The quest to feature simplistic answers to
    complex problems is the true inner kernel of Paul's philosophy, insofar as this figment of a libidinous brain can be designated
    a "philosophy", and besides, Paul expresses only the noblest intentions, singing praises to the value of community even as he
    enacts policies that promote promiscuity and obscene language. I don't mean to imply that there's a contradiction between
    his simultaneous condemnation of worthless thieves and his imposition of brutal imperialism, but it's true, nonetheless.

    His tracts are popular among horny hatemongers, but that doesn't mean the rest of us have to accept them. One thing is
    certain: Paul can out-reason the most flippant lowbrows you'll ever see but not anyone else. In such a brief letter as this, I
    certainly cannot refute all the tirades of hopeless bums, but perhaps I can brush away some of their most deliberate and
    flagrant politics. Admittedly, he is doing the very thing for which he criticizes others. But that's because he has made some
    very dangerous assumptions about dim-witted dorks. Ethnocentrism is not confined to any specific era, culture, or country.
    No wonder that I suspect that people who work with Paul's cronies discredit themselves.

    It would be a mistake to believe that the Universe belongs to Paul by right. Now that I've had time to think about his antics,
    my only question is this: Why? Why fan the flames of McCarthyism into a planet-spanning inferno? In the past, when I
    complained that he was attempting to put increased disruptive powers in salacious blockheads' hands, I was told that I was
    just being immature. But nowadays, people realize that even his horoscope says he's bleeding-heart. Let me mention again
    that I maintain that my slurs regarding grungy champions of deceit, lies, theft, plunder, and rapine, while far from
    complete, will suggest the kind of politics and policies that are needed to restore good sense to this important debate. I'd
    like to finish with a quote from a private e-mail message sent to me by a close friend of mine: "In times of economic, social,
    or political crisis, small groups that inject Mr. Paul Vixie's lethal poison into our children's minds and souls suddenly gain a
    mass following".

    --
    Grunt. Oink, oink.
  2. Re:Other Vixie projects? by radparker · · Score: 1

    Static IPs are regularly removed from the DUL at the request of users like yourself. The intent of the DUL is to list dynamic addresses, not static IPs like dedicated dialups and DSL connections and so forth. Have you contacted the MAPS DUL team for help with this issue? Al Iverson MAPS LLC RSS Team

    --
    -- Al Iverson
  3. Re:Other Vixie projects? by bob · · Score: 1

    Well, that's encouraging. I did not do so because after reading through all of the information at http://maps.vix.com/dul/, I could find no indication that such a request would be honored. On the page of information for end users, http://maps.vix.com/dul/enduser.htm, the exclusive remedy is to use your ISP's relay. On the page on removing your network, http://maps.vix.com/dul/removing.htm, the acceptable reasons listed speak only to the needs of ISPs, not individuals. The closest thing I could find was the clause on "Removal due to operational requirements and a strong AUP", which still had lots of stuff about dial-up users and such that didn't apply to me. And is "I find it extremely useful, from a diagnostic standpoint, to be able to review my SMTP delivery logs" a sufficient "operational requirement?" Like, when my wife's mail doesn't get delivered, I like to be able to tell her why?

    The tone of the DUL pages, taken in total, is quite hostile -- or at a minimum paternalistic and condescending -- especially to individuals. Taken as a whole, it presents the attitude that individuals really don't need to have that kind of control over their Internet presence, that individuals should just trust in their ISPs and not worry their little heads over it.

    But, taking you at your word, I'll go ahead and make a request.

  4. Re:why slam AlterNIC? by Frater+219 · · Score: 5

    Vixie is of the well-considered opinion that the DNS tree can only have one root. DNS is designed around the idea that each zone, including the top-level zone, can only have a single authority record. This means that delegation can emanate only from one place, namely the top-level SOA (Start Of Authority) record.

    Whoever controls the top-level SOA controls the delegation for the top-level domains (com, edu, de, jp, etc.) and hence the rest of the system. This was true when InterNIC was run not-for-profit, and remains true now that InterNIC is run for profit: it is not an artifact of the management of the DNS directory, but rather of its design.

    It would be possible to create a new name-service system which permitted multiple roots, search engines or Hotline-style "trackers", a directed-graph model instead of a tree model, &c. However, this would not be DNS, and these features should not be slapped onto the side of DNS. They would require a new architecture.

    If you want it, please feel free to design it. Distribute your resolver libraries far and wide. However, don't commit the errors of AlterNIC, such as committing computer crimes (forgery of DNS entries) in order to popularize your system.

  5. ok, I've got a silly question by vyesue · · Score: 2

    wasn't BIND brought from 4.9.something to 8 so that it would be consistent with Sendmail? how are we at BIND9 without being at sendmail9?

    (hates gratuitous version increment gaps)

    1. Re:ok, I've got a silly question by Anonymous Coward · · Score: 1

      When BSD4.4 was released, all the SCCS (remember that?) version numbers were reset to 8. Why, I don't know. But that's why BIND and sendmail are both v8. I think this little gem is somewhere in the sendmail docs... -Dom2

    2. Re:ok, I've got a silly question by StenD · · Score: 1

      Both BIND and sendmail were brought to version 8 to synchronize with the 4.4BSD source revision numbers. BIND underwent a full source rewrite, and is appropriately incrementing the major release number. Hopefully Sendmail will do the same thing one of these days.

    3. Re:ok, I've got a silly question by vyesue · · Score: 2

      _remember_ sccs? I had the displeasure of using it quite intensively for a while when I worked at Sun. guh.

      anyway, 8's as good a number as anything else, I was just curious. :D

  6. Re:Other Vixie projects? by vixie · · Score: 3

    no, i'm not dropping any projects. bind is still an ISC project, but bind9 is the up and coming thing and i'm choosing the bind8/bind9 transition as my moment to step back from the technical lime light. i am still chairman of ISC, and ISC is still very much doing bind.

  7. Paul is Paul by burrows · · Score: 1

    Many thanks to Paul for the hard work, dedication, and numerous security holes he has contributed to this project over the past 10 years (relax, it's a joke).

  8. Re:Thanks Paul... by vixie · · Score: 3

    re: "you the man" i was the man, but DNS is now much larger than any man (no matter how much coffee he drinks) can implement. that's why ISC exists. BIND9 is the future, and it's very bright.

  9. Re:Why I wouldn't vote for Paul Vixie by burrows · · Score: 0

    Dude, what the fuck are you talking about? Get a fucking grip. -- more intelligent debate will be posted should you rise to the occasion --

  10. Re:too true by Anonymous Coward · · Score: 0

    NOT FUNNY.

    puns, grrrr...

  11. Paul works for the NSA by Anonymous Coward · · Score: 0

    The buffer overflows were put there with the help of Paul.

  12. Re:BIND, Vixie, et al by StenD · · Score: 1

    > Grrr! I -hate- closed-door development. It's not much better than closed-source.

    Read the Cathedral and the Bazaar. ESR notes "It's fairly clear that one cannot code from the ground up in bazaar style." The developers certainly want as many eyes as possible looking at the code, and finding and repairing bugs, but they have to provide something that works at some level first.

  13. Re:Give This Man a Medal by JackAssPenguin · · Score: 1

    At the ISP where I used to work we had a Microsoft Small Business Server. This project was pushed big time by MS. It is a complete MS project - the clients run MS stuff, the ISP runs Microsoft stuff.

    And (typically) it didn't work.

    With a lot of MS pressure, a lot of MS help and a lot of MCSEs trying to help it finally got off the ground.

    The difference now is that it uses BIND and not MS's DNS.

    This to me is as much a medal as "This Man" could ever earn.

    Good luck for the future.

    email: 3->e

    --
    "DNA is God's contribution to the Open Source movement"
  14. Re:BIND, Vixie, et al by vixie · · Score: 4

    > where's this BIND 9 that keeps getting talked about?

    the companies who funded it wanted early access. since the budget was $1.5M we gave on this point. when it's ready for public testing it will be up on some ftp server with a regular BSD/ISC license.

    > Second, who's going to take over BIND now?

    nobody. ISC took it over in 1994. i'm chairman of ISC but as bind8 is approaching end-of-life in favour of bind9, my involvement as an architect is sort of ending. i'm just a manager now.

    > Third, what's the -real- reason for the resignation?

    10 years is a long time. DNS is very big now. i'm going to stay involved with ISC but not be "the" or even "a" BIND technologist in the future. once we (ISC) get bind9 out the door i may decide to contribute code fragments to it, but as an individual contributor rather than as any sort of author, coauthor, or architect.

  15. Does Paul Vixie smoke crack? by Nicolas+MONNET · · Score: 1

    when i saw the linux chroot("../../../../../../../..") hole i about fell out of my chair. truly no place is safe any more.

    This "bug" pops up every other month on linux-kernel, and has been for several years. This is not a bug. This is the way chroot is supposed to work. If you make a chroot and run a process as root inside, you deserve what happens to you.

    I don't really understand why he wrote the above.

  16. thank you for your dedication... by fratar · · Score: 1

    what else to say?
    except thank you to you and all of your dedicated team.

    just curious, is there any picture of you and the team?

    after all these years, many only knew the name and email.

    :)

  17. Re: Who will take over BIND? by Anonymous Coward · · Score: 0
    Starting completely from scratch. This isn't necessarily a good thing.

    If it were replacing a prototype it would be, but a 10 year project. Surely a scratch rewrite is going to be going through a lot of rewrites as 10 year old lessons get re-learned.

  18. DUL Follow-up by bob · · Score: 1

    A follow-up here for the record. I put in a request, and it was granted almost immediately; the DUL guys poked around a bit and when it checked out they went ahead and took my IP out of the DUL jail. I take back what I said. Well, most of it anyway, except for the part about the tone of their Web page, which I still think sounds pretty hostile. Nice to know, though, that they're more reasonable than they sound. --Bob

  19. Other Vixie projects? by AtariDatacenter · · Score: 2

    What other projects is Vixie running, and will he be stepping down on any others?

    1. Re:Other Vixie projects? by seebs · · Score: 2

      The RBL, of course! Although, to be fair, he's mostly handed that off already; it's run by the employees these days.

      Nice service. http://www.mail-abuse.org/rbl/

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    2. Re:Other Vixie projects? by bob · · Score: 1

      I'd be ecstatic if the DUL would go away. At a minimum, someone paying for a static IP address should be able to do direct SMTPs. And yes, I know the arguments, and no, I don't agree with them. Fix the protocol, don't dump on individuals.

      --Bob

  20. So long, and thanks for all the fixes by Anonymous Coward · · Score: 0

    Thanks, PV! Kudos from an AC.

    1. Re:So long, and thanks for all the fixes by Anonymous Coward · · Score: 0

      afewrwerwe ewr qr q werqw er qwer

  21. ... by Signal+11 · · Score: 2

    My only question is why? Will he be stepping down from other projects (the MAPS RBL?) as well? More details! More details!

    --

  22. Who will take over BIND? by Gurlia · · Score: 1

    Just curious, who will take over the BIND project? Or will it just be a group of people as opposed to one person overseeing the whole thing?

    As a sideline, I wonder who will take over the Linux kernel when (if) Linus steps down? Just a random thought... :-)

    --
    mikre he sophia he tou Mikrosophou.
    1. Re:Who will take over BIND? by El+Volio · · Score: 1

      I'm not involved in kernel development, but it would seem to me that Alan Cox would take over, if Linus were to step down or otherwise no longer be able to lead Linux (hit by a bus, assassinated by the Illuminati, etc).

      Which would inevitably lead to more foolish cries of "RedHat is becoming Microsoft!", since Cox is in fact a RH employee.

      --

      "You can never have too many elephants on your team."

    2. Re: Who will take over BIND? by strabo · · Score: 1

      Actually, just because Paul is stepping down as head maintainer and the lead architect, doesn't mean that ISC is stepping down. The Internet Software Consortium was founded by Vixie, but is much bigger than just him.

      Also, there are no more expected releases of BIND 8.x, with the exception (obviously) of fixes. The development of BIND 9 has not included a single line of Vixie's code - and it is written COMPLETELY from SCRATCH - no legacy BIND 8.x code in it. He has spent his time recently finishing up with BIND 8.2.2, and is leaving BIND 9 to a new team.

      Paul was quoted as saying: "It's a thing of beauty. I have not got a single line of code in BIND 9 - and I hope that's not the reason that it's a thing of beauty." :) He went on to explain that it was because he was able to maintain the 8.x code by himself, since he knew it so well. It would have taken a couple of people to do it otherwise, and it was a matter of priority - so he did that, and let the others focus on BIND 9.

      - strabo

    3. Re:Who will take over BIND? by rde · · Score: 2

      I'm not doing anything this weekend; I'm sure I could fit it in.

  23. too true by Anonymous Coward · · Score: 0

    I think I speak for us all when I say well done to Paul, and thanks for all you've put in. It must have been a bit of a BIND at times, but you stuck it out :)

  24. Give This Man a Medal by mochaone · · Score: 3

    Ten years of working on what is arguably the most successful Open Source project ever deserves something. Someone nominate this guy for the FSF 1999 award.

    --
    Hates people who have stupid little sigs
    1. Re:Give This Man a Medal by vectro · · Score: 3

      Too late, he already won the Free Software award in a previous year.

      Incidentally, he is also on the judging panel for the 1999 award.

    2. Re:Give This Man a Medal by devphil · · Score: 1

      Indeed. BIND is arguably the glue that holds all this crap together. We owe him a /lot/, and he doesn't get recognized for it nearly enough.

      --
      You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  25. BIND, Vixie, et al by jd · · Score: 3
    First off, where's this BIND 9 that keeps getting talked about? The most recent version I can see a link to is BIND 8. (Grrr! I -hate- closed-door development. It's not much better than closed-source.)

    Second, who's going to take over BIND now? For all its problems and limitations, BIND is an excellent piece of code, and I'd hate to see it vanish.

    Third, what's the -real- reason for the resignation? Open Source is less about egos, precisely because it's open, so I've my doubts about this "it's time". It sounds too much like a line from those cheesy B-Movie sci-fi movies, only without the benefit of cheese.

    Last, but not least, for all my cynicism, doubt and concerns, I reckon Paul Vixie has done an excellent job with BIND, keeping its title as one of the most widely-used nameservers on the Internet, despite fierce competition from commercial alternatives.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  26. mail from vixie, alternative to BIND by Ken+Williams · · Score: 3

    --------------------------------------------------

    Date: Sat, 13 Nov 1999 21:11:54 -0800
    From: Paul A Vixie
    Subject: Re: BIND bugs of the month (fwd)

    please forward since i'm not on bugtraq

    > Date: Sat, 13 Nov 1999 01:14:24 -0000
    > From: D. J. Bernstein
    > To: BUGTRAQ@SECURITYFOCUS.COM
    > Subject: Re: BIND bugs of the month
    >
    > ...
    > But all this cryptographic work accomplishes _nothing_ if the servers
    > are subject to buffer overflows! An attacker doesn't have to bother
    > guessing or sniffing query times and IDs, and forging DNS responses,
    > if he can simply take over the DNS server.

    yes. see the proceedings of the fifth usenix security symposium for
    further evidence of this, and evidence that i agreed with this view even
    several years ago, well before the current events.

    > This NXT buffer overflow isn't part of some old code that Paul Vixie
    > inherited from careless graduate students. It's new code. It's part of
    > BIND's DNSSEC implementation. I don't find the irony amusing. Obviously
    > ISC's auditing is inadequate.

    at times, yes it is.

    > Does anyone seriously believe that the current BIND code is secure? If
    > it isn't, adding DNSSEC to it doesn't help anybody. Is ISC going to
    > rewrite the client and server in a way that gives us confidence in
    > their security?

    yes, this has been done over the past 18 months. the result is BIND 9.
    and yes, it's all new code, and yes, it's been audited, and yes, it's
    designed to be audited, and yes, things like the NXT bug are the reason.

    > David R. Conrad writes:
    > > In addition, we recommend running your nameserver as non-root and
    > > chrooted (I know setting this up is non-trivial -- it'll be much, much
    > > easier in BINDv9).
    >
    > ``I wouldn't consider installing named any other way,'' I told Vixie in
    > September 1996. He didn't respond. Of course, DNSSEC is equally useless
    > either way; the only question is whether an attacker can also take over
    > the rest of the machine.

    when i saw the linux chroot("../../../../../../../..") hole i about fell
    out of my chair. truly no place is safe any more.

    ------------------------------------------------ --

    Alternative to BIND: http://www.dents.org/

    ------------------------------------------------ --

    all info courtesy of BUGTRAQ@securityfocus.com
    --

    --
    -- ken williams
  27. The MAPS RBL, for one.... by strabo · · Score: 3

    The MAPS (Mail Abuse Prevention System) Realtime Blackhole List is one of his projects. As far as I know, he's still going to be working on that...

    As for other stuff, check out Vixie Enterprises. He does work with IETF, I think he runs an ISP, and he's got a bunch of other projects, though I'm not sure what they all are off the top of my head...

    - strabo

  28. Thanks Paul... by EnForce · · Score: 1

    For all the years of hard work in developing what could without a doubt be one of the core pushes in the advancement of the Internet as we know it today. (Oh, and hey... your DNS tutorials and guidelines saved my ass years ago. You the man!)

  29. why slam AlterNIC? by klund · · Score: 3
    From the article: Vixie described this last feature as "the split-horizon DNS people have wanted for a long time," noting dryly (and to considerable applause) that as for "people like AlterNIC who want us to believe it's possible to have more than one set of root name servers, this will not facilitate their political agenda at all."

    What is this feature, and why does Vixie hate AlterNIC? Is the (erstwhile) maintainer of BIND in bed with the money-grubbing, freedom-denying, satan-worshipping domain-name-controlling oligarchy?

    Blech.

    --
    My word processor was written by Stanford Professor Donald Knuth. Who wrote yours?
  30. An alternate nameservice by Frater+219 · · Score: 2

    (Following up on my own post to elaborate on an idea...)

    As I understand it, the Hotline system depends largely on "trackers", which are systems which serve lists of Hotline servers. A server owner registers his/her server with one or more trackers; trackers are more widely-advertised (in the non-commercial sense of the word) than servers are; hence, users who discover a tracker discover all servers listed on it. Trackers, unlike the DNS root, are not global, and some of them may be quite difficult to locate; indeed, there are now meta-trackers (tracker-trackers) and (I'm told) even meta^2-trackers. Trackers serve to publicize servers, but they are not global nor are they as reliable as nameservice. Furthermore, they do not serve the authentication function which DNS does (through the IN-ADDR system, aka Reverse DNS).

    A similar system could be constructed for names. Each client system (resolver) would need to know about some set of nameservers and meta-nameservers, through which it could search to find a machine or domain with a particular name. When an application gives the resolver a name to resolve, the name is passed to any or all of the nameservers, which return addresses -- just as DNS nameservers do.

    The difference is that the resolver would have to query multiple nameservers, because of the lack of central organization to the system. Some servers would know about a particular name; others would not. Some servers might know that certain other servers knew an address for a name -- just as DNS has the forwarding system and routers have their route-advertisement protocols. However, since no one server could be guaranteed to find a name, the resolver would be best off querying every server it knows about.

    Furthermore, because of the lack of a central authority, servers could disagree on the proper address for a given name. A resolver could look up "Slashdot" on a set of nameservers and get back two different answers -- or ten different answers. At that point, a decision of trust must be made: which servers do you trust to have the "real" Slashdot's address? All the problems of a PGP-style web of trust enter into the system here: a nameserver is acting as an introducer, just as a signer of a PGP key does.

    Such a system would be by nature nondeterministic. It would be prone to all manner of reliability problems. However, it would be largely free of policy problems: since there would be no central authority, there could be no centralized injustice, such as some accuse NSI of exhibiting.

    The decision between DNS and such a system is the decision between a centralized regime and a radically distributed regime: a cathedral and a bazaar -- or, more to the point, a hierarchy ("hieroi-archoi" -- holy leaders) and an anarchy ("an-archoi" -- no leaders). I make no claim as to which would be better for users, for the market, or for the Net as a system.
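
The lookup model described in the comment above, sketched as an added example that is not part of the original post or of any real nameserver: a resolver asks every server it knows, follows referrals, and then has to make a trust decision when the answers disagree. Server names, trust weights and addresses are constructed, and the 0.5 default weight for a referred server and the hop limit are assumptions.

```python
from collections import defaultdict, deque


class NameServer:
    """A server with partial knowledge: direct answers plus referrals."""

    def __init__(self, ident, records=None, referrals=None):
        self.ident = ident
        self.records = records or {}      # name -> address it claims
        self.referrals = referrals or {}  # name -> idents said to know it

    def query(self, name):
        return self.records.get(name), self.referrals.get(name, [])


def resolve(name, known, directory, trust, max_hops=2):
    """Query every known server, follow referrals, weigh the answers.

    known     -- server idents configured in this resolver
    directory -- ident -> NameServer (stands in for the network)
    trust     -- ident -> weight in [0, 1] chosen by the local user
    A server reached only through a referral is trusted no more than its
    introducer: introducer weight * own weight (assumed 0.5 if unrated).
    Returns (best_address_or_None, {address: score}, conflict_flag).
    """
    scores = defaultdict(float)
    visited = set()
    queue = deque((ident, trust.get(ident, 0.0), 0) for ident in known)
    while queue:
        ident, weight, hops = queue.popleft()
        if ident in visited or ident not in directory:
            continue  # count each server once; skip unreachable ones
        visited.add(ident)
        address, referrals = directory[ident].query(name)
        if address is not None:
            scores[address] += weight
        if hops < max_hops:
            for ref in referrals:
                queue.append((ref, weight * trust.get(ref, 0.5), hops + 1))
    if not scores:
        return None, {}, False
    # Highest accumulated trust wins; ties break on the address string.
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[0][0], dict(scores), len(scores) > 1


# Constructed sample network (documentation address ranges only).
DIRECTORY = {
    "campus": NameServer("campus", {"slashdot": "192.0.2.10"}),
    "isp": NameServer("isp", referrals={"slashdot": ["mirror"]}),
    "mirror": NameServer("mirror", {"slashdot": "192.0.2.10"}),
    "stranger": NameServer("stranger", {"slashdot": "198.51.100.66"}),
}
TRUST = {"campus": 0.9, "isp": 0.6, "stranger": 0.3}

if __name__ == "__main__":
    best, scores, conflict = resolve(
        "slashdot", ["campus", "isp", "stranger"], DIRECTORY, TRUST)
    print("answer:", best, "scores:", scores, "conflict:", conflict)
    # A resolver that only knows one server cannot see the disagreement.
    print(resolve("slashdot", ["stranger"], DIRECTORY, TRUST))
```

The second call shows the weakness the comment points at: with no central authority, a resolver with a narrow view accepts a lone answer and has no signal that other servers disagree.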

  31. CONGRATS by mangino · · Score: 2

    I just wanted to say thanks (since you seem to be actively reading and responding here). I've enjoyed using MAPS, BIND and crond for quite some time. I appreciate the time you've taken to make the internet what it is today, both from working on BIND to chairing the ISC. You've provided a great service to the internet community. Mike
    --
    Mike Mangino Consultant, Analysts International

    --
    Mike Mangino
    mmangino@acm.org
  32. oh no :( by micr0s · · Score: 1

    I feel like I am going to cry :( We are losing an incredible coder of a software that is probably one of the most important things on the internet. Who's taking over? I hope it's someone good...

    --
    - clowns are evil
  33. What else can I say.... by wolf- · · Score: 1

    ...but thank you, Paul.

    Paul is a really great guy. I remember not so many years ago, email conversations with him in which he hand walked me through setting up some DNS (back in my younger years). I just hope, that the team left behind on BIND doesn't start slacking off..

    --
    ----- LoboSoft specializes in Digital Language Lab