
Internet Systems Consortium Seeks Wider Input For BIND 10

Posted by timothy
from the one-bind-to-ring-them-all dept.
joabj writes "The ISC is seeking some open source magic for the next version of the widely used BIND. Although the BIND is already open source, most of the work thus far done on the DNS server software has come from contractors, the government and Unix vendors. 'The goal is to move away from having BIND a heavily sponsored corporate product,' said BIND 10 manager Shane Kerr. Kerr is hoping that more eyes will equal fewer bugs, and that more users will go ahead and implement the features they've been requesting themselves. BIND 10, due by the end of the year, features a new modular architecture, one designed to circumvent many of the security woes that have bedeviled BIND 9."
  • by Richard_at_work (517087) <richardprice&gmail,com> on Saturday January 14, 2012 @05:14AM (#38696018)

    BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad.

    So what makes them think BIND 10 will succeed?

    • by OeLeWaPpErKe (412765) on Saturday January 14, 2012 @05:41AM (#38696108) Homepage

      They're going to be more agile.

      That's what the bind 10 engineering manager told the committee of architects. She did this with approval from four other managers. The committee of architects will now present their solution to a conference of engineers, and then they will then choose external parties to be contracted to do the actual programming (and "surprisingly" the cheapest acceptable external party will just happen to have a job at verizon ... which is why "corporate features" are so prevalent in Bind). But now ... They're "looking for input". Anyone here ever tried to give input to an ISC discussion ? It's a bit like bleeding to death while having your leg slowly feasted on by a pack of hyenas, except of course that it takes 4-5 years for you to die (don't worry, the chances of someone actually having looked at your input in that time frame is minute, after all let's face it : these guys work so fast that features like intergalactic eon-timescales dns support needs to be built in right now. After all, given their decision speeds, it's very unlikely that there will be consensus for another release before we need it). By the time it is obvious just how much input ISC egos can stand you will have a newfound appreciation for bleeding to death : it's fast, and a bleeding leg does not have an ego charlie sheen would describe as "much worse than my mother".

      I foresee issues.

      • BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad. So what makes them think BIND 10 will succeed?

        Let me guess... Because BIND 9 is an awful code?

    • by MaraDNS (1629201) on Saturday January 14, 2012 @06:16AM (#38696212) Homepage Journal

      From a security perspective, BIND 9 is infinitely better than BIND 8 was—and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.

      The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.

      • by Crackez (605836)
        A DoS on a DNS server is a pretty bad thing though... It's such a fundamental service on the network, that if it's down, lots of things break. So a DoS on DNS is an amplified problem such that many services will fail or become unreachable which is just as bad.
    • Because Paul Vixie says so, and we all know he is always right.

    • by Chemisor (97276)

      Third time's the charm.

  • by Colin Smith (2679) on Saturday January 14, 2012 @05:51AM (#38696142)

    Screw bind, what's needed is a non hierarchical name resolution mechanism.

    • by MaraDNS (1629201) on Saturday January 14, 2012 @06:11AM (#38696202) Homepage Journal

      You know, I keep hearing on Slashdot about the need for some kind of non-hierarchical peer-to-peer name resolution to replace DNS. What I haven't seen is a working proposal for such a system; the closest I've seen is Namecoin [dot-bit.org].

      • by Colin Smith (2679) on Saturday January 14, 2012 @06:19AM (#38696224)

        Mostly because in security terms it's a fucking nightmare. Has to solve some very difficult maths.

      • Resolving short names to dns name servers in a p2p fashion is problematic. What we should build is a system based on public / private key pairs. Sure the problem of establishing that "Bank of America" has key XXXX is going to be problematic, I'm not sure exactly how to tackle it, and that's most of what the dns system actually solves. But after that step you could be performing name server lookups via a known public key. Just sign a new location record and publish it via something like DHT [wikipedia.org].

        No root servers,
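The signed location record the post sketches, written out as an added example (mine, not code from the thread or from any project): an owner key pair, a record signed with it, and the check a looker-up would run on a record fetched from an untrusted DHT node. The record format, the field names and the `bank.example` name and addresses are constructed assumptions; the trusted public key is assumed to have been learned out of band, which is exactly the step the post says it cannot solve. The serial check goes one step beyond the post: without it, a genuine but older record could be replayed to send clients to an address the owner has since abandoned.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// LocationRecord is a constructed, hypothetical record format, not any real
// protocol: the key holder asserts "Name currently lives at Address" under a
// monotonically increasing Serial, and signs all three fields.
type LocationRecord struct {
	Name    string
	Address string
	Serial  uint64
	Sig     []byte
}

// canonical encodes the signed fields unambiguously: each string is
// length-prefixed so a forger cannot shift bytes between Name and Address.
func canonical(name, addr string, serial uint64) []byte {
	var b bytes.Buffer
	for _, s := range []string{name, addr} {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(s)))
		b.Write(l[:])
		b.WriteString(s)
	}
	var ser [8]byte
	binary.BigEndian.PutUint64(ser[:], serial)
	b.Write(ser[:])
	return b.Bytes()
}

// NewOwner creates the key pair a name holder keeps. The public half is what
// everyone else must learn out of band (the "Bank of America has key XXXX"
// problem the post leaves open); here it is simply handed to the verifier.
func NewOwner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish produces the signed record the owner would push into the DHT.
func Publish(priv ed25519.PrivateKey, name, addr string, serial uint64) LocationRecord {
	msg := canonical(name, addr, serial)
	return LocationRecord{Name: name, Address: addr, Serial: serial, Sig: ed25519.Sign(priv, msg)}
}

// Verify is the check a looker-up runs on a record served by an untrusted
// DHT node: the signature must verify under the key already trusted for the
// name, and the serial must advance past the last record accepted, so a
// replayed older record is rejected even though its signature is genuine.
func Verify(trusted ed25519.PublicKey, rec LocationRecord, lastSerial uint64) error {
	if !ed25519.Verify(trusted, canonical(rec.Name, rec.Address, rec.Serial), rec.Sig) {
		return errors.New("signature does not verify under the trusted key")
	}
	if rec.Serial <= lastSerial {
		return fmt.Errorf("stale record: serial %d <= last accepted %d", rec.Serial, lastSerial)
	}
	return nil
}

func main() {
	pub, priv, err := NewOwner()
	if err != nil {
		fmt.Println("keygen failed:", err)
		return
	}
	// Constructed sample: the owner moves bank.example to a new address.
	old := Publish(priv, "bank.example", "192.0.2.10", 1)
	cur := Publish(priv, "bank.example", "192.0.2.11", 2)
	fmt.Println("current record accepted:", Verify(pub, cur, 1) == nil)
	fmt.Println("replay of old record rejected:", Verify(pub, old, 2) != nil)
}
```

The design choice worth noting is that nothing here replaces the DHT node's honesty with anything but the owner's signature: a node may withhold records or serve old ones, which is why the verifier tracks the highest serial it has accepted rather than trusting whichever copy it was handed last.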

        • by AuMatar (183847)

          Ooh, I know. We could have a central authority that serves the domain->key mappings via an internet protocol. We could call it DKS- domain key service.

          Or you know, that could be why it was hierarchical to begin with. Peer to peer isn't always the right answer.

          • Or have a few trusted entities that sign your key and name record, SSL anyone? Or allow duplicates with a web of trust. And allow URLs to use the above public key for cross domain links.
      • A few people have done it. It hasn't caught on, because it's a stupid idea.

        Peer to peer name resolution is pretty easy, the problem is authority. DNS doesn't just give an arbitrary mapping from names to IP addresses, it gives a mapping that the whole world agrees on. That is the bit that is hard to do. With DNS, this is simple. Each tier is authoritative for each subdomain. In a p2p system, who is responsible for allocating foo.bar (or slashdot.org)? With DNSSEC, it's actually quite easy to add a p2

    • by Anonymous Coward

      Already working on it.
      - P2P - No concept of "authority".
      - Based on a web of trust with cascading rulesets - Impossible to poison, unless you personally trusted the wrong person.
      - Graph [wikipedia.org]-based - Structured like the human mind or society, based on fractional associations.
      - File system driver - Why not follow the UNIX philosophy? Makes it compatible to *everything* and child's play to use.
      - Obviously possible to be tunnelled over everything, like encryption, compression, etc.
      - Written in Haskell, verified in Qu

  • BIND alternatives (Score:5, Informative)

    by MaraDNS (1629201) on Saturday January 14, 2012 @06:41AM (#38696276) Homepage Journal

    Since this is about BIND, let me start the inevitable thread about the BIND alternatives.

    BIND [isc.org] is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE [nist.gov]

    Unbound [unbound.net] and NSD [nlnetlabs.nl] are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE [nist.gov] Unbound CVE [nist.gov]

    PowerDNS [powerdns.com] (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE [nist.gov]

    MaraDNS [maradns.org]. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy-to-configure; tiny binary suitable for embedded systems. CVE [nist.gov]

    DjbDNS [cr.yp.to]. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems [nist.gov] (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq [sourceforge.net] is a currently maintained unofficial fork.

    There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones [linuxmafia.com]

    • There's also Windows DNS :D
      Pretty sure it's based on Bind though, and is missing some features.

    • Unbound and NSD are a suite of DNS servers from the same people One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet

      I thought bind was bloated, but unbound includes an HTTP server and client as well? That brings bloat to a whole new level. Is it based on EMACS?

  • Distributed DNS (Score:3, Interesting)

    by Anonymous Coward on Saturday January 14, 2012 @06:57AM (#38696316)

    We are sick and tired of being threatened by our governments on behalf of failing business models (MAFIAA)

    We want distributed DNS (like this: http://dot-bit.org/Main_Page [dot-bit.org])

    (For non-techies: Think of DNS servers functioning like BitTorrent.)

    • by Anonymous Coward

      I don't understand the tech details, and would appreciate your thoughts on why the global community can't just launch a tld like "nonusa", and have nameservers that the US can't attack. Then we could have registrars hand out .com.nonusa and so on.
      Doable?

    • As another responder further in the thread mentioned, plans like this are all well and good, good luck getting them to be used before 2020. (See: DNSSEC, IPv6)

      Even SPF took a few years to meet widespread adoption, and that only required a single TXT record for a domain to secure itself, and was highly compatible with non-SPF users. An alternative naming system, on the other hand, would be useless in proportion to the number of users not on it.

  • by jimmydigital (267697) on Saturday January 14, 2012 @08:44AM (#38696594) Homepage Journal

    I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Others look more like some over the hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big starring role. Give it up Bind... it's not going to happen.

    • by Anonymous Coward

      bind and sendmail will die when they have outlived their usefulness.

    • by mvdwege (243851)

      As someone still maintaining a BIND9 deployment, I have to ask: do you have any arguments to go with that rant? Because I don't have any problems.

      • by laffer1 (701823)

        My only complaint about BIND 9 is setting up DNSSEC. They're working on it, and 9.8 made it a bit easier, but it's still a hassle. DNS has always been a set it up and forget it service until now.

        • by mvdwege (243851)

          We don't use DNSSEC, so that's probably why I find BIND9 to be trouble free.

          We do a lot of host mutations though, so I get to work a lot with BIND. The only hassle is to remind myself to update the zone serials.
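An added example (mine, not from the thread or from BIND) of the serial bookkeeping just mentioned: it pulls the serial out of a constructed zone file, computes the next value under the common YYYYMMDDnn convention, and applies the RFC 1982 serial comparison a secondary uses to decide whether a zone has changed, which is why a forgotten bump means the secondaries silently keep serving the old zone. The zone contents, the `example.net` names and the 192.0.2.0/24 addresses are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SampleZone is a constructed zone file (documentation names and addresses),
// not a real deployment.
const SampleZone = `$ORIGIN example.net.
$TTL 3600
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2012011401 ; serial, YYYYMMDDnn
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; negative-cache TTL
    IN NS ns1.example.net.
ns1 IN A  192.0.2.1
www IN A  192.0.2.80
`

// ParseSOASerial returns the serial from the zone's SOA record. It strips
// ';' comments and the parentheses that let the SOA span several lines,
// then takes the third field after "SOA" (mname, rname, serial, ...).
func ParseSOASerial(zone string) (uint32, error) {
	var fields []string
	inSOA := false
	for _, line := range strings.Split(zone, "\n") {
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i]
		}
		line = strings.NewReplacer("(", " ", ")", " ").Replace(line)
		toks := strings.Fields(line)
		if inSOA {
			fields = append(fields, toks...)
		} else {
			for j, tok := range toks {
				if tok == "SOA" {
					inSOA = true
					fields = append(fields, toks[j+1:]...)
					break
				}
			}
		}
		if len(fields) >= 3 {
			break
		}
	}
	if len(fields) < 3 {
		return 0, errors.New("no SOA serial found")
	}
	v, err := strconv.ParseUint(fields[2], 10, 32)
	if err != nil {
		return 0, fmt.Errorf("bad serial %q: %w", fields[2], err)
	}
	return uint32(v), nil
}

// NextSerial returns the serial to write for an edit made today ("YYYYMMDD"):
// the day's first edit gets nn=01; later edits the same day, or a serial that
// is already past today's range, simply increment.
func NextSerial(current uint32, today string) (uint32, error) {
	if len(today) != 8 {
		return 0, errors.New("today must be YYYYMMDD")
	}
	day, err := strconv.ParseUint(today, 10, 32)
	if err != nil {
		return 0, err
	}
	base := day * 100
	if uint64(current) < base {
		return uint32(base + 1), nil
	}
	return current + 1, nil
}

// SerialAdvanced implements RFC 1982 serial number comparison, the test a
// secondary applies to the primary's SOA: the latest serial counts as newer
// only if it is ahead by 1..2^31-1 modulo 2^32. An unchanged serial means
// "no transfer", however much the zone file itself changed.
func SerialAdvanced(old, latest uint32) bool {
	diff := latest - old // wraps modulo 2^32 by uint32 arithmetic
	return diff != 0 && diff < 1<<31
}

func main() {
	cur, err := ParseSOASerial(SampleZone)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	next, _ := NextSerial(cur, "20120114")
	fmt.Printf("current %d, next %d, secondaries will transfer: %v\n", cur, next, SerialAdvanced(cur, next))
	fmt.Printf("unchanged serial triggers transfer: %v\n", SerialAdvanced(cur, cur))
}
```

Running the file against a zone you have just edited and comparing the parsed serial with what the authoritative server currently answers is the simplest "did I forget the bump" check; the RFC 1982 function is also the one to use when checking that a serial near 2^32 has wrapped correctly rather than gone backwards.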

  • My input for BIND 10:
    Keep it. ISC, you suck.

  • Competing against the pros is an incentive for some alternative DNS projects. Why break what works?
