
Open Source BIND Alternative Launches

kdawson posted more than 6 years ago | from the ties-that-bind dept.

Software 162

bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."


Powerdns anyone? (3, Interesting)

superskippy (772852) | more than 6 years ago | (#23490740)

We use powerdns_recursor which seems very similar, and is very good.

Re:Powerdns anyone? (5, Funny)

Anonymous Coward | more than 6 years ago | (#23491064)

We use powerdns_recursor which seems very similar, and is very good.

Return to parent comment.

Re:Powerdns anyone? (3, Insightful)

num42 (614006) | more than 6 years ago | (#23491944)

We use PowerDNS recursor at a large German DSL ISP and I simply must say it totally rocks. When we - which you can read as 'I' btw. ;-) - were still on BIND9.(3|4) I had crashing named processes at least once a day; never had a single crash of a pdns_recursor process that wasn't my own fault until this day. Also the PowerDNS community is a nice bunch of people. Come visit us at #powerdns on IRCnet.
\o/

As for Unbound, yeah, it sure looks interesting, but don't trust the benchmark; that one simply doesn't look like they used 'real' DNS traffic for it. If you're a recursive DNS admin you'll know how ugly things are out in the wild. ;-)

Re:Powerdns anyone? (2, Funny)

Bill_the_Engineer (772575) | more than 6 years ago | (#23492272)

never had a single crash of a pdns_recursor process that wasn't my own fault until this day.

What caused pdns_recursor to crash today?

Re:Powerdns anyone? (1)

Mike89 (1006497) | more than 6 years ago | (#23492344)

What caused pdns_recursor to crash today?
I read it like that too at first, but it's just English being ambiguous. Up to, and including, this day, it hasn't crashed.

Re:Powerdns anyone? (1)

num42 (614006) | more than 6 years ago | (#23492484)

Yes, your interpretation is correct: it hasn't crashed yet, and that's since Nov 11 2006 - just looked it up.

Re:Powerdns anyone? (2, Insightful)

Bill_the_Engineer (772575) | more than 6 years ago | (#23492924)

Is it too early in the day for humor?

Re:Powerdns anyone? (4, Interesting)

num42 (614006) | more than 6 years ago | (#23492304)

When we - which you can read as 'i' btw. ;-) - were still on BIND9.(3|4) i had crashing named processes at least once a day, never had a single crash of a pdns_recursor process that wasn't my own fault until this day.
Just as a funny side note I thought I should share with you what happened when I grabbed myself a heart and switched from BIND8 to BIND9 one day. ;-) This was the result: http://zaphods.net/~zaphodb/high-performance-bind9.html [zaphods.net]

Re:Powerdns anyone? (2, Funny)

Tarlus (1000874) | more than 6 years ago | (#23492902)

// We use powerdns_recursor which seems very similar, and is very good.

// Return to parent comment.

Dang it, I want to read further into the thread but I keep getting a stack overflow before I can get past the second comment.

It's not... (5, Informative)

cosmocain (1060326) | more than 6 years ago | (#23490774)

...a DNS-Server.

Taken from here [unbound.net]: Unbound is a validating, recursive, and caching DNS resolver. Huh, front-page information is always quite hard to get.

Re:It's not... (4, Interesting)

value_added (719364) | more than 6 years ago | (#23490952)

I've only had a quick glance, but it appears you're correct.

Seems this is a first: both the submission and the article are absurdly wrong.

Re:It's not... (3, Informative)

zn0k (1082797) | more than 6 years ago | (#23491078)

That might be due to the website of the distributor calling the product a DNS server.

Taken from http://www.nlnetlabs.nl/ [nlnetlabs.nl] :

Recent Software Updates
Unbound 1.0.0
Tue May 20 2008
The public release of Unbound, a fast recursive validating caching DNS server.

Re:It's not... (3, Insightful)

Bogtha (906264) | more than 6 years ago | (#23492684)

Seems this is a first: both the submission and the article are absurdly wrong.

Never in the history of Slashdot has a comment been more deserving of the response "You must be new here".

For those of you wondering what the difference is: (4, Informative)

an.echte.trilingue (1063180) | more than 6 years ago | (#23490992)

For those of you who (like me) don't know the difference between the two, from wikipedia:

DNS servers
The Domain Name System consists of a hierarchical set of DNS servers. Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD).

DNS resolvers
A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

A DNS query may be either a recursive query or a non-recursive query:
  • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
  • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.
The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can communicate only with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.

Re:It's not... (0)

Anonymous Coward | more than 6 years ago | (#23491114)

Not entirely unexpected, since NLnet Labs develops NSD [nlnetlabs.nl] , which is an authoritative DNS server only ;)

Slashdot Barbie... (5, Funny)

argent (18001) | more than 6 years ago | (#23491120)

Slashdot Barbie says "research is hard".

Re:Slashdot Barbie... (0)

Anonymous Coward | more than 6 years ago | (#23492880)

"Research is hard, let's be editors!"

Re:It's not... (4, Informative)

spinkham (56603) | more than 6 years ago | (#23491144)

It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
Most DNS servers do both, so "DNS server" means many different things depending on the context. When your ISP gives you a "DNS server" to use, it's a recursive server, not an authoritative server.
The end user has a "stub resolver", which does not qualify as a server.

For a more in-depth discussion of DNS architecture and DNSSEC, you can check out "DNS for Rocket Scientists" here http://www.zytrax.com/books/dns/ [zytrax.com] or a talk I gave on DNS security here:
http://www.mavensecurity.com/presentations [mavensecurity.com]
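The two points made above, the query-header negotiation of recursive service in the Wikipedia excerpt and the authoritative / recursive / stub roles spinkham lists, both show up in the 12-byte DNS header. As an added example (Python; not code from either post, from Wikipedia, or from the Unbound project), the block below builds a query with the RD bit set or cleared, decodes the flags of a response, and classifies what kind of service the responder gave. Domain names, transaction ids and all responses are constructed inline, so it runs offline; real responses also carry resource records, which are left out because only the header is inspected.

```python
"""DNS header flags: RD, RA and AA (RFC 1035, section 4.1.1).

Added example for this thread; not from the original posts or from Unbound.
Only headers and the question section are built, so it runs offline.
"""
import struct

# Bit positions in the 16-bit flags word of the DNS header.
QR = 1 << 15      # 1 = response, 0 = query
AA = 1 << 10      # authoritative answer: responder holds the zone itself
TC = 1 << 9       # truncated
RD = 1 << 8       # recursion desired: set by the querier (e.g. a stub)
RA = 1 << 7       # recursion available: set by the responder
RCODE_MASK = 0x000F
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = 1, txid: int = 0x2A3B,
                recursive: bool = True) -> bytes:
    """One-question query; RD is set only when recursive service is wanted."""
    flags = RD if recursive else 0
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + question


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header into named fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(query: bytes, response: bytes) -> str:
    """Describe the service the responder gave, judged from header bits alone."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"]:
        return "not a response"
    if r["id"] != q["id"]:
        return "transaction id mismatch: discard"  # not an answer to our query
    if r["tc"]:
        return "truncated: retry over TCP"
    if r["rcode"] == 3:
        return "NXDOMAIN"
    if r["rcode"] != 0:
        return f"error, rcode {r['rcode']}"
    if r["aa"] and r["ancount"] > 0:
        # The server is authoritative for the name; RD/RA play no role here.
        return "authoritative answer"
    if r["ancount"] == 0 and r["nscount"] > 0:
        # The 'partial answer' of non-recursive service: a referral.
        return "referral: non-recursive service, follow the NS records"
    if r["ancount"] > 0 and r["ra"]:
        return "recursive answer: resolver answered on our behalf (cache or lookup)"
    if q["rd"] and not r["ra"]:
        return "recursion requested but not available"
    return "non-authoritative answer"


def constructed_response(query: bytes, flags: int, ancount: int, nscount: int) -> bytes:
    """Constructed sample response: echoes id and RD, sets QR, repeats the question.

    Only the header counts are filled in; no resource records are appended.
    """
    txid, qflags, qd, _, _, _ = HEADER.unpack_from(query)
    flags |= QR | (qflags & RD)
    return HEADER.pack(txid, flags, qd, ancount, nscount, 0) + query[HEADER.size:]


if __name__ == "__main__":
    recursive_q = build_query("www.example.com", recursive=True)   # what a stub sends
    iterative_q = build_query("www.example.com", recursive=False)  # what a resolver sends
    cases = {
        "stub -> recursive resolver": (recursive_q, constructed_response(recursive_q, RA, 1, 0)),
        "resolver -> root/TLD server": (iterative_q, constructed_response(iterative_q, 0, 0, 2)),
        "resolver -> zone's own server": (iterative_q, constructed_response(iterative_q, AA, 1, 2)),
        "stub -> authoritative-only server": (recursive_q, constructed_response(recursive_q, 0, 0, 2)),
    }
    for label, (qry, resp) in cases.items():
        print(f"{label:34s} {classify_response(qry, resp)}")
```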

Re:It's not... (1)

value_added (719364) | more than 6 years ago | (#23491626)

Most DNS servers do both, so "DNS server" means many different things depending on the context.

From the unbound site:

Unbound is an implementation of a DNS resolver, that does caching and DNSSEC validation.

Seems clear to me.

I don't see how describing how servers can behave as clients to/among one another is informative or useful, nor does it make a server a non-server, at least not in the traditional sense. Unbound does lookups and caching, and from what I see, it can make use of some localhost zone files.

Then again, maybe I'm just talking out my ass. Shall I concede dig and nslookup are servers because they perform lookups just as would a non-authoritative bind server, or one with a forwarders clause?

Re:It's not... (2, Insightful)

hey (83763) | more than 6 years ago | (#23491724)

Wouldn't "proxy DNS server" be a better term?

Re:It's not... (1)

spinkham (56603) | more than 6 years ago | (#23492370)

No. That could refer to a proxy for an authoritative name server, a proxy for a resolver, etc.
A recursive resolver does much more than simply proxy requests; it searches down the DNS namespace to find the information you are looking for.
You ask for www.amazon.com, and it queries multiple servers to get more and more specific information, then returns the result to you.
There are good definitions for the terms name server, authoritative name server, resolver, recursive resolver and more in the DNS world, but "DNS server" is ambiguous and means exactly what the speaker means. People who deal with DNS tend to avoid the general term due to this difficulty.

Re:It's not... (4, Interesting)

Omnifarious (11933) | more than 6 years ago | (#23492012)

Perhaps most pieces of DNS software can do both. But actual DNS installations should not be configured that way [measurement-factory.com] . In fact, I've seen a rise in DNS cache poisoning attempts [slashdot.org] against my authoritative DNS server.

Re:It's not... (1)

spinkham (56603) | more than 6 years ago | (#23492294)

Correct. I was just referring to the ambiguity of the term "DNS Server", since the parent claimed that unbound was not one. Name server, authoritative server, resolver, etc. are all strictly defined, but DNS server can mean any of the above.

Re:It's not... (1)

Lars T. (470328) | more than 6 years ago | (#23492922)

It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
To put it simply: you can replace BIND with Unbound if you don't have zone files, right?

djbdns (3, Informative)

khundeck (265426) | more than 6 years ago | (#23490808)

I've been using djbdns as my BIND alternative for the last couple of years, and I've been very happy with it. Technically it was pretty straightforward to build/install. The only consideration seems to be whether you like the djb way of doing things (I do!) and the few Freedom wrinkles in the license. :-)

http://cr.yp.to/djbdns.html

Kurt

Re:djbdns (5, Informative)

oyenstikker (536040) | more than 6 years ago | (#23490882)

the few Freedom wrinkles in the license.

djbdns is now in the public domain (as of December 2007). Before that, there was no license.

http://cr.yp.to/distributors.html [cr.yp.to]

Re:djbdns (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23491400)

It's also very small, extremely fast, highly modular, and extraordinarily robust. It could take the load of a root name server, if you had the bandwidth. It actually approaches the almost-mythical status of "bug-free software"; I certainly would be surprised by any remaining security or stability issues being discovered in it.

The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.

Re:djbdns (-1)

Anonymous Coward | more than 6 years ago | (#23491936)

I use djbdns, and I've always said that it's a piece of shit, but it's the best piece of shit available

Re:djbdns (0)

Anonymous Coward | more than 6 years ago | (#23492184)

Nah we should bash him and his software because he does not worship at the Temple of the Omnipotent Golden Gnu.

Re:djbdns (2, Insightful)

Christianfreak (100697) | more than 6 years ago | (#23492710)

Yes but he deserves scorn for the atrocity that is qmail.

Re:djbdns (1, Informative)

Anonymous Coward | more than 6 years ago | (#23491882)

djbdns won't support DNSSEC and Dan J. Bernstein made a detailed explanation about that:

http://cr.yp.to/djbdns/forgery.html

ldapdns (3, Interesting)

morgan_greywolf (835522) | more than 6 years ago | (#23490924)

I use a perhaps not-well-known alternative called ldapdns [sourceforge.net], which used to be based on the DJBDNS code. It gets its DNS information from LDAP, which is very, very nice -- I can make a change in LDAP and the change is instant, as opposed to making a change to the BIND stuff, after which I then have to restart BIND, etc.

Re:ldapdns (3, Funny)

peterbye (708092) | more than 6 years ago | (#23492784)

Yes, typing 'rndc reload' is such an effort, isn't it?

Re:ldapdns (1)

morgan_greywolf (835522) | more than 6 years ago | (#23492940)

That could take a long time with a very large DNS database.

Feh.... (2, Interesting)

Ritz_Just_Ritz (883997) | more than 6 years ago | (#23490974)

Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners. I'll stick with bind, thanks. It just plain works and I'm not stuck with an angry maintainer for updates. :D

Re:Feh.... (1)

morgan_greywolf (835522) | more than 6 years ago | (#23491072)

Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners.
Ouch!

Angry Maintainer! (3, Funny)

argent (18001) | more than 6 years ago | (#23491096)

I can't decide if that should be a new emo superhero or a BOFH-themed ceiling-cat variant.

"Angry Maintainer is watching you masturbate." "Eww." "Why do you think he's angry?"

Re:Feh.... (1)

neumayr (819083) | more than 6 years ago | (#23491108)

Well, he's right[tm].

Re:Feh.... (1, Interesting)

arivanov (12034) | more than 6 years ago | (#23491412)

Actually there is a BIG difference between the two.

Theo admits if he is wrong straight away - been there done it, proved him wrong on the hardware RNG support in AMD chipsets a while ago.

Making DJB admit anything takes deploying half of the ex-SU nuclear arsenal and you are still more likely to turn half the world into a desert than succeed.

They are also different on another major count. Theo tries to make the entire platform become better and he does not mind people taking his improvements and using them. DJB cares solely about his stuff and instead of improving the underlying platform he replaces it at a whim. Not invented here and reinvent the wheel to the hilt and then some.

Re:Feh.... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23491574)

Having actually met DJB, he's not, at least from what I've seen, an all-around bad guy.

He is very protective of his image though, that much is true. He's also a very bright but highly academic type. My dealings with him on the crypto front led me to believe he doesn't really grasp the concept between research and practice (e.g. what people actually use versus what is technically out there).

Anyways, the solution as always, is not to use DJB software :-)

Re:Feh.... (3, Insightful)

schon (31600) | more than 6 years ago | (#23491678)

Theo admits if he is wrong straight away
WHAT!??!?!

When Theo is wrong, he *immediately* launches personal attacks, never once admitting the reality of the situation. (Linux devs were "inhuman" because they posted a GPL violation in a *public* repo to that repo's mailing list.)

What colour is the sky in your world?

"taking his improvements and using them" (0)

Anonymous Coward | more than 6 years ago | (#23492458)

As long as you don't GPL them.

Re:Feh.... (0)

mikelieman (35628) | more than 6 years ago | (#23491112)

Updates?

Isn't qmail still at 1.03 or something?

Re:Feh.... (1)

CrazedWalrus (901897) | more than 6 years ago | (#23491784)

Coincidentally, I just installed it yesterday. They're distributing netqmail 1.06, which is qmail 1.03 plus some patches. Check out the web site [qmail.org] .

Charles Cazabon, Dave Sill, Henning Brauer, Peter Samuel, and Russell Nelson have put together a netqmail-1.06 distribution of qmail. It is comprised of qmail-1.03 plus the recommended patches and some documentation.

That said, if there are no major bugs and the software is feature complete, I wouldn't really expect many new releases. Releases for the sake of it just increase LOC and bug count.

I've been meaning to play with djbdns. I think qmail is orders of magnitude easier to deal with than sendmail. (Seriously -- WTF is up with sendmail.cf? Just run it through PGP and have the user edit the results. It won't be much different.) If DJBDNS lives up to the expectation I have from qmail, I'm sure it's worth the effort.

Re:Feh.... (2, Funny)

lysse (516445) | more than 6 years ago | (#23492362)

Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners.
"It's my estimation that every man ever got a statue made of him was one kind of sommbitch or another." (Jaynestown)

Re:Feh.... (3, Insightful)

Russ Nelson (33911) | more than 6 years ago | (#23492448)

Why do you need updates? I think that's one of djb's points: that if the software is written well, it doesn't need to be updated, and thus you don't need to form a relationship with the author.

Re:djbdns (0)

pak9rabid (1011935) | more than 6 years ago | (#23491848)

Agreed. As a younger kid, I always shied away from messing w/DNS solely because I didn't want to take the plunge into BIND's complexity. The company I work for now uses djbdns for its internal DNS. As a sysadmin who had to familiarize myself with it, I'll have to say it's such a pleasure to work with. My only nag is that it be updated such that its tools to add records support some of the newer records, like SRV. But there are web-based tools [anders.com] that make up for these shortcomings.

Re:djbdns is abandonware (3, Informative)

EllynGeek (824747) | more than 6 years ago | (#23492764)

djbdns is abandonware. It hasn't had an update since 2001, and you can believe in perfect code that doesn't ever need updating if you want to, but I don't. DJB's crazy licensing meant that only patches could be distributed, not modified sources or binaries, which effectively killed any community support. Now that it's public domain it's possible for someone to pick it up and start maintaining it again, and I'll wait until that happens before using it again. I can live with DJB's complete disregard of filesystem conventions and stuffing a whole lot of new top-level directories for no good reason into the system, and creating a bunch of unnecessary new management daemons (daemontools). But not maintaining his own software makes it a no-go, especially something as crucial as name services.

Java based DNS server? (5, Funny)

Anonymous Coward | more than 6 years ago | (#23490816)

Java seems like a logical way to go with this, considering the great track record of other Java web technologies (Tomcat, Jetty, etc).

Is there anything out there?

Re:Java based DNS server? (3, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#23491090)

Is there anything out there?
Actually, yes, yes there is [dnsjava.org] .

Re:Java based DNS server? (1)

EvilRyry (1025309) | more than 6 years ago | (#23492246)

ApacheDS too, and it's not too terrible. http://directory.apache.org/ [apache.org] Kerberos, DHCP, DNS and user information all store their information in a multi-master LDAP database out of the box. I think it could be a pretty exciting project once it matures.

Re:Java based DNS server? (2, Interesting)

lseltzer (311306) | more than 6 years ago | (#23491618)

Only slightly on point, Unbound was originally prototyped in Java, but rewritten in C.

Re:Java based DNS server? (0)

Anonymous Coward | more than 6 years ago | (#23492620)

Am I the only one who thinks it's funny that this post is modded "Funny"?

IE6 (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23490832)

Their page [unbound.net] does not render correctly on IE7. The main paragraphs are partially hidden by the right hand pane.

If they cannot even code their web pages to work with the main web browser out there then I cannot trust their claims of their implementation of DNS being so secure.

Re:IE6 (2, Interesting)

zn0k (1082797) | more than 6 years ago | (#23490872)

They are the guys that wrote and support nsd (http://www.nlnetlabs.nl/nsd/), the software used on at least 2 root servers (k.root-servers.org and l.root-servers.org).

Those are some mighty fine credentials.

Re:IE6 (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23491014)

If they are so good, why can't they handle writing a simple web page?

Re:IE6 (1)

jZnat (793348) | more than 6 years ago | (#23492576)

Why can't IE6 handle simple web pages written to widely-accepted standards?

Re:IE6 (0)

Anonymous Coward | more than 6 years ago | (#23490890)

Well it's obviously a standards compliant web page that renders well in standards compliant browsers, such as Firefox :)

If you insist upon using a flawed implementation of a web browser, such as IE7, then that's your own problem; don't ruin it for the rest of us!

Re:IE6 (0, Offtopic)

siride (974284) | more than 6 years ago | (#23491118)

I mostly agree, but it happens that their HTML doesn't validate. Also, their CSS is a little weird for the three-column layout. They have a float: right for the rightmost column (the one that overlaps on this guy's site), but position: absolute as well. I don't know what that's supposed to mean, but it can't be good.

Re:IE6 (0)

Anonymous Coward | more than 6 years ago | (#23491296)

Haha, you use Windows.

Everyone point and laugh.

Re:IE6 (1)

aproposofwhat (1019098) | more than 6 years ago | (#23492474)

LOL - it renders perfectly in Firefox :)

Being real software, though, I doubt whether they tested their page with any Windows based browser :P

Re:IE6 (1)

dominious (1077089) | more than 6 years ago | (#23492716)

So for you a security expert must know HTML and all the bull crap around it? Well, I'm sorry, but one has nothing to do with the other.

Re:IE6 (1)

Jellybob (597204) | more than 6 years ago | (#23492762)

I bet they can't write a first person shooter either.

We definitely shouldn't trust their ability to write DNS servers.

(Hint for the humour impaired: Apples != Oranges)

FYI, bind9 is already open source (5, Informative)

molo (94384) | more than 6 years ago | (#23490844)

This posting makes it sound like bind9 is not sufficiently open/free. That is not correct, and kdawson should do a better job of editing to prevent biased postings like this.

Bind9 is licensed under the ISC license, a BSD-like license. The full text of the license follows.

-molo

Copyright (C) 1996-2001 Internet Software Consortium.

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Because kdawson is a troll (2, Informative)

Anonymous Coward | more than 6 years ago | (#23491428)

Plain and simple.

Re:FYI, bind9 is already open source (1)

bsDaemon (87307) | more than 6 years ago | (#23491584)

This is what I thought. Next thing, we'll be hearing of an "open source" alternative to Apache or some such nonsense.

Re:FYI, bind9 is already open source (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23491588)

[...] kdawson should do a better job of editing to prevent biased postings like this.
I don't care what your user ID says. You must be new here. :-)

Re:FYI, bind9 is already open source (1)

Directrix1 (157787) | more than 6 years ago | (#23492044)

To me it just sounded like somebody is proposing another open source alternative without a barrage of security holes being discovered. I think the implication is that ISC Bind has bad code quality, and this is an alternative.

Re:FYI, bind9 is already open source (1)

lysse (516445) | more than 6 years ago | (#23492224)

Not only that, but what must be its most prominent competitor, djbdns, is also now free software (public domain, like the rest of DJB's stuff, as of last year). So "open source DNS" is a bit more crowded a field than it used to be these days...

Re:FYI, bind9 is already open source (1)

Kadin2048 (468275) | more than 6 years ago | (#23492312)

I guess I can see how the title might have been interpreted that way, but I don't think it was an intentional mis-statement.

The title is "Open Source BIND Alternative Launches". You could interpret that in two ways -- one, that there's a new alternative to BIND that's open source, with the implication that it's the open-source-ness that differentiates it from BIND (and thus that BIND is not open source); two, that there's a new alternative to BIND, which happens to be open source, full stop. The latter interpretation doesn't say anything about BIND per se, and that's the way I think kdawson meant it. Particularly because BIND is such a well-known open-source package.

Are we supposed to trust.. (5, Interesting)

bleh-of-the-huns (17740) | more than 6 years ago | (#23490854)

Anything with Verisign's named attached to it?

Re:Are we supposed to trust.. (4, Funny)

richie2000 (159732) | more than 6 years ago | (#23491066)

Anything with Verisign's named attached to it?
No, this isn't a named.

Will it have a built-in SiteFinder? (1)

arghileh (320728) | more than 6 years ago | (#23490862)

Because this new delegate-only option in bind is making me miss out if I typo a domain.

Both Open Source, Both BSD... (4, Insightful)

Manip (656104) | more than 6 years ago | (#23490878)

Both pieces of software are released under the same open source license, namely BSD.

On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.

Especially given the fact it sells itself as being more complex and big than its predecessor.

Re:Both Open Source, Both BSD... (-1, Redundant)

morgan_greywolf (835522) | more than 6 years ago | (#23491110)

Especially given the fact it sells itself as being more complex and big than its predecessor.
More big and complex than BIND? Are you guys sure Microsoft didn't write this?

No Chance. (1, Funny)

Anonymous Coward | more than 6 years ago | (#23490920)

All your base belong to BIND.

But, but, but, but... (1, Funny)

MasterOfMagic (151058) | more than 6 years ago | (#23490938)

but what if I like bondage? What would the Internet be without a little (okay, well, a lot) of bondage?!

Re:But, but, but, but... (1)

phoenixwade (997892) | more than 6 years ago | (#23491034)

but what if I like bondage? What would the Internet be without a little (okay, well, a lot) of bondage?!
So, you want to be tied up with a cat-5 cable or have you upgraded to fiber?

Re:But, but, but, but... (1)

MasterOfMagic (151058) | more than 6 years ago | (#23491086)

I'm old-school. Thinnet for me, thanks.

Re:But, but, but, but... (1)

doon (23278) | more than 6 years ago | (#23491146)

I'm old skool. We use waxed string here to abuse our cables....

Re:But, but, but, but... (2, Funny)

Enry (630) | more than 6 years ago | (#23491218)

So I guess goths go for vampire taps?

The obligatory... (2, Funny)

Jesus_666 (702802) | more than 6 years ago | (#23491380)

I use Microsoft. Its vendor lock-in strategy surpasses every bondage artist's skill and administering Windows boxen makes my inner masochist cry from glee. And pain, of course.

They also eat cute little puppies, which is fine with me as I'm a cat person.

maradns (3, Informative)

TheSlashaway (1032228) | more than 6 years ago | (#23490982)

This is one of the best: http://www.maradns.org/ [maradns.org]

Re:maradns (2, Informative)

EllynGeek (824747) | more than 6 years ago | (#23492912)

I agree, Maradns is an excellent authoritative name server and caching resolver. Unlike the horrid lardy mess that is BIND, it handles very large loads, and it is easy to configure. BIND is a gawdawful bloated mess that should have been laughed into oblivion years ago. Maradns, NSD, and Powerdns are all far superior to BIND. They're sane to administer and much more robust. For LAN DHCP and DNS, try Dnsmasq. Friends don't let friends use BIND.

free planet/population rescue kode re-launches (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23491032)

it's way user friendly, & did we mention that it's also an absolutely free alternative to watching everything we're familiar with go/be taken away? let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.yahoo.com/s/ap/20071229/ap_on_sc/ye_climate_records;_ylt=A0WTcVgednZHP2gB9wms0NUE [yahoo.com]
http://news.yahoo.com/s/afp/20080108/ts_alt_afp/ushealthfrancemortality;_ylt=A9G_RngbRIVHsYAAfCas0NUE [yahoo.com]
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A [nytimes.com]

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://video.google.com/videosearch?hl=en&q=video+cloud+spraying [google.com]

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html [cnn.com]

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html [cnn.com]

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html [cnn.com]

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece [timesonline.co.uk]
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece [timesonline.co.uk]

DNS is a big problem and it's getting bigger (3, Interesting)

mseeger (40923) | more than 6 years ago | (#23491076)

Hi,

DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.

I'm doing a lot of consulting for large ISPs on DNS problems. BIND is good for small and medium ISPs but bad for large ones (as resolver, as primary or secondary nameserver).

It doesn't work very well with a cache above 1GB and the multithreading is not very efficient. Startup (for servers with 100K zones) is very slow, restart (after changing the configuration) is risky if you decreased the number of masters for a secondary zone (core dump). The readability of the code is far from perfect and it doesn't separate different functions very well (e.g. you cannot easily replace the caching algorithm). The handling of slow or dead servers could be improved too...

So, I personally welcome the new contender in the OSS nameserver arena ;-). Let the games begin...

The best results (up to today) I got with Nominum [nominum.com] ANS and CNS. It's neither FOSS nor cheap but really, really fast. At one customer we replaced 4 overloaded BIND systems (3 GHz Dual Xeon, 4GB RAM, 2 BIND processes per system) with CNS on the same hardware (but only 2 systems) and the load barely reached 10%.

Sincerely yours, Martin

Re:DNS is a big problem and it's getting bigger (-1, Troll)

kurt555gs (309278) | more than 6 years ago | (#23491598)

Here we go to the "commercial software is better than open source" argument.

I personally hate BIND, and BIND is open source, but some secret sauce being twice as fast? I don't think so.

Closed source software just can not compete with open source for performance or reliability, can't happen, no way.

And this is from someone who, because I forgot a period on the end of a domain name, was ready to do great harm to the BIND developers out of frustration.

Cheers

Re:DNS is a big problem and it's getting bigger (0)

Anonymous Coward | more than 6 years ago | (#23491892)

Here we go to the "open source is teh bestest and no one can do betterer" argument.

I personally hate BIND, and BIND is open source, but some secret sauce being twice as fast? I don't think so.

As you clearly haven't done any measurement or work with large zone files, as the GP apparently does, how the hell do you know which is fastest? You're a fanboy.

Re:DNS is a big problem and it's getting bigger (4, Insightful)

mseeger (40923) | more than 6 years ago | (#23491978)

Hi,

Here we go to the "commercial software is better than open source" argument.

Neither is open source better than commercial nor is commercial better than open source. It all depends on the use. As I wrote, if you are a small ISP or a medium ISP (e.g. 5K zones, 10K DNS requests per second) BIND suits your needs. If you have 100K zones and 100K DNS requests per second, it doesn't. I mentioned Nominum because it's the best solution I have seen until today and I will benchmark Unbound against CNS and not BIND. Beating BIND is IMHO not a challenge....

I personally hate BIND, and BIND is open source, but some secret sauce being twice as fast? I don't think so.

I'm not in the secret sauce business ;-). I speak numbers and statistics. E.g. CNS is for high loads 10-20 times more CPU efficient than BIND as a caching nameserver on the same hardware. The cache handling of BIND 8/9 really, really sucks :-(. A customer doesn't pay $80K just on my say so (unluckily). They run tests to prove the business case.

Remark: 90% of my customers run BIND and are happy with it. I do OSS and commercial software in a happy mix. Ideology is not my thing. Use the software (FOSS or commercial) that's better for the problem.

Regards, Martin

Re:DNS is a big problem and it's getting bigger (0)

Anonymous Coward | more than 6 years ago | (#23492340)

I think you've been drinking that sauce. Bind is a turd. Try polishing a turd sometime.

Re:DNS is a big problem and it's getting bigger (2, Insightful)

darkuncle (4925) | more than 6 years ago | (#23492226)

If DNS traffic is your bottleneck, you don't have a bottleneck.

Seriously, "DNS traffic grows faster than the overall traffic"? Maybe if you're doing a lot of TCP-over-DNS (thanks, Dan Kaminsky), or if you are providing DNS hosting services. Otherwise, I fail to see how a primarily UDP-based, extremely lightweight protocol (designed for caching at every layer, mind you) can grow faster than HTTP or whatever your traffic is.

Again, if DNS is your bottleneck, you've got something that's not designed properly, or are providing DNS hosting as a service (and probably still have something not designed properly). 100K zones is slow to startup? How about not putting 100K zones on the same servers? SPOF much?

I'm not arguing that BIND is the fastest, cleanest, most secure implementation out there (that title probably belongs to djbdns; I have yet to see a security hole published in any of his stuff - too bad it's such a hassle to use), but if your architecture is such that BIND's bugs are biting you, I would argue that BIND is _not_ your biggest problem.

Re:DNS is a big problem and it's getting bigger (3, Interesting)

mseeger (40923) | more than 6 years ago | (#23492430)

Hi,

If DNS traffic is your bottleneck, you don't have a bottleneck.

Sorry, you misunderstood me. I didn't say DNS traffic is a bottleneck. I said DNS is the bottleneck and I meant the number of requests.

Why do we get so many more DNS requests today:

  • Anti-SPAM systems use DNS to make their decisions. A SPAM mail may cause several DNS requests on the receiving side.
  • Everyone and his dog is using small firewalls which regularly do a reverse DNS query per incoming connection. A new worm (even without any infection) can cause millions of DNS requests for a large ISP.
  • Web sites are heavily loaded with images/ads from other servers. This means a dozen or more DNS requests for a single web page.
  • etc...

While DNS is still a small percentage of the overall traffic, it can be a bottleneck. A slow caching nameserver (if it's overloaded or as inefficient as a BIND in a large ISP environment) can severely decrease the "speed experience" of a fast DSL line. If you have an average answer time of 300ms for a DNS request from a caching nameserver, it really hurts. Just believe me...

I would agree that BIND is nearly never your biggest problem. But for big ISPs it can be a big problem anyway. A lot of them already dumped BIND.

Regards, Martin

Re:DNS is a big problem and it's getting bigger (3, Informative)

darkuncle (4925) | more than 6 years ago | (#23492738)

Yes, yes, there are lots of DNS requests. And there is caching at every single layer of the infrastructure, including most importantly:
* client resolver library
* client's upstream nameservers (recursive-only generally, operated by their ISP)
* any add'l upstream DNS architecture between the client's nameservers and the SOA

Point being that billions of DNS requests generated daily for e.g. google.com are NOT all individually served by Google's nameservers. A small percentage of the total actually comes all the way through; the rest are handled by caching (one of the primary design goals of the protocol).

A proper architecture will do more to improve site performance (and reduce burden on the network) than any amount of changes to the software you're using to serve DNS. The slowdown you're referring to is much more likely to occur closer to the edge than in the core of the ISP (where DNS server performance is a factor).

BIND is not the problem. DNS isn't even the problem (unless you've got some really boneheaded setups). _architecture_, in a general sense (from systems to storage to networking to web page content to CDN to GSLB to peering to geographic distribution of datacenters), is the problem. DNS is a very small facet of the overall problem (it can be a problem, granted - but it's hardly the most significant one, or even in the top 5 the vast majority of the time).

Re:DNS is a big problem and it's getting bigger (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23492486)

If bind is your problem, you're doing it wrong.
Root F runs bind and I'm betting it does far more than your trivially small organisation with only 100k zones.
Root F and its mirrors answer somewhere in excess of 1/3 of all top level queries.

Re:DNS is a big problem and it's getting bigger (5, Interesting)

mseeger (40923) | more than 6 years ago | (#23492906)

Hi,

If bind is your problem, you're doing it wrong. Root F runs bind and I'm betting it does far more than your trivially small organisation with only 100k zones. Root F and its mirrors answer somewhere in excess of 1/3 of all top level queries.

If you run BIND with 100K zones, it takes quite some time to come up and start answering queries. If you do a reload, it has a dead time in between. Try it... As a secondary it has bugs (for more than 12 months now) that may crash it. I just had a customer who paid a lot of money to get it fixed by an external company. Of course the fix was sent to the BIND maintainers.

As always, you can work around the problem. E.g. for the startup/reload problem you can use multiple servers and load balancers, switch IP addresses, pull a rabbit out of your hat... It's all possible. The question is always: is it cost efficient? If you have to adapt your procedures to work with BIND, you may do so. A lot of companies prefer paying money and adapting the software to their procedures. Both ways may work.

BIND doesn't have a performance problem as a primary nameserver or secondary nameserver. It has a performance problem as a caching nameserver, and a severe one. This is why I'm happy about Unbound.

At last: Some root nameservers should always run BIND. We need a huge diversity of software for root servers, even if it creates pains. Just for security reasons....

Regards, Martin

Disclaimer: I don't hate BIND, I don't love specific commercial products. The decision is always based on a lot of parameters. Price, FOSS vs. commercial, hardware or software based solution, know-how of the administrators... All goes into one pot. There is no one size fits all.

Re:DNS is a big problem and it's getting bigger (2, Insightful)

Russ Nelson (33911) | more than 6 years ago | (#23492512)

DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.

Martin, have you tried setting your TTL larger than ten seconds?
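The caching layers darkuncle lists above (stub cache on the client, shared recursive cache at the ISP) and the TTL question in this reply, as an added example that is not part of the thread or of any DNS project: a constructed two-layer cache simulation that counts how many lookups actually reach the authoritative server at different TTLs. The domain names, the 192.0.2.1 answer and the workload are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TtlCache:
    """Minimal positive cache: key -> (answer, expires_at); dead once expires_at <= now."""
    store: dict = field(default_factory=dict)

    def get(self, key, now):
        entry = self.store.get(key)
        if entry is None or entry[1] <= now:
            return None
        return entry

    def put(self, key, answer, ttl, now):
        self.store[key] = (answer, now + ttl)


@dataclass
class Stats:
    client_hits: int = 0            # answered from the client's own stub cache
    resolver_hits: int = 0          # answered from the shared recursive (ISP) cache
    authoritative_queries: int = 0  # had to go all the way to the authoritative server


def simulate(queries, ttl, n_clients):
    """queries: iterable of (time_s, client_id, name). Each client has its own stub
    cache; all clients share one recursive cache. A miss at both layers is one
    query to the authoritative server, which answers with the given ttl."""
    client_caches = [TtlCache() for _ in range(n_clients)]
    resolver = TtlCache()
    stats = Stats()
    for now, client, name in queries:
        key = (name, "A")
        if client_caches[client].get(key, now) is not None:
            stats.client_hits += 1
            continue
        entry = resolver.get(key, now)
        if entry is not None:
            stats.resolver_hits += 1
        else:
            stats.authoritative_queries += 1
            resolver.put(key, "192.0.2.1", ttl, now)  # constructed answer (RFC 5737 range)
            entry = resolver.get(key, now)
        # the stub keeps the answer only for the TTL remaining on the resolver's copy
        client_caches[client].put(key, entry[0], entry[1] - now, now)
    return stats


def constructed_workload(seconds=600, n_clients=50, names=("example.com", "cdn.example.net")):
    """Constructed load: every client looks up every name once per second."""
    return [(t, c, n) for t in range(seconds) for c in range(n_clients) for n in names]


if __name__ == "__main__":
    for ttl in (1, 10, 300):
        print(ttl, simulate(constructed_workload(), ttl, 50))
```

With the 60000-lookup workload, a 10-second TTL lets 120 queries through to the authoritative side, a 1-second TTL 1200, and a 300-second TTL only 4.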

ENUM with DNSSEC (1)

Skinkie (815924) | more than 6 years ago | (#23491080)

Using DNSSEC it is possible to send out special replies to known or not yet known users. In that way authorization based on DNS is possible. This will also open possibilities to use ENUM as it is supposed to be used.

BIND isn't Open Source? (3, Interesting)

hitech69 (78566) | more than 6 years ago | (#23491104)

Am I missing something, when did BIND not qualify as Open Source?

Why re-invent BIND? (0)

Anonymous Coward | more than 6 years ago | (#23491302)

My initial thoughts before RTFA...

1) Why re-invent BIND? Which has been beaten up so much over the past decade that it's now (probably) pretty secure with most of the bugs worked out. Plus there are lots of resources out there that can be used to solve problems or help with setup questions.

2) OTOH, options are good, it prevents a mono-culture and makes it harder for exploits to take out everything.

Of course, in this particular case, they haven't re-invented BIND. They've simply developed another DNS resolver which can't be authoritative for DNS records. So what's the draw of using BIND for your authoritative servers and then using something different for your resolver servers?

Low Bar (0, Flamebait)

A R Baboon (212184) | more than 6 years ago | (#23492220)

Well, that is not a very high bar. Writing a better DNS server than bind is very welcome but not actually a daunting feat. I did this several years ago as an undergrad. I had set out only to modify BIND 8, only to find that the source is a big ball of spaghetti code. It then became pretty obvious why there were regular exploits.