Truth.
Wow. What a load of economic ignorance. You need to read the Angry Economist:
I proposed this idea to Clarkson University -- that it should become the first university to commit to 100% open source in five years. The president (Tony Collins) gave me the warm fuzzies and then dropped the idea like a hot potato.
-russ
That's bullshit. I have a McDonald's cash register system in my office. It's running DOS networked using my packet drivers.
-russ
Uhhhhh, I'm talking facts, and you're accusing me of being religious. Whatever!
Whoa, are you channelling the angry economist or what?? Well written!
-russ
Haha! Yeah, well, talk to Clarkson's IT department. Clueless weenies. Who ever heard of outsourcing your IT department? I guess that was better than Liz Rivet, who was Ms. Complete Disaster.
I'll nuke it. Yes, I still live in Potsdam.
-russ
The solution to that is obvious: don't run GNU/Linux. Run Linux instead.
-russ
p.s. my point being that GNU broke the C library. How is that djb's fault?
Gee, and all the programs you cite are less secure than djbdns. Cause and effect?
You are pretty clue-free. Nobody but nobody thinks a directory in the root of a filesystem creates a partition. Well, okay, you *are* that nobody. Let me say instead that nobody *else* calls it a partition. Nobody with a clue that is, anyway.
If you offer service to all comers (which an SMTP server does), then you are subject to DOS attacks. There is nothing you can do to stop somebody from opening connections from enough machines to suck up all your connections. If you run qmail-smtpd with proper resource limits, it will fail to consume too much memory. Duh.
Parse an arbitrary BIND zone file.
-russ
Why parse a conf file when Unix gives you configuration for free?
A subdirectory (not folder) in root does not create a special partition. Where did you get your clue? At Wal*Mart?
There are no security flaws in qmail. Prove it! Break into qmail.org and post the root password here.
-russ
That would matter if you needed something from the author. Don't look at djbdns as a complete solution. Look at it as a toolkit for creating a dns server. It's like anything else in Unix -- it's designed to be part of a solution, pasted together using scripting. THAT is why Unix has been successful, not because of monolithic programs like BIND and sendmail.
-russ
Um .... tinydns doesn't need to be maintained, because people aren't finding security holes or bugs in it on a weekly basis. Really, your expectation that software has bugs and needs to be maintained bangs square up against djb, and stops.
-russ
djbdns does zone transfers. If I need BIND's insecurity to get CHAOS records, I'll do without CHAOS records, thankyouverymuch. The configuration syntax is designed to be parsed by a program. If you don't like it, create your own syntax. Writing a tinydns data file is easy enough.
-russ
Its config file syntax is even more human-unfriendly than BIND's
So create a front-end for it, if you think it needs to be prettier. The semantics are much more human-friendly. You get in-zone names for MX and NS records by default. You get serial numbers updated by default. You never have a "do I need a dot at the end of this name or not" problem.
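As an added illustration of the point above (this is example code written for this page, not code from djbdns or from russ), the following Python script expands the common tinydns data line types into the resource records they imply. It shows the three semantics being argued for: a dotless name in the x field becomes x.ns.FQDN or x.mx.FQDN in-zone, the SOA serial comes from the data file's modification time rather than being typed, and no name ever carries a trailing dot. Assumptions: only the `.`, `&`, `=`, `+`, `@` and `C` line types are handled, the optional timestamp and location fields are ignored, the x field is required (tinydns-data's own handling of an empty x is not reproduced), TTL defaults follow the tinydns-data documentation, and the sample zone is constructed for the example.

```python
"""Expand tinydns 'data' lines into the records they imply (example code,
not djbdns). Handles . & = + @ C lines; timestamp/location fields are
ignored; the x field must be present (assumption made for this example)."""
import ipaddress
import os
from dataclasses import dataclass
from typing import Iterable, List

NS_TTL, SOA_TTL, OTHER_TTL = 259200, 2560, 86400  # tinydns-data defaults


@dataclass(frozen=True)
class Record:
    name: str   # owner name; tinydns names never need a trailing dot
    rtype: str
    rdata: str
    ttl: int


def _field(fields: List[str], idx: int) -> str:
    """Optional fields may be missing or empty; both read as ''."""
    return fields[idx] if len(fields) > idx else ""


def _ttl(fields: List[str], idx: int, default: int) -> int:
    value = _field(fields, idx)
    return int(value) if value else default


def _host(x: str, zone: str, infix: str) -> str:
    """'a' -> a.ns.zone (or a.mx.zone); 'ns1.example.net' is used as-is."""
    if not x:
        raise ValueError("x field is required in this example")
    return x if "." in x else f"{x}.{infix}.{zone}"


def expand(lines: Iterable[str], serial: int) -> List[Record]:
    """`serial` is what tinydns-data takes from the data file's mtime."""
    out: List[Record] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":")
        fqdn = fields[0]
        if kind in ".&":                       # NS (+SOA for '.'), A for the server
            ip, host = _field(fields, 1), _host(_field(fields, 2), fqdn, "ns")
            ttl = _ttl(fields, 3, NS_TTL)
            if kind == ".":
                soa = f"{host} hostmaster.{fqdn} {serial} 16384 2048 1048576 2560"
                out.append(Record(fqdn, "SOA", soa, SOA_TTL))
            out.append(Record(fqdn, "NS", host, ttl))
            if ip:
                out.append(Record(host, "A", ip, ttl))
        elif kind in "=+":                     # A, plus PTR for '='
            ip, ttl = fields[1], _ttl(fields, 2, OTHER_TTL)
            out.append(Record(fqdn, "A", ip, ttl))
            if kind == "=":
                rev = ipaddress.ip_address(ip).reverse_pointer
                out.append(Record(rev, "PTR", fqdn, ttl))
        elif kind == "@":                      # MX, plus A for the mail host
            ip, host = _field(fields, 1), _host(_field(fields, 2), fqdn, "mx")
            dist = int(_field(fields, 3) or 0)
            ttl = _ttl(fields, 4, OTHER_TTL)
            out.append(Record(fqdn, "MX", f"{dist} {host}", ttl))
            if ip:
                out.append(Record(host, "A", ip, ttl))
        elif kind == "C":                      # CNAME
            out.append(Record(fqdn, "CNAME", fields[1], _ttl(fields, 2, OTHER_TTL)))
        else:
            raise ValueError(f"unsupported tinydns line type {kind!r}: {line}")
    return out


def load_data_file(path: str) -> List[Record]:
    """Serial = data file mtime, the tinydns-data default."""
    with open(path) as fh:
        return expand(fh, int(os.path.getmtime(path)))


# Constructed sample data file for the example; not a real zone.
SAMPLE = """\
# example.com served by a.ns.example.com, mail via mail.mx.example.com
.example.com:192.0.2.1:a:259200
=www.example.com:192.0.2.20
@example.com:192.0.2.10:mail:10
Cftp.example.com:www.example.com
"""

if __name__ == "__main__":
    for r in expand(SAMPLE.splitlines(), serial=1700000000):
        print(f"{r.name:<28} {r.ttl:>7} IN {r.rtype:<5} {r.rdata}")
```

Running it prints the SOA, NS, A, PTR, MX and CNAME records the four data lines imply; note that nothing in the input carries a serial number or a trailing dot, which is the contrast with a hand-edited BIND zone file that the thread is about.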
It doesn't support caching
djbdns does support caching. Anyway, you should be using different programs to cache and serve up authoritative data. Some of BIND's security problems were caused by its combination of caching and authoritative data, so that is no longer a recommended configuration.
Yes, you can't distribute modified versions of djb's software. On the one hand, that's a pain in the ass. On the other hand, djb has a very good track record for security, so do you really WANT to distribute modified versions?
-russ
yes. http://qmail.org/news.html or http://qmail.org/news.rdf and there's a Slashdot news feed for it.
The question is whether the flexibility is worth the security cost imposed by the extra complexity required to get the flexibility. I say no, and run qmail. It's the only MTA that has never had a security lapse. (actually, Courier might not have had one either, but who runs Courier?)
-russ
Uhhhhhhh, sorry, Anonymous Coward, but you don't get away with that accusation without more details than that. There have been no security lapses in tinydns or dnscache. Weasles is actually spelled Weasels. Googling for djbdns fraud gets me nothing. Honest up, dude!
-russ
Why not?? He's replaced the other major ISC-associated software. Plus you know there must be security holes in dhcpd.
-russ
Actually, the BIND zone file layout is error prone. How many times have you forgotten to update a serial number? How many times have you forgotten to put a dot at the end of a name?
Also, BIND allows you to mix caching and authoritative services. Not only is this insecure in nature, it's insecure in BIND's implementation. Much safer to have them on different IP addresses.
-russ
That's only because I wasn't on the road with you. I can make driving MUCH more interesting .... and challenging.
-russ
Sigh. What does my signature say? Go ahead, read it, what does it say??? It says "Don't piss off the Angry Economist." Okay, so you went and did it. You said something that was total economic bullshit. If you want to find out what it was, go read my blog in 1/2 hour, when I get finished writing the reply.
-russ
Click on the russnelson.com url just north of here, and you'll see how close they got to my house.
-russ
The USGS photos on mapper.acme.com (same data as terraserver-usa.com) date from about 1996.
-russ