TL;DR The grandparent complained about MaraDNS not having more features. He responded to my "show me the money" reply by saying "why should anyone pay you if you don't have more features". My reply: "Because DNS shouldn't be a monoculture".
(As an aside, I actually somewhat respect the parent poster because he does a reasonable job of articulating his points. His thinking is a little rigid and absolute "this is how it must be done" for my tastes, but he at least has clue, something becoming rarer and rarer as Slashdot slowly goes the way of the horse and buggy)
Since I have Karma to burn, and since it probably would be best if my Karma went to hell, discouraging me from wasting time on Slashdot, here's my thoughts on the negative moderations:
Sure, the first post came off as an ad. I wrote it too quickly, and I can see why a moderator didn't like it. I can also see why a moderator--perhaps the same one--didn't like the parent to this. A good number of Slashdot readers who still live in that "everything should be free and no one has bills to pay since they all live in my mother's basement [1] like I do" neckbeard fantasyland probably don't like how I pointed out that it's going to take real money for MaraDNS to get DNSSEC or have rate limiting. They probably stopped there and moderated down (the post was also too long, but a long post deserves a long reply).
[1] In other cultures, multiple generations living under the same roof is normal; I feel the idea that a kid has to move out of the house at 18 to be a real man is one that is bad for families. It's actually in many ways good when a 45-year-old man still lives in his mother's basement, since he will become the one taking care of his aging mother instead of sending her to a nursing home.
OK, I'm out of Slashdot for the rest of 2013. I will not post here until the beginning of 2014. The moderators hath spoken and I really need to get out of the shithole Slashdot is becoming. MaraDNS is the past; it's time for me to make a new mark on the world!
"Potential" being the operative word. Truncated DNS packets still have enough information in them to answer DNS questions, and the only time I've really seen truncated packets is with some of the byzantine DNS packets Yahoo has.
DNSSEC support is critical
But not critical enough for someone to send me the money to make DNSSEC happen with MaraDNS: http://maradns.org/products.html It's really the same problem IPv6 has: All kinds of geeks talk about how great it would be if IPv6 were everywhere, but they don't put out the money for IPv6 to happen more quickly.
It's still possible to resolve domains and surf the web without DNSSEC. I know: MaraDNS 2.0 (Deadwood) is being used to resolve Slashdot.org (and all the other places I go) so I can make this posting. Yes, there are issues with someone with a packet sniffer forging DNS packets on the same network, and I do agree DNSSEC is needed on a larger network with infected machines, and is needed for a DNS server that calls itself secure, but it is working for me right now.
(For sites where forgery is a real problem, such as online banking, I use a special virtual machine and make sure the HTTPS certificate is kosher)
DNS resolvers should not be usable by the world.
Google, OpenDNS, and heck, Level3 disagree with you. That said, I mostly agree: That's why there are no examples in MaraDNS' documentation showing how to make a recursive nameserver globally resolvable, and why it has never been a default configuration in Mara.
Any DNS server that provides recursive DNS ought to not simultaneously provide authoritative DNS from the same service, or from the same IP.
That's the design MaraDNS 2.0 has: I removed the recursion from the "maradns" daemon and completely, from scratch, reimplemented recursion in a separate daemon, which has to run on a separate IP. Not one line of code is shared between the two.
I fully expect any government or corporate grants will go towards DNS server implementations that are more widely used
I understand your sentiment, but, software monoculture is a bad thing and software diversity is a good thing.
When DNS first showed up in the 1980s, there were a number of different implementations. By the time I started MaraDNS 12 years ago, there was only one usable open-source DNS server out there. When I finished MaraDNS, there were five or six (depending on whether Unbound/NSD counts as one or two) different actively maintained significant open-source DNS servers out there. That number has since gone down (none of the djbdns forks came out with a release that fixes CVE-2012-1191). I hope that number continues to be higher than one.
An attitude of "let's only support one DNS server" can return us to the world of a DNS monoculture. EDNS, DNSSEC, and all of these extensions to DNS do not help.
I don't like how CSS, Javascript, and HTML have become such a mess that it requires multi-million dollar grants to keep a browser current, and where Opera finally threw in the towel because they just couldn't keep up with the nonstop update treadmill browsers are on. Dillo doesn't even try to be current (I think they made a mistake trying to support CSS at all, but that's another discussion for another day).
While I disagree with DJB on a lot of things, I understand why he rejected DNSSEC and proposed DNSCURVE: He wanted to keep DNS simple, to keep DNS something that a single talented developer can implement in their spare time.
For better or for worse, DNSSEC won, and now DNS can no longer practically be implemented by a one-man show.
PowerDNS
I agree PowerDNS is a good choice, especially for people who want a database back end, but I'm disappointed it took them over a year to patch CVE-
Out of all those though, rate limiting seems to make the most sense and is the lesser of the evils.
Except for the fact that some DNS servers do not have rate limiting nor the funds to implement rate limiting (it's non-trivial to implement), you're right.
In my case, without EDNS support, the highest amplification factor my DNS server has is 23x (as opposed to the 100x+ EDNS servers have). Also: My server doesn't have open recursion enabled by default.
As the implementer of MaraDNS, here are my thoughts:
1) MaraDNS 1 and Deadwood do not support a technology called "EDNS" that allows for large DNS packets. By only supporting 512-byte packets, both DNS servers do not allow for the 100x amplification used in this DDOS that other DNS servers have.
2) My DNS software does not come with unrestricted recursive access enabled by default, and the documentation strongly discourages open recursion.
3) I will have to double check, but, as I recall, the documentation and example configuration files do not include an example with unrestricted recursive access.
One feature that would be nice would be to be able to restrict how much data my DNS server sends to a given IP (again, as noted above, MaraDNS/Deadwood already has a form of this because they do not support EDNS). Unfortunately, since I am not developing new features for MaraDNS like this without being compensated for my time, I would need a corporate or government grant to implement this. TANSTAAFL
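The per-IP response cap discussed above, worked through as an added example (this is not MaraDNS or Deadwood code; the header layout follows RFC 1035, while the token-bucket policy, the budget numbers and the sample client addresses are assumptions made for illustration). The point it shows is the one the post makes about EDNS: a reply that is no larger than the query has an amplification factor of 1, so when a client's byte budget is exhausted the server can answer with a header-plus-question reply with the TC bit set instead of going silent. A legitimate client retries over TCP, where the handshake verifies the source address, and a reflection victim receives no more bytes than were sent in its name.

```python
"""Response budgeting for a DNS server that caps how many bytes it sends
back to any one client IP, with a truncate-to-TCP fallback.

Added example, not MaraDNS or Deadwood code. Header layout per RFC 1035;
the budget policy, numbers and sample addresses are assumptions."""
import struct
import time

MAX_UDP_NO_EDNS = 512   # classic UDP payload limit without EDNS (RFC 1035)
QR_FLAG = 0x8000        # "this message is a response"
TC_FLAG = 0x0200        # "truncated": the client should retry over TCP
RD_FLAG = 0x0100        # "recursion desired", echoed back to the client


def build_query(name, qtype=1, qid=0x1234):
    """Constructed sample query (type A, class IN); not captured traffic."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def question_end(msg):
    """Offset just past the question section (handles label pointers)."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        while True:
            n = msg[off]
            if n == 0:            # root label ends the name
                off += 1
                break
            if n & 0xC0 == 0xC0:  # a compression pointer also ends the name
                off += 2
                break
            off += 1 + n
        off += 4                  # QTYPE + QCLASS
    return off


def truncated_reply(query):
    """Header + question only, TC set: never larger than the query itself,
    so this reply's amplification factor is at most 1."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    flags = QR_FLAG | TC_FLAG | (flags & RD_FLAG)
    header = struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0)
    return header + query[12:question_end(query)]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def amplification(query_len, reply_len):
    """Bytes out per byte in; the post's 23x vs 100x+ figures are this ratio."""
    return reply_len / query_len


class ResponseBudget:
    """Token bucket of reply bytes per client IP. Decides whether a reply is
    sent in full, replaced by a truncated reply, or dropped outright."""

    def __init__(self, bytes_per_second, burst_bytes, clock=time.monotonic):
        self.rate = bytes_per_second
        self.burst = burst_bytes
        self.clock = clock          # injectable so the policy can be tested
        self._buckets = {}          # ip -> (tokens, last_update)

    def decide(self, ip, query_len, reply_len):
        now = self.clock()
        tokens, last = self._buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if reply_len <= tokens:
            verdict, cost = "send", reply_len
        elif query_len <= tokens:   # a truncated reply costs about one query
            verdict, cost = "truncate", query_len
        else:
            verdict, cost = "drop", 0
        self._buckets[ip] = (tokens - cost, now)
        return verdict


if __name__ == "__main__":
    q = build_query("example.com")
    budget = ResponseBudget(bytes_per_second=10, burst_bytes=100)
    for _ in range(3):   # constructed client address from the 198.51.100.0/24 test range
        print(budget.decide("198.51.100.7", len(q), MAX_UDP_NO_EDNS))
    print(len(truncated_reply(q)), "bytes, TC set:", is_truncated(truncated_reply(q)))
```

The budget is keyed on the claimed source address, which is exactly the address an attacker forges, so the cap bounds what any one victim can be sent rather than identifying the attacker; that is why the truncate fallback matters more than the drop.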
Slashdot: 2001 called and wants their lack of ability to edit posts (perhaps with a timeout to stop some forms of abuse) back. I swear, this place is becoming almost as musty as Usenet.
You're right of course; it's just not possible to fully describe the differences between DNSSEC and DNScurve in a 250-word summary written for people who think DNS is just some "boring subject". I chose readable over "pedantically accurate", along with a disclaimer that some details were lost in the interest of brevity and readability.
DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.
Back then, there were two DNS servers out there:
BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks
LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
DNScurve, as pointed out above, doesn't do nearly as much as DNSSEC does. In particular, DNScurve still allows "NXDOMAIN redirection" but DNSSEC doesn't. In addition, Bind, NSD, Unbound, and PowerDNS (non-recursive) have DNSSEC support, but there is not a mainstream DNS server out there with DNScurve support.
djbdns hasn't been updated since 2001 and even the unofficial forks do not have patches for all three CVE security holes in DjbDNS. Since DjbDNS' goal was security, I consider it abandoned until someone makes a fork fixing all of the known security problems.
There are ways to make blind DNS spoofing almost impossible without needing to add complex cryptography. Crypto, however, is needed when the attacker can watch the DNS packets that the victim sends.
I would love to implement DNSSEC for MaraDNS, but I would need $50k US to pull it off. I would like to make it a kickstarter project, but I think people would rather just use Unbound/NSD (which, unlike MaraDNS, was funded with a government grant) instead of throwing money my way.
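The non-cryptographic defences against blind spoofing mentioned two posts up, as an added example that is not part of the thread and not code from any of the DNS servers named here: a resolver picks a random transaction ID, a random source port and a random upper/lower-case pattern for the question name (the "0x20" trick), and accepts a reply only if all three are echoed back. The query builder, the `OutstandingQuery` record and `make_reply` (what a well-behaved authoritative server returns) are assumptions constructed for the example; no sockets are involved. The caveat is the one the post states: an attacker who can see the query learns all three values, which is where DNSSEC comes in.

```python
"""Resolver-side checks that make blind (off-path) DNS spoofing impractical
without cryptography. Added example; not MaraDNS, Deadwood or djbdns code.
Query layout per RFC 1035; record and reply helpers are assumptions."""
import math
import secrets
import struct

QR_FLAG = 0x8000


class OutstandingQuery:
    """What the resolver remembers about a query it has sent."""

    def __init__(self, qid, src_port, question):
        self.qid = qid
        self.src_port = src_port
        self.question = question   # raw question bytes as sent, case preserved


def randomize_case(name):
    """0x20 encoding: flip each letter of the name to a random case."""
    return "".join(c.upper() if c.isalpha() and secrets.randbits(1) else c.lower()
                   for c in name)


def encode_question(name, qtype=1):
    """Wire-format question section (class IN) for name."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return qname + b"\x00" + struct.pack("!HH", qtype, 1)


def send_query(name, qtype=1):
    """Build a query with a random ID, random high source port and random
    case. Returns (wire bytes, OutstandingQuery); socket I/O is left out."""
    qid = secrets.randbits(16)
    src_port = 1024 + secrets.randbelow(65536 - 1024)
    question = encode_question(randomize_case(name), qtype)
    wire = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + question
    return wire, OutstandingQuery(qid, src_port, question)


def make_reply(qid, question_as_received, rdata=b"\xc0\x00\x02\x01"):
    """What a well-behaved authoritative server sends back: it echoes the
    question bytes exactly (case included) and adds one A record. The
    address 192.0.2.1 is a documentation-range placeholder."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question_as_received + answer


def reply_matches(outstanding, reply, dst_port):
    """Accept a reply only if it arrived on the port we used, carries our
    ID, is flagged as a response, and echoes the question byte-for-byte
    (which includes the random case pattern)."""
    if dst_port != outstanding.src_port or len(reply) < 12:
        return False
    qid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if qid != outstanding.qid or not flags & QR_FLAG or qdcount != 1:
        return False
    qlen = len(outstanding.question)
    return reply[12:12 + qlen] == outstanding.question


def guess_bits(name, port_range=65536 - 1024):
    """Bits an off-path forger must guess: 16 for the ID, the source-port
    range, and one per letter of the name for the case pattern."""
    letters = sum(1 for c in name if c.isalpha())
    return 16 + math.log2(port_range) + letters


if __name__ == "__main__":
    wire, rec = send_query("example.com")
    good = make_reply(rec.qid, rec.question)
    print("legitimate reply accepted:", reply_matches(rec, good, rec.src_port))
    print("guess work for a blind forger: %.1f bits" % guess_bits("example.com"))
```

Comparing the echoed question bytes is what gives the case randomization its value; a resolver that lower-cases before comparing throws those bits away.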
Really quickly:
It's ironic this is a front page story, because a few months ago I got in a pointless flame war over here at Slashdot over this very point (when, after going to a lot of effort to make a useful comparison of DNS servers, some pedant got upset that I used an analogy treating the Internet like the World Wide Web):
http://slashdot.org/comments.pl?sid=2620802&cid=38696276
djbdns has not been updated since 2001 and even the unofficial forks have not addressed important issues like the security problem CVE-2012-1191.
If you want DNSSEC and don't want BIND, your only other open-source option is Unbound; MaraDNS doesn't have DNSSEC either, and PowerDNS only has it for the authoritative code.
It's akin to an office suite because -- except for BIND, which is monolithic -- you have two distinct programs with different functions: The authoritative and recursive program. Just like you have a word processor and spreadsheet in an office suite.
Rick Moen explains it quite well.
Last time I looked at DNScurve, it had absolutely no traction. None of the five DNS servers I listed above -- not even djbdns -- come with DNScurve support.
It frustrates and annoys me that you are being so dang pedantic about the issue. I think it would do you well to think about why it is that you annoy a lot of people.
Voice-Family: Leo having a conversation with Sheldon in an episode of "The Big Bang Theory".
No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.
To make the pedants happy: A DNS server is, if you will, akin to an office suite. Yeah, what's really going on is that there is an "authoritative DNS server" that serves arbitrary name-to-data mappings so that programs called "recursive DNS servers" can give said mapping to a client program and there's also non-recursive forwarding DNS servers and blah blah blah. I think the audience is falling asleep at this point...
Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers. However, if someone were willing to sponsor it, I would be perfectly happy to make a version of MaraDNS that uses SINK RRs and dynamic updates to allow people to perform document collaboration via DNS.
Since this is about BIND, let me start the inevitable thread about the BIND alternatives.
BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE
Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE
PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE
MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/BSD and PowerDNS). Easy-to-configure; tiny binary suitable for embedded systems. CVE
DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.
There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones
From a security perspective, BIND 9 is infinitely better than BIND 8 was -- and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.
The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.
You know, I keep hearing on Slashdot about the need for some kind of non-hierarchical peer-to-peer name resolution to replace DNS. What I haven't seen is a working proposal for such a system; the closest I've seen is Namecoin.
You know, you're not the first person who wants me to do all kinds of work and doesn't want to pay me, and you won't be the last one.
I have blogged about this before, and it comes down to this: If you want to be treated like a customer of MaraDNS, you first must become a customer of MaraDNS.
If you don't want to pay me money, you have the source code. You are free to either submit patches (which I would gladly host), or to make your own fork of the code.
You would be a more productive person by "lighting a candle" -- either paying me or by submitting patches -- than by "cursing the darkness" -- complaining that open source developers are not at your beck and call.
I would hardly call calling a single program bundled with MaraDNS before running it the first time a "stupid convoluted hoop", especially when said program is run by the built-in install.bat script and requires no user-interaction to run.
But, hey, if you would rather have CryptGenRandom() in the MaraDNS and Deadwood binary itself, show me the money and we'll talk.
I no longer implement features just because some anonymous identity on the web wants it, but money talks. Please discuss rates with me in private email before paying me.
While there pretty much isn't anything out there -- besides Windows -- without /dev/urandom, MaraDNS' Deadwood has a built-in default random "magic hash number" that changes for each and every point release of Deadwood.
On Windows, Deadwood includes a program for creating a random entropy pool file which is run when running the Deadwood install scripts. Deadwood will, by default, complain if it doesn't find that entropy on Windows.
Another thing I forgot to add: Why use MaraDNS.
I would love to implement DNSSEC for MaraDNS, but, again, it's a case of TANSTAAFL: http://maradns.org/products.html
I posted about this before and I will probably have to post this again: Where's this alternative to DNS everyone keeps talking about on Slashdot?
If you don't like what the ICANN is doing, (shameless plug) it's pretty easy to download and install an open-source (BSD licensed) recursive DNS server (even on Windows), then use the program to blacklist ICANN's new domains.
If you don't want to use my program, I am sure other DNS servers, such as Unbound and BIND (which usually comes with Linux) have similar capabilities.
Most likely, you will update Debian in the next two years and will be upgraded to MaraDNS 2.0 when that happens: http://packages.debian.org/source/experimental/maradns
Be sure to be using MaraDNS 2 and not MaraDNS 1; MaraDNS 1 is obsolete and support ends in about 2 years. ObNeckbeard: 2 years, 6 months, and 2 days.
This conversation has hit the point that it's best continued in private email. I am not going to reply to any more of your postings.
Sigh. I give up. Yes, I was technically being a little inaccurate, and yes, there are a zillion ways I could have explained that entire mess better, such as linking to Rick's excellent explanation of different DNS server types.