Internet Systems Consortium Seeks Wider Input For BIND 10

Posted by timothy
from the one-bind-to-ring-them-all dept.
joabj writes "The ISC is seeking some open source magic for the next version of the widely used BIND. Although BIND is already open source, most of the work thus far done on the DNS server software has come from contractors, the government and Unix vendors. 'The goal is to move away from having BIND a heavily sponsored corporate product,' said BIND 10 manager Shane Kerr. Kerr is hoping that more eyes will equal fewer bugs, and that more users will go ahead and implement the features they've been requesting themselves. BIND 10, due by the end of the year, features a new modular architecture, one designed to circumvent many of the security woes that have bedeviled BIND 9."

  • by MaraDNS (1629201) on Saturday January 14, 2012 @06:16AM (#38696212) Homepage Journal

    From a security perspective, BIND 9 is infinitely better than BIND 8 was, and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.

    The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.

  • by Colin Smith (2679) on Saturday January 14, 2012 @06:19AM (#38696224)

    Mostly because in security terms it's a fucking nightmare. Has to solve some very difficult maths.
     

  • BIND alternatives (Score:5, Informative)

    by MaraDNS (1629201) on Saturday January 14, 2012 @06:41AM (#38696276) Homepage Journal

    Since this is about BIND, let me start the inevitable thread about the BIND alternatives.

    BIND [isc.org] is the Swiss Army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE [nist.gov]

    Unbound [unbound.net] and NSD [nlnetlabs.nl] are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE [nist.gov] Unbound CVE [nist.gov]

    PowerDNS [powerdns.com] (which, like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or whatnot to resolve a DNS name. Used by Wikimedia, among others. CVE [nist.gov]

    MaraDNS [maradns.org]. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE [nist.gov]

    DjbDNS [cr.yp.to]. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems [nist.gov] (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq [sourceforge.net] is a currently maintained unofficial fork.

    There are many, many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones [linuxmafia.com].
