Internet Systems Consortium Seeks Wider Input For BIND 10 60
joabj writes "The ISC is seeking some open source magic for the next version of the widely used BIND. Although the BIND is already open source, most of the work thus far done on the DNS server software has come from contractors, the government and Unix vendors. 'The goal is to move away from having BIND a heavily sponsored corporate product,' said BIND 10 manager Shane Kerr. Kerr is hoping that more eyes will equal fewer bugs, and that more users will go ahead and implement the features they've been requesting themselves. BIND 10, due by the end of the year, features a new modular architecture, one designed to circumvent many of the security woes that have bedeviled BIND 9."
History repeats itself (Score:5, Insightful)
BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad.
So what makes them think BIND 10 will succeed?
Well, obviously (Score:5, Funny)
They're going to be more agile.
That's what the bind 10 egineering manager told the committee of architects. She did this with approval from four other managers. The committee of architects will now present their solution to a conference of engineers, and then they will then choose external parties to be contracted to do the actual programming (and "surprisingly" the cheapest acceptable external party will just happen to have a job at verizon ... which is why "corporate features" are so prevalent in Bind). But now ... They're "looking for input". Anyone here ever tried to give input to an ISC discussion ? It's a bit like bleeding to death while having your leg slowly feasted on by a pack of hyenas, except of course that it takes 4-5 years for you to die (don't worry, the chances of someone actually having looked at your input in that time frame is minute, after all let's face it : these guys work so fast that features like intergalactic eon-timescales dns support needs to be built in right now. After all, given their decision speeds, it's very unlikely that there will be consensus for another release before we need it). By the time it is obvious just how much input ISC egos can stand you will have a newfound appreciation for bleeding to death : it's fast, and a bleeding leg does not have an ego charlie sheen would describe as "much worse than my mother".
I foresee issues.
Re: (Score:3)
BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad. So what makes them think BIND 10 will succeed?
Let me guess... Because BIND 9 is an awful code?
Re:History repeats itself (Score:5, Informative)
From a security perspective, BIND 9 is infinitely better than BIND 8 wasâ"and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.
The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.
Re: (Score:1)
Re: (Score:3)
Because Paul Vixie says so, and we all know he is always right.
Re: (Score:2)
Third time's the charm.
Non heirarchical naming (Score:5, Interesting)
Screw bind, what's needed is a non heirarchical name resolution mechanism.
Re:Non heirarchical naming (Score:5, Interesting)
You know, I keep hearing on Slashdot about the need for some kind of non-hierarchical peer-to-peer name resolution to replace DNS. What I haven't seen is a working proposal for such a system; the closest I've seen is Namecoin [dot-bit.org].
Re:Non heirarchical naming (Score:4, Informative)
Mostly because in security terms it's a fucking nightmare. Has to solve some very difficult maths.
Re: (Score:3)
Resolving short names to dns name servers in a p2p fashion is problematic. What we should build is a system based on public / private key pairs. Sure the problem of establishing that "Bank of America" has key XXXX is going to be problematic, I'm not sure exactly how to tackle it, and that's most of what the dns system actually solves. But after that step you could be performing name server lookups via a known public key. Just sign a new location record and publish it via something like DHT [wikipedia.org].
No root servers,
Re: (Score:2)
Ooh, I know. We could have a central authority that serves the domain->key mappings via an internet protocol. We could call it DKS- domain key service.
Or you know, that could be why it was hierarchial to begin with. Peer to peer isn't always the right answer.
Re: (Score:2)
Re: (Score:2)
A few people have done it. It hasn't caught on, because it's a stupid idea.
Peer to peer name resolution is pretty easy, the problem is authority. DNS doesn't just give an arbitrary mapping from names to IP addresses, it gives a mapping that the whole world agrees on. That is the bit that is hard to do. With DNS, this is simple. Each tier is authoritative for each subdomain. In a p2p system, who is responsible for allocating foo.bar (or slashdot.org)? With DNSSEC, it's actually quite easy to add a p2
Re: (Score:1)
Already working on it.
- P2P - No concept of "authority".
- Based on a web of trust with cascading rulesets - Impossible to poison, unless you personally trusted the wrong person.
- Graph [wikipedia.org]-based - Structured like the human mind or society, based on fractional associations.
- File system driver - Why not follow the UNIX philosophy? Makes it compatible to *everything* and child's play to use.
- Obviously possible to be tunnelled over everything, like encryption, compression, etc.
- Written in Haskell, verified in Qu
Re: (Score:2)
an OS in Haskell? Count me in :-D
Anyway, if you want to share some insight on the DNS app get in touch.
BIND alternatives (Score:5, Informative)
Since this is about BIND, let me start the inevitable thread about the BIND alternatives.
BIND [isc.org] is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE [nist.gov]
Unbound [unbound.net] and NSD [nlnetlabs.nl] are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE [nist.gov] Unbound CVE [nist.gov]
PowerDNS [powerdns.com] (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE [nist.gov]
MaraDNS [maradns.org]. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/BSD and PowerDNS) Easy-to-configure; tiny binary suitable for embedded systems. CVE [nist.gov]
DjbDNS [cr.yp.to]. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems [nist.gov] (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq [sourceforge.net] is a currently maintained unofficial fork.
There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones [linuxmafia.com]
Re: (Score:2)
Theres also Windows DNS :D
Pretty sure its based on Bind though, and is missing some features.
