
Internet Systems Consortium Seeks Wider Input For BIND 10

timothy posted more than 2 years ago | from the one-bind-to-ring-them-all dept.

Networking 60

joabj writes "The ISC is seeking some open source magic for the next version of the widely used BIND. Although BIND is already open source, most of the work thus far done on the DNS server software has come from contractors, the government and Unix vendors. 'The goal is to move away from having BIND a heavily sponsored corporate product,' said BIND 10 manager Shane Kerr. Kerr is hoping that more eyes will equal fewer bugs, and that more users will go ahead and implement the features they've been requesting themselves. BIND 10, due by the end of the year, features a new modular architecture, one designed to circumvent many of the security woes that have bedeviled BIND 9."


60 comments

History repeats itself (4, Insightful)

Richard_at_work (517087) | more than 2 years ago | (#38696018)

BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad.

So what makes them think BIND 10 will succeed?

Re:History repeats itself (0)

Anonymous Coward | more than 2 years ago | (#38696092)

because its Open Source, and as everyone knows Open Source software is perfect /sarcasm

Well, obviously (4, Funny)

OeLeWaPpErKe (412765) | more than 2 years ago | (#38696108)

They're going to be more agile.

That's what the BIND 10 engineering manager told the committee of architects. She did this with approval from four other managers. The committee of architects will now present their solution to a conference of engineers, and then they will choose external parties to be contracted to do the actual programming (and "surprisingly" the cheapest acceptable external party will just happen to have a job at Verizon ... which is why "corporate features" are so prevalent in BIND). But now ... They're "looking for input". Anyone here ever tried to give input to an ISC discussion? It's a bit like bleeding to death while having your leg slowly feasted on by a pack of hyenas, except of course that it takes 4-5 years for you to die (don't worry, the chances of someone actually having looked at your input in that time frame are minute; after all, let's face it: these guys work so fast that features like intergalactic eon-timescale DNS support need to be built in right now. After all, given their decision speeds, it's very unlikely that there will be consensus for another release before we need it). By the time it is obvious just how much input ISC egos can stand you will have a newfound appreciation for bleeding to death: it's fast, and a bleeding leg does not have an ego Charlie Sheen would describe as "much worse than my mother".

I foresee issues.

Re:Well, obviously (2)

hcs_$reboot (1536101) | more than 2 years ago | (#38696124)

BIND 9 was an almost total rewrite because BIND 8 was a horrible codebase, and in turn BIND 8 was an almost total rewrite because BIND 4 was so bad. So what makes them think BIND 10 will succeed?

Let me guess... Because BIND 9 is an awful code?

Re:Well, obviously (0)

Anonymous Coward | more than 2 years ago | (#38698554)

Because the rent is TOO DAMN HIGH!

Re:History repeats itself (5, Informative)

MaraDNS (1629201) | more than 2 years ago | (#38696212)

From a security perspective, BIND 9 is infinitely better than BIND 8 was, and anyone else who remembers BIND 8's constant remote root exploits knows what I'm talking about.

The security holes in BIND 9 are along the lines of denial-of-service attacks. Worrying about someone being able to stop the DNS is much less to worry about than worrying about someone being able to control machines remotely.

Re:History repeats itself (1)

Crackez (605836) | more than 2 years ago | (#38699772)

A DoS on a DNS server is a pretty bad thing though... It's such a fundamental service on the network, that if it's down, lots of things break. So a DoS on DNS is an amplified problem such that many services will fail or become unreachable which is just as bad.

Re:History repeats itself (0)

Anonymous Coward | more than 2 years ago | (#38696230)

Any project which has Paul Vixie anywhere near it will be a disaster.

Re:History repeats itself (2)

Ice Station Zebra (18124) | more than 2 years ago | (#38696692)

Because Paul Vixie says so, and we all know he is always right.

Re:History repeats itself (1)

Chemisor (97276) | more than 2 years ago | (#38697354)

Third time's the charm.

Non hierarchical naming (4, Interesting)

Colin Smith (2679) | more than 2 years ago | (#38696142)

Screw bind, what's needed is a non heirarchical name resolution mechanism.

Re:Non hierarchical naming (5, Interesting)

MaraDNS (1629201) | more than 2 years ago | (#38696202)

You know, I keep hearing on Slashdot about the need for some kind of non-hierarchical peer-to-peer name resolution to replace DNS. What I haven't seen is a working proposal for such a system; the closest I've seen is Namecoin [dot-bit.org] .

Re:Non hierarchical naming (3, Informative)

Colin Smith (2679) | more than 2 years ago | (#38696224)

Mostly because in security terms it's a fucking nightmare. Has to solve some very difficult maths.

Re:Non hierarchical naming (0)

Anonymous Coward | more than 2 years ago | (#38696242)

Didn't that Pirate bay guy start one? What happened to that?

Re:Non hierarchical naming (2)

complete loony (663508) | more than 2 years ago | (#38696358)

Resolving short names to dns name servers in a p2p fashion is problematic. What we should build is a system based on public / private key pairs. Sure the problem of establishing that "Bank of America" has key XXXX is going to be problematic, I'm not sure exactly how to tackle it, and that's most of what the dns system actually solves. But after that step you could be performing name server lookups via a known public key. Just sign a new location record and publish it via something like DHT [wikipedia.org] .

No root servers, no name confiscation, that key could belong to you forever.
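The key-as-identity scheme sketched in the post above, as an added example that is not code from the poster or from any project in this thread. It assumes Ed25519 for the signatures, a name that is simply a hash of the owner's public key, a sequence number so peers can reject replayed older records, and an in-memory map standing in for the DHT; the names, addresses and the `Publish`/`Put` API are all hypothetical:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is the signed "location record" of the post: the name is derived
// from the owner's public key, so only the holder of the matching private
// key can publish or update it. Seq is a monotonic counter so peers can
// reject replays of older, already-superseded records.
type Record struct {
	Name   string            // hex(SHA-256(pubkey))[:32], the key-derived name
	Addr   string            // where the name currently points (hypothetical payload)
	Seq    uint64            // update counter, must increase on every publish
	PubKey ed25519.PublicKey // 32 bytes, travels with the record
	Sig    []byte            // Ed25519 signature over signingInput()
}

// NameFromKey turns a public key into the name it owns.
func NameFromKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// signingInput serialises the signed fields with length prefixes so that
// ("a","bc") and ("ab","c") cannot produce the same bytes.
func signingInput(r *Record) []byte {
	var buf []byte
	var n [8]byte
	for _, s := range []string{r.Name, r.Addr} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		buf = append(buf, n[:4]...)
		buf = append(buf, s...)
	}
	binary.BigEndian.PutUint64(n[:], r.Seq)
	return append(buf, n[:]...)
}

// Publish is what the key holder runs to announce a new address.
func Publish(priv ed25519.PrivateKey, addr string, seq uint64) *Record {
	pub := priv.Public().(ed25519.PublicKey)
	r := &Record{Name: NameFromKey(pub), Addr: addr, Seq: seq, PubKey: pub}
	r.Sig = ed25519.Sign(priv, signingInput(r))
	return r
}

var (
	ErrBadKey          = errors.New("public key has the wrong size")
	ErrNameKeyMismatch = errors.New("name is not derived from the record's key")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrReplay          = errors.New("sequence is not newer than the stored record")
)

// Store stands in for one peer's slice of the DHT: name -> newest valid record.
type Store struct{ recs map[string]*Record }

func NewStore() *Store { return &Store{recs: map[string]*Record{}} }

// Put is the check every peer performs before accepting a record from the
// network. There is no root and no registrar: these checks are the whole
// "authority" model. Tying a key to a human name like "Bank of America"
// is the part the post concedes is unsolved, and it is out of scope here.
func (s *Store) Put(r *Record) error {
	if len(r.PubKey) != ed25519.PublicKeySize {
		return ErrBadKey // ed25519.Verify panics on a malformed key, so check first
	}
	if NameFromKey(r.PubKey) != r.Name {
		return ErrNameKeyMismatch // someone else's key claiming this name
	}
	if !ed25519.Verify(r.PubKey, signingInput(r), r.Sig) {
		return ErrBadSignature // tampered with in transit, or forged outright
	}
	if old, ok := s.recs[r.Name]; ok && r.Seq <= old.Seq {
		return ErrReplay // stale record replayed to roll the address back
	}
	s.recs[r.Name] = r
	return nil
}

// Lookup resolves a name to its current address.
func (s *Store) Lookup(name string) (string, bool) {
	r, ok := s.recs[name]
	if !ok {
		return "", false
	}
	return r.Addr, true
}

func main() {
	_, owner, _ := ed25519.GenerateKey(rand.Reader)
	_, thief, _ := ed25519.GenerateKey(rand.Reader)
	peer := NewStore()

	rec := Publish(owner, "192.0.2.10", 1) // constructed addresses throughout
	fmt.Println("owner publishes:", peer.Put(rec))

	forged := Publish(thief, "198.51.100.7", 2)
	forged.Name = rec.Name // try to squat the owner's name with another key
	fmt.Println("thief squats:   ", peer.Put(forged))

	tampered := *rec
	tampered.Addr = "198.51.100.7" // change the address without the key
	fmt.Println("tampered:       ", peer.Put(&tampered))

	fmt.Println("replay of seq 1:", peer.Put(rec))
	fmt.Println("owner update:   ", peer.Put(Publish(owner, "192.0.2.11", 2)))
	addr, _ := peer.Lookup(rec.Name)
	fmt.Println("lookup:", addr)
}
```

Run it and the squatting, tampering and replay attempts are rejected while the owner's update goes through. Note what the scheme does not give you: nothing binds the key to a name a human would type, and a lost private key is a name lost forever, because there is no registrar to appeal to. That is the flip side of "no name confiscation".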

Re:Non hierarchical naming (1)

AuMatar (183847) | more than 2 years ago | (#38700344)

Ooh, I know. We could have a central authority that serves the domain->key mappings via an internet protocol. We could call it DKS- domain key service.

Or you know, that could be why it was hierarchical to begin with. Peer to peer isn't always the right answer.

Re:Non hierarchical naming (1)

complete loony (663508) | more than 2 years ago | (#38700438)

Or have a few trusted entities that sign your key and name record. SSL anyone? Or allow duplicates with a web of trust. And allow URLs to use the above public key for cross domain links.

Re:Non hierarchical naming (1)

TheRaven64 (641858) | more than 2 years ago | (#38697910)

A few people have done it. It hasn't caught on, because it's a stupid idea.

Peer to peer name resolution is pretty easy, the problem is authority. DNS doesn't just give an arbitrary mapping from names to IP addresses, it gives a mapping that the whole world agrees on. That is the bit that is hard to do. With DNS, this is simple. Each tier is authoritative for each subdomain. In a p2p system, who is responsible for allocating foo.bar (or slashdot.org)? With DNSSEC, it's actually quite easy to add a p2p layer on top of DNS for resolution - DNS caches could easily discover each other and send queries to each other before checking the authoritative server.

Re:Non hierarchical naming (1)

Anonymous Coward | more than 2 years ago | (#38697476)

Already working on it.
- P2P - No concept of "authority".
- Based on a web of trust with cascading rulesets - Impossible to poison, unless you personally trusted the wrong person.
- Graph [wikipedia.org] -based - Structured like the human mind or society, based on fractional associations.
- File system driver - Why not follow the UNIX philosophy? Makes it compatible to *everything* and child's play to use.
- Obviously possible to be tunnelled over everything, like encryption, compression, etc.
- Written in Haskell, verified in QuickCheck, so good luck with those buffer overruns and the like.

The only reason I'm not already done with it, is lack of financing. (Gotta eat something too, and had to learn Haskell plus a load of other stuff first.)
(By the way: If you want to code something like that too, go ahead. If you're done before me, there will be no hard feelings. In fact I will probably send you a thank you note, and promote you. :)

Re:Non hierarchical naming (0)

Anonymous Coward | more than 2 years ago | (#38704940)

You forgot to provide a link to - ohh I don't know... -
Documentation?
A manifesto?
Code?

Re:Non hierarchical naming (0)

Anonymous Coward | more than 2 years ago | (#38705560)

Sorry mate. I don't want people to run around with half-done code, misinterpret it, make half-assed stuff on it, and then blame me for it becoming something shitty. Been there, had it happening to me.
It has to be done and finished at its core, so that nobody can mess up the concepts anymore. And then if there is any modification to the core, I will not want anyone to say it is related to my code anymore, unless I approved it.
Sorry. Too many bad experiences.

(Also, it's part of a bigger project on the scale of a OS replacement, so we'll see...)

Re:Non hierarchical naming (1)

justforgetme (1814588) | more than 2 years ago | (#38710938)

an OS in Haskell? Count me in :-D

Anyway, if you want to share some insight on the DNS app get in touch.

Re:Non hierarchical naming (0)

Anonymous Coward | more than 2 years ago | (#38700896)

You always have /etc/hosts at your disposal ...

BIND alternatives (5, Informative)

MaraDNS (1629201) | more than 2 years ago | (#38696276)

Since this is about BIND, let me start the inevitable thread about the BIND alternatives.

BIND [isc.org] is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE [nist.gov]

Unbound [unbound.net] and NSD [nlnetlabs.nl] are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE [nist.gov] Unbound CVE [nist.gov]

PowerDNS [powerdns.com] (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE [nist.gov]

MaraDNS [maradns.org] . I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE [nist.gov]

DjbDNS [cr.yp.to] . Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems [nist.gov] (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq [sourceforge.net] is a currently maintained unofficial fork.

There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones [linuxmafia.com]

Re:BIND alternatives (1)

LordLimecat (1103839) | more than 2 years ago | (#38697442)

Theres also Windows DNS :D
Pretty sure its based on Bind though, and is missing some features.

Re:BIND alternatives (1)

TheRaven64 (641858) | more than 2 years ago | (#38697922)

Unbound and NSD are a suite of DNS servers from the same people One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet

I thought bind was bloated, but unbound includes an HTTP server and client as well? That brings bloat to a whole new level. Is it based on EMACS?

Re:BIND alternatives (0)

Anonymous Coward | more than 2 years ago | (#38699444)

You didn't understand the comment you replied to. Read again.

Re:BIND alternatives (1)

TheRaven64 (641858) | more than 2 years ago | (#38699570)

I did. A DNS server / resolver has nothing to do with putting web pages online or for finding them. A DNS server puts your computer in a global human-readable namespace. A DNS resolver finds computers.

Re:BIND alternatives (1)

MaraDNS (1629201) | more than 2 years ago | (#38700048)

Voice-Family: Leo having a conversation with Sheldon [wikipedia.org] in an episode of "The Big Bang Theory".

No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.

To make the pedants happy: A DNS server is, if you will, akin to an office suite. Yeah, what's really going on is that there is an "authoritative DNS server" that serves arbitrary name-to-data mappings so that programs called "recursive DNS servers" can give said mapping to a client program and there's also non-recursive forwarding DNS servers and blah blah blah. I think the audience is falling asleep at this point...

Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers. However, if someone were willing to sponsor it, I would be perfectly happy to make a version of MaraDNS that uses SINK RRs [ietf.org] and dynamic updates to allow people to perform document collaboration via DNS.

Re:BIND alternatives (1)

TheRaven64 (641858) | more than 2 years ago | (#38700232)

No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.

You realise that this is Slashdot, right? I.e. your audience is fairly technical people, not folks who don't know the difference between the web and the Internet. More specifically, this is an article about BIND, on Slashdot, meaning anyone reading your post is likely to have at least a basic understanding of what DNS is and (at least a vague idea of) how it works. You could have explained the same thing, without talking nonsense about web pages, in any of these ways, depending on how much detail you wanted to give:

  • One (NSD) acts as an authoritative DNS server the other (Unbound) as a DNS cache.
  • One (NSD) serves your DNS records to others, the other (Unbound) caches DNS lookups for your network.
  • One (NSD) publishes host names, the other (Unbound) looks up addresses on behalf of clients and caches them.

See? You don't have to talk complete nonsense when you simplify things, you just have to explain what you actually mean, in simple terms. Explanations like yours given to people who don't know much about computers are why we end up with people creating a 'GUI interface using visual basic to track the killers IP address' in CSI.
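As an added example (not code from any poster, nor from NSD, Unbound or BIND), here is the distinction in the list above as it shows up on the wire: an authoritative server answers with the AA bit set, a recursive cache answers with RA set, and a client asks for recursion with RD. The Go code builds a query, parses the 12-byte header, and classifies three constructed reply headers; the reply bytes, the query ID and the name slashdot.org are made-up inputs:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Header is the fixed 12-byte DNS message header (RFC 1035 section 4.1.1).
type Header struct {
	ID      uint16
	QR      bool // 1 = response
	Opcode  uint8
	AA      bool // authoritative answer: set by a server that owns the zone
	TC      bool // truncated
	RD      bool // recursion desired: set by the client, echoed by the server
	RA      bool // recursion available: set by a server willing to recurse
	RCode   uint8
	QDCount uint16
	ANCount uint16
	NSCount uint16
	ARCount uint16
}

// ParseHeader decodes the first 12 bytes of a DNS message.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("dns: message shorter than 12-byte header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID:      binary.BigEndian.Uint16(msg[0:2]),
		QR:      flags&0x8000 != 0,
		Opcode:  uint8(flags>>11) & 0x0F,
		AA:      flags&0x0400 != 0,
		TC:      flags&0x0200 != 0,
		RD:      flags&0x0100 != 0,
		RA:      flags&0x0080 != 0,
		RCode:   uint8(flags & 0x000F),
		QDCount: binary.BigEndian.Uint16(msg[4:6]),
		ANCount: binary.BigEndian.Uint16(msg[6:8]),
		NSCount: binary.BigEndian.Uint16(msg[8:10]),
		ARCount: binary.BigEndian.Uint16(msg[10:12]),
	}, nil
}

// Role says which kind of server answered, from header bits alone:
// an authoritative server (NSD) sets AA, a recursive cache (Unbound) sets RA.
func Role(h Header) string {
	switch {
	case !h.QR:
		return "query, not a response"
	case h.AA:
		return "authoritative"
	case h.RA:
		return "recursive (caching)"
	default:
		return "non-recursive, not authoritative (forwarder or refused)"
	}
}

// BuildQuery encodes a minimal query: header, then QNAME/QTYPE/QCLASS.
// rd controls the RD bit; a recursive server honours it, an authoritative
// server ignores it and answers only for the zones it serves.
func BuildQuery(id uint16, name string, qtype uint16, rd bool) ([]byte, error) {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:2], id)
	if rd {
		binary.BigEndian.PutUint16(msg[2:4], 0x0100)
	}
	binary.BigEndian.PutUint16(msg[4:6], 1) // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("dns: bad label %q", label)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label terminates QNAME
	var tail [4]byte
	binary.BigEndian.PutUint16(tail[0:2], qtype)
	binary.BigEndian.PutUint16(tail[2:4], 1) // class IN
	return append(msg, tail[:]...), nil
}

// Constructed 12-byte reply headers (no body) for the three server kinds.
var (
	AuthReply    = []byte{0x12, 0x34, 0x85, 0x00, 0, 1, 0, 1, 0, 0, 0, 0} // QR|AA|RD
	CacheReply   = []byte{0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0} // QR|RD|RA
	RefusedReply = []byte{0x12, 0x34, 0x81, 0x05, 0, 1, 0, 0, 0, 0, 0, 0} // QR|RD, RCODE=5
)

func main() {
	q, _ := BuildQuery(0x1234, "slashdot.org", 1, true) // type A, recursion desired
	fmt.Printf("query: % x\n", q)
	for _, reply := range [][]byte{AuthReply, CacheReply, RefusedReply} {
		h, _ := ParseHeader(reply)
		fmt.Printf("rcode=%d -> %s\n", h.RCode, Role(h))
	}
}
```

The same `Role` check is the classic open-resolver test: if a server answers a recursion-desired query from an address it has no business serving and the reply carries RA, it will recurse for anyone, which is exactly what DNS amplification attacks rely on. An authoritative-only server such as NSD never sets RA.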

Re:BIND alternatives (1)

MaraDNS (1629201) | more than 2 years ago | (#38700366)

Sigh. I give up. Yes, I was technically being a little inaccurate, and yes, there are a zillion ways I could have explained that entire mess better, such as linking to Rick's excellent explanation of different DNS server types [linuxmafia.com] .

It frustrates and annoys me that you are being so dang pedantic about the issue. I think it would do you well to think about why it is that you annoy a lot of people [slashdot.org] .

Re:BIND alternatives (1)

TheRaven64 (641858) | more than 2 years ago | (#38700870)

It frustrates and annoys me that you are being so dang pedantic about the issue

I made a cheap joke about your poor phrasing, the AC contradicted the (correct) assertion it contained, and then you chimed in trying to justify your inaccuracy. I would have let it go at the start with the first comment, or if you'd just said 'yes, it's an oversimplification' but you decided to jump straight into ultra-patronising mode with:

Voice-Family: Leo having a conversation with Sheldon [wikipedia.org] in an episode of "The Big Bang Theory".

And then, of course, you feel the need to respond with this:

I think it would do you well to think about why it is that you annoy a lot of people [slashdot.org].

A link to my foes page? Seriously? As evidence that I annoy 'a lot of people'? Try clicking on some of those names sometime and checking their posting history: most of them are persistent trolls that I've called out, like first-post-troll '(1337) God' or guy-who-posts-stories-about-having-sex-with-children 'Oliver Newland'. And, since we're being childish, let's look at some other pages like my fans page [slashdot.org] , which I haven't looked at for a couple of years, and now seems to contain almost 20 times as many entries as my freaks page.

Seems like a pretty good ratio to me. If you're not offending anyone at all, then you're probably not saying anything of value, and I'm pretty happy with most of the people on my freaks page. Not saying much of interest to anyone, by the way, seems to be a description of you that it appears only two people would disagree with... [slashdot.org]

Re:BIND alternatives (1)

MaraDNS (1629201) | more than 2 years ago | (#38701472)

This conversation has hit the point that it's best continued in private email [samiam.org] . I am not going to reply to any more of your postings.

Re:BIND alternatives (0)

Anonymous Coward | more than 2 years ago | (#38710148)

This conversation has hit the point where I'm pretty sure I'm not ever going to use MaraDNS, and will discourage others from using it.

Re:BIND alternatives (1)

Candyban (723804) | more than 2 years ago | (#38708912)

A DNS server is, if you will, akin to an office suite

Is this some kind of inside joke like half of the code is dead (LibreOffice) or there are many different formats doing the same?

I am totally lost and confused by your "analogy". The whole idea about an analogy is that you make it SIMPLE by using well known concepts.

Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers

So then what were you saying? It is like powerpoint? Or Outlook?

Please do not take this wrong way. It is meant as positive criticism: try to find better analogies, it helps the both of us. :)

Re:BIND alternatives (1)

MaraDNS (1629201) | more than 2 years ago | (#38710948)

It's akin to an office suite because -- except for BIND, which is monolithic -- you have two distinct programs with different functions: The authoritative and recursive program. Just like you have a word processor and spreadsheet in an office suite.

Rick Moen explains it quite well [linuxmafia.com] .

Re:BIND alternatives (0)

Anonymous Coward | more than 2 years ago | (#38700488)

The number one reason why BIND sucks is the lack of support for DNSCurve. Even after admitting that DNSSEC sucks, Vixie, rather than support DNSCurve, insists on pushing DNSSEC garbage. Bernstein must've really gotten under his skin.

Re:BIND alternatives (1)

MaraDNS (1629201) | more than 2 years ago | (#38701488)

Last time I looked at DNSCurve, it has absolutely no traction [blogspot.com] . None of the five DNS servers I listed above -- not even djbdns -- come with DNSCurve support.

Re:BIND alternatives (0)

Anonymous Coward | more than 2 years ago | (#38702050)

That doesn't mean the most popular server shouldn't support it. They could have been first. The protocol is well documented.

Distributed DNS (3, Interesting)

Anonymous Coward | more than 2 years ago | (#38696316)

We are sick and tired of being threatened by our governments on behalf of failing business models (MAFIAA)

We want distributed DNS (like this: http://dot-bit.org/Main_Page [dot-bit.org] )

(For non-techies: Think of DNS servers functioning like BitTorrent.)

Re:Distributed DNS (1)

Anonymous Coward | more than 2 years ago | (#38696398)

I don't understand the tech details, and would appreciate your thoughts on why the global community can't just launch a tld like "nonusa", and have nameservers that the US can't attack. Then we could have registrars hand out .com.nonusa and so on.
Doable?

Re:Distributed DNS (0)

Anonymous Coward | more than 2 years ago | (#38696414)

Genuine question here, not trying to be a smartass or anything.
If nobody controls it, what's stopping someone from stealing your domain?

Re:Distributed DNS (0)

Anonymous Coward | more than 2 years ago | (#38697588)

>If nobody controls it, what's stopping someone from stealing your domain?

A stolen domain would be like a corrupted segment in the BitTorrent analogy.

Re:Distributed DNS (1)

TheRaven64 (641858) | more than 2 years ago | (#38697948)

In BitTorrent, you download a .torrent file that contains checksums allowing you to validate the segments. Where do you get the equivalent in this system? Who is responsible for deciding whether a particular name to IP mapping in the system is authoritative?

Creating a distributed read-only key-value store is not an especially difficult system, the difficult bit is defining authority.

Re:Distributed DNS (1)

icebraining (1313345) | more than 2 years ago | (#38697844)

It's a distributed system. You can only take control of a domain if the majority of the peers in the network agree to it, and they're configured to reject "hostile takeovers".

Re:Distributed DNS (2)

LordLimecat (1103839) | more than 2 years ago | (#38697466)

As another responder further in the thread mentioned, plans like this are all well and good, good luck getting them to be used before 2020. (See: DNSSEC, IPv6)

Even SPF took a few years to meet widespread adoption, and that only required a single TXT record for a domain to secure itself, and was highly compatible with non-SPF users. An alternative naming system, on the other hand, would be useless in proportion to the number of users not on it.

Re:Distributed DNS (0)

Anonymous Coward | more than 2 years ago | (#38706194)

The hardest part on the Internet is establishing authenticity: are you who you say you are? With normal "hierarchical" DNS this is done with static IPs which are closely guarded. On dynamic IPs and peer-to-peer networks I imagine this is the hardest thing to make happen. The worst scenario is that a group can take your distributed DNS name and receive your email. I'm sure no one wants that done. Anyhow I wish you luck; my take is that 10 years from now people will still want distributed DNS but are empty handed on what to use to establish authenticity.

Good luck,

-some dude

As someone who's maintained bind servers... (2, Funny)

jimmydigital (267697) | more than 2 years ago | (#38696594)

I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Others look more like some over-the-hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big starring role. Give it up BIND... it's not going to happen.

Re:As someone who's maintained bind servers... (0)

Anonymous Coward | more than 2 years ago | (#38696634)

I say KILL IT WITH FIRE! And while they are readying the bonfire... hunt down sendmail as well. Some software ages gracefully... like a fine wine... and gets better over the years. Others look more like some over-the-hill celebrity who's had way too much work done on their face just so they can pretend to still be relevant and land that last big starring role. Give it up BIND... it's not going to happen.

Can I get an AMEN???

Re:As someone who's maintained bind servers... (1)

Anonymous Coward | more than 2 years ago | (#38696702)

bind and sendmail will die when they have outlived their usefulness.

Re:As someone who's maintained bind servers... (1)

mvdwege (243851) | more than 2 years ago | (#38697440)

As someone still maintaining a BIND9 deployment, I have to ask: do you have any arguments to go with that rant? Because I don't have any problems.

Re:As someone who's maintained bind servers... (1)

laffer1 (701823) | more than 2 years ago | (#38698002)

My only complaint about BIND 9 is setting up DNSSEC. They're working on it, and 9.8 made it a bit easier, but it's still a hassle. DNS has always been a set it up and forget it service until now.

Re:As someone who's maintained bind servers... (1)

mvdwege (243851) | more than 2 years ago | (#38698222)

We don't use DNSSEC, so that's probably why I find BIND9 to be trouble free.

We do a lot of host mutations though, so I get to work a lot with BIND. The only hassle is to remind myself to update the zone serials.
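A worked example for the serial bookkeeping mentioned in the post above, added here and not taken from that setup or from BIND itself. It assumes the usual YYYYMMDDnn serial convention, a constructed edit date of 15 January 2012, and a hypothetical runaway serial 2102011501 (a year typo) to show the recovery path:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// SerialGreater is the RFC 1982 comparison a secondary applies when it sees
// a new SOA: s1 > s2 iff (s1 - s2) mod 2^32 lies between 1 and 2^31 - 1.
// Plain integer comparison gives the wrong answer around the 32-bit wrap.
func SerialGreater(s1, s2 uint32) bool {
	diff := s1 - s2 // uint32 subtraction wraps mod 2^32
	return diff != 0 && diff < 1<<31
}

// NextSerial bumps a serial in the YYYYMMDDnn convention while guaranteeing
// the result compares greater than current in serial arithmetic, which is the
// only thing zone transfers care about. A serial that has run ahead of the
// calendar keeps counting instead of silently freezing replication.
func NextSerial(current uint32, now time.Time) uint32 {
	y, m, d := now.UTC().Date()
	today := uint32(y)*1000000 + uint32(m)*10000 + uint32(d)*100 // YYYYMMDD00
	candidate := today
	if current >= today && current < today+100 {
		candidate = current + 1 // already edited today: nn++
	}
	if !SerialGreater(candidate, current) {
		candidate = current + 1 // serial is ahead of today: keep counting
	}
	return candidate
}

// RepairSteps returns the two serials that bring a runaway serial back down
// to desired without any secondary ever seeing a "smaller" one: first
// current + (2^31 - 1), the largest single increment RFC 1982 allows, then
// desired, which must compare greater than that intermediate value. Each
// step has to reach every secondary before the next one is applied.
func RepairSteps(current, desired uint32) ([2]uint32, error) {
	if SerialGreater(desired, current) {
		return [2]uint32{}, errors.New("desired already compares greater: no repair needed")
	}
	step1 := current + (1<<31 - 1)
	if !SerialGreater(desired, step1) {
		return [2]uint32{}, errors.New("desired is not reachable in two steps")
	}
	return [2]uint32{step1, desired}, nil
}

func main() {
	today := time.Date(2012, time.January, 15, 12, 0, 0, 0, time.UTC) // constructed date
	fmt.Println(NextSerial(2011123105, today))       // first edit of the day
	fmt.Println(NextSerial(2012011500, today))       // second edit of the day
	fmt.Println(NextSerial(2102011501, today))       // year typo, ahead of calendar
	fmt.Println(SerialGreater(0, 0xFFFFFFFF))        // wrap-around still counts as greater
	fmt.Println(RepairSteps(2102011501, 2012011500)) // two-step fix for the typo
}
```

Secondaries only pull a zone when the new serial compares greater under RFC 1982 arithmetic, so a serial accidentally set a century ahead quietly stops propagation even though every later edit "looks" fine on the primary. The two-step repair (add 2^31 - 1, let everything transfer, then set the intended value) is the standard fix, and `RepairSteps` computes both values and refuses when the target is unreachable that way.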

Re:As someone who's maintained bind servers... (1)

otis wildflower (4889) | more than 2 years ago | (#38698662)

PowerDNS does autoserials with DB backends. It's quite handy.

Rant (1)

RedHat Rocky (94208) | more than 2 years ago | (#38697178)

My input for BIND 10:
Keep it. ISC, you suck.

Stuff I want to see (0)

Anonymous Coward | more than 2 years ago | (#38697990)

I want to see in BIND 10 (some of this might be overstepping...)
- integration with GeoIP as standard, or at least a way to build it plugged in
- integration with MySQL's threaded model.
(The above two are already possible in some form or another, but the patches are unmaintained or break DNSSEC)

Because of some political hot potatoes I also propose a few new features that also involve needing GeoIP or similar.
- Peer to Peer verification. Instead of just keeping a zone file, the DNS should periodically query the IP addresses it has on file if it "is still" that domain. Verify the private key.
- Anti-censorship provision (or working around braindead DNS servers) and GeoIP/CDN selection. This would require more changes to DNS itself, but the browser could send a geolocation-centric query, like "GA example.com (ISO-3166-2 code)" instead of an A record, and it gets a geocentric A record.

Competition is fun (1)

sgt scrub (869860) | more than 2 years ago | (#38698106)

Competing against the pros is an incentive for some alternative DNS projects. Why break what works?

DNSCurve (0)

Anonymous Coward | more than 2 years ago | (#38699326)

Support for DNSCurve.

http://dnscurve.org/

PowerDNS ftw (0)

Anonymous Coward | more than 2 years ago | (#38701386)

lol bind?
