BIND 9.1.2 and TinyDNS???

James Raftery james-bind-users at now.ie
Mon Jun 11 15:17:49 UTC 2001


On Mon, Jun 11, 2001 at 03:42:06PM +0200, Brad Knowles wrote:
> 	For one, it does not hand out referrals to questions that are 
> asked of zones it does not control.

... unless I, as the administrator, decide I want otherwise. It's my
choice. tinydns.domainregistry.ie:53 gives referrals because I want it
to. I like having that choice.

> 	Secondly, TinyDNS is an authoritative-only nameserver.  It is not 
> capable of caching.

That's quite correct. I see that as a feature myself as I always run
those services separately but, as you point out, that's not always
convenient for everyone.

> 	Thirdly, many sites want to have separate internal versions and 
> external versions of their DNS data.  Since you can't mix these two 
> services in the same program, you end up having to set up separate 
> external and internal TinyDNS servers, [ ... snip ... ]
> This could be much, much more easily done with 
> something like the "view" mechanism that is included with BIND 9.

tinydns does this with aplomb:
http://cr.yp.to/djbdns/faq/tinydns.html#differentiation

> 	Fourth, there is no support in TinyDNS or dnscache for the DNSSEC 
> extensions, whereby you can create cryptographically secure zones, 

True.

> 	Fifth, the code has had much less time to prove itself, and IMO 
> is much less stable.

Less stable than what? Bind8? We could compare the published
vulnerabilities in BIND8 that have surfaced during the lifetime of 
tinydns so far, but that wouldn't be nice :)

> there are still more sites out there running BIND 9 than there are 
> sites running TinyDNS.
> Heck, I'd be willing to bet that there are 
> probably more sites out there running the new alpha version of BIND 
> 9.2 than there are running TinyDNS.

FUD, FUD, FUD. What does that demonstrate? That people try different
software? Big deal.
More people drive Ford Mondeos (dull euro. family saloon) than Ferrari
360Ms (*drool*). What does that prove?

> Dan's $500 security hole guarantee, this doesn't help you one damn 
> bit if a security hole is actually discovered, and your entire 
> network is compromised and you have to spend many hours and thousands 
> or tens of thousands of dollars worth of person-hours to recover. 

Yes, very true. How many networks have been compromised through BIND holes
in the past six months? How many have been compromised by tinydns holes?

> 	Sixth, there is relatively little documentation or support for 
> TinyDNS.  Your support network is limited to Dan and his fanatics. 

There are a number of companies supplying commercial support for djbdns.
Dan's "fanatics" (you took your hyperbole pill this morning, didn't
you?) are keen to help. They (we?) would like djbdns to get a fair
hearing, so they try to help people out, in the same way this list works.

> Early testing with BIND 9.2 indicates that 
> it eliminates some critical bottlenecks in BIND 9.1.2, which means it 
> should be even faster.  Bill Manning has also reported some 
> performance problems they've seen with TinyDNS.

I haven't seen any hard figures (if they exist please point me at them)
but I know it's fast enough for me.

I'm not saying djbdns is perfect or that Dan Bernstein is god; it's
worth looking at and deciding if it's good for you. BIND and djbdns can
stand up against each other on their merits. Neither needs FUD. If
anybody's going to be taking a slice at either please get your facts
straight.


james
 - A contented djbdns /and/ BIND user.
-- 
James Raftery (JBR54)
  "It's somewhere in the Red Hat district"  --  A network engineer's
   freudian slip when talking about Amsterdam's nightlife at RIPE 38.
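Added example (not part of James's message, and not code from djbdns or BIND): the "differentiation" feature referred to above is tinydns-data's `%lo:ipprefix` lines plus the trailing location field on each record, which is how one tinydns serves different answers to internal and external clients without views or a second server. The script below models that mechanism in Python: it parses a small constructed data file (hypothetical names and addresses) and computes which address a given client would be handed. The matching rule used here, longest matching dotted-octet prefix wins and an empty prefix or an empty record location matches everyone, is this example's reading of the tinydns-data format and is labelled as an assumption in the code; check it against the tinydns-data documentation before relying on it.

```python
"""Model of tinydns-data client differentiation (split horizon).

Constructed example, not djbdns code. It shows how a "%" location line and
the trailing location field of a record select the answer a client sees.
"""
import ipaddress

# Constructed data file in tinydns-data syntax; names and addresses are
# hypothetical. "in" = clients in 10/8 or 192.168/16, "ex" = everyone else.
DATA = """\
%in:10
%in:192.168
%ex:
+www.example.com:10.0.0.5:86400::in
+www.example.com:198.51.100.7:86400::ex
+ns1.example.com:198.51.100.2:86400::
"""

# 0-based index (after the type character is stripped and the line split on
# ':') of the location field for the record types this example understands.
_LOC_FIELD = {'+': 4, '=': 4, 'C': 3, "'": 3, '^': 3, '.': 5, '&': 5, '@': 6}


def parse_data(text):
    """Split a tinydns-data file into (locations, records).

    locations: list of (lo, [prefix octets]) in file order.
    records:   list of (type char, ':'-split fields).
    """
    locations, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        kind, fields = line[0], line[1:].split(':')
        if kind == '%':
            lo = fields[0]
            prefix = fields[1] if len(fields) > 1 else ''
            octets = prefix.split('.') if prefix else []
            if len(octets) > 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
                raise ValueError(f"bad ipprefix in %-line: {raw!r}")
            locations.append((lo, octets))
        elif kind in _LOC_FIELD:
            records.append((kind, fields))
        # other record types are ignored in this example
    return locations, records


def client_location(locations, client_ip):
    """Location code for client_ip, or None if no %-line matches.

    Assumption (this example's reading of tinydns-data): the longest matching
    dotted-octet prefix wins, and an empty prefix matches every client.
    """
    octets = str(ipaddress.IPv4Address(client_ip)).split('.')
    best, best_len = None, -1
    for lo, prefix in locations:
        if octets[:len(prefix)] == prefix and len(prefix) > best_len:
            best, best_len = lo, len(prefix)
    return best


def answers(text, client_ip, name):
    """Addresses the server would hand client_ip for +/= records of name."""
    locations, records = parse_data(text)
    lo = client_location(locations, client_ip)
    out = []
    for kind, fields in records:
        if kind not in ('+', '=') or fields[0].lower() != name.lower():
            continue
        idx = _LOC_FIELD[kind]
        rec_lo = fields[idx] if len(fields) > idx else ''
        # An empty location on a record means it is visible to every client.
        if rec_lo == '' or rec_lo == lo:
            out.append(fields[1])
    return out


if __name__ == "__main__":
    for client in ("10.1.2.3", "192.168.7.7", "203.0.113.9"):
        print(client, client_location(parse_data(DATA)[0], client),
              answers(DATA, client, "www.example.com"))
```

The security-relevant point is the same one Brad's "views" comment makes from the BIND side: the internal address never leaves the data set, but it is the source IP of the query that selects it, so anyone who can send queries from (or spoof) an address inside the `%in` prefixes sees the internal answers. Over UDP that is a weak control; the separate internal and external servers James mentions running are the stronger arrangement.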


More information about the bind-users mailing list