Re: (Score:2)
Unbound and NSD are a suite of DNS servers from the same people One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet
I thought bind was bloated, but unbound includes an HTTP server and client as well? That brings bloat to a whole new level. Is it based on EMACS?
Re: (Score:2)
Re: (Score:1)
Voice-Family: Leo having a conversation with Sheldon [wikipedia.org] in an episode of "The Big Bang Theory".
No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.
To make the pedants happy: A DNS server is, if you will, akin to an office suite. Yeah, what's really going on is that there is an "authoriative DNS server" that serves arbitrary name-to-data mappings so that programs called "recursive DNS servers" can give said
Re: (Score:2)
No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.
You realise that this is Slashdot, right? I.e. your audience is fairly technical people, not folks who don't know the difference between the web and the Internet. More specifically, this is an article about BIND, on Slashdot, meaning anyone reading your post is likely to have at least a basic understanding of what DNS is and (at least a vague idea of) how it works. You could have explained the same thing, without talking nonsense about web pages, in any of these ways, depending on how much detail you wan
Re: (Score:1)
Sigh. I give up. Yes, I was technically being a little inaccurate, and yes, there are a zillion ways I could have explained that entire mess better, such as linking to Rick's excellent explanation of different DNS server types [linuxmafia.com].
It frustrates and annoys me that you are being so dang pedantic about the issue. I think it would do you well to think about why it is that you annoy a lot of people [slashdot.org].
Re: (Score:2)
It frustrates and annoys me that you are being so dang pedantic about the issue
I made a cheap joke about your poor phrasing, the AC contradicted the (correct) assertion it contained, and then you chimed in trying to justify your inaccuracy. I would have let it go at the start with the first comment, or if you'd just said 'yes, it's an oversimplification' but you decided to jump straight into ultra-patronising mode with:
Voice-Family: Leo having a conversation with Sheldon [wikipedia.org] in an episode of "The Big Bang Theory".
And then, of course, you feel the need to respond with this:
I think it would do you well to think about why it is that you annoy a lot of people [slashdot.org].
A link to my foes page? Seriously? As evidence that I annoy 'a lot of people'? Try clicking on some of t
Re: (Score:1)
Re: (Score:1)
A DNS server is, if you will, akin to an office suite
Is this some kind of inside joke like half of the code is dead (LibreOffice) or there are many different formats doing the same?
I am totally lost and confused by your "analogy". The whole idea about an analogy is that you make it SIMPLE by using well known concepts.
Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers
So then what were you saying? It is like powerpoint? Or Outlook?
:)
Please do not take this wrong way. It is meant as positive criticism: try to find better analogies, it helps the both of us.
Re: (Score:1)
It's akin to an office suite because -- except for BIND, which is monolithic -- you have two distinct programs with different functions: The authoritative and recursive program. Just like you have a word processor and spreadsheet in an office suite.
Rick Moen explains it quite well [linuxmafia.com].
Re: (Score:1)
Distributed DNS (Score:3, Interesting)
We are sick and tired of being threatened by our governments on behalf of failing business models (MAFIAA)
We want distributed DNS (like this: http://dot-bit.org/Main_Page [dot-bit.org])
(For non-techies: Think of DNS servers functioning like BitTorrent.)
Re: (Score:1)
I don't understand the tech details, and would appreciate your thoughts on why the global community can't just launch a tld like "nonusa", and have nameservers that the US can't attack. Then we could have registrars hand out .com.nonusa and so on.
Doable?
Re: (Score:3)
Re: (Score:2)
In BitTorrent, you download a .torrent file that contains checksums allowing you to validate the segments. Where do you get the equivalent in this system? Who is responsible for deciding whether a particular name to IP mapping in the system is authoritative?
Creating a distributed read-only key-value store is not an especially difficult system, the difficult bit is defining authority.
Re: (Score:2)
It's a distributed system. You can only take control of a domain if the majority of the peers in the network agree to it, and they're configured to reject "hostile takeovers".
Re: (Score:3)
As another responder further in the thread mentioned, plans like this are all well and good, good luck getting them to be used before 2020. (See: DNSSEC, IPv6)
Even SPF took a few years to meed widespread adoption, and that only required a single TXT record for a domain to secure itself, and was highly compatible with non-SPF users. An alternative naming system, on the other hand, would be useless in proportion to the number of users not on it.
As someone who's maintined bind servers... (Score:3, Funny)
I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Other looks more like some over the hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big staring role. Give it up Bind... it's not going to happen.
Re: (Score:1)
bind and sendmail will die when they have outlived their usefulness.
Re: (Score:1)
As someone still maintaining a BIND9 deployment, I have to ask: do you have any arguments to go with that rant? Because I don't have any problems.
Re: (Score:2)
My only complaint about BIND 9 is setting up DNSSEC. They're working on it, and 9.8 made it a bit easier, but it's still a hassle. DNS has always been a set it up and forget it service until now.
Re: (Score:2)
We don't use DNSSEC, so that's probably why I find BIND9 to be trouble free.
We do a lot of host mutations though, so I get to work a lot with BIND. The only hassle is to remind myself to update the zone serials.
Re: (Score:2)
PowerDNS does autoserials with DB backends. It's quite handy.
Rant (Score:1)
My input for BIND 10:
Keep it. ISC, you suck.
Competition is fun (Score:2)
Competing against the pros is an incentive for some alternative DNS projects. Why break what works?