Speed of BIND vs. W2k DNS

David R. Conrad david.conrad at nominum.com
Fri Dec 22 05:03:23 UTC 2000


Jozef,

At 03:09 AM 12/21/2000 +0000, Jozef Skvarcek wrote:
>Enlighten me, please, because I need all arguments I can get.
>I am competing with W2k DNS in supporting mainly DDNS,

Both BIND and W2KDNS support Dynamic DNS, however see below.

>DNSSEC,

BIND version 9 fully implements DNSSEC (well, almost, signing of wildcarded 
zones is not supported).  BIND 9 also supports "Simple Secure Update" which 
is the DNSSEC way to do secure dynamic updates.  W2KDNS supports neither.

>TSIG,

BIND supports IETF standard HMAC-MD5 TSIG.  Microsoft has implemented their
own GSS-TSIG.  To date, it has been impossible for anyone to write a
GSS-TSIG that interoperates with Microsoft's; in fact, Microsoft had until
fairly recently refused to fully document some required pieces.  Microsoft
has (pretty much) fixed this, but there are still some issues that need to
be worked out before anyone can implement an interoperable version of
GSS-TSIG.  Microsoft does not support HMAC-MD5 TSIG.

As a result of both issues, it is not possible to do secure updates between 
BIND and W2KDNS although I believe unsecured updates work (haven't tried it 
myself).

>overall security and split zones.

BIND version 9 is a complete rewrite of BIND, so the various security 
problems plaguing BIND versions 4 and 8 will not be an issue.  BIND version 
9 supports "views", a relatively easy way of doing split DNS.  I don't 
believe split DNS is supported in W2KDNS (but could be wrong).  BIND 
version 9 supports all the ACLs and permission controls found in BIND 
version 8, not sure what W2KDNS does for permission controls.  BIND version 
9 is Open Source, so if you wish to review the code, you can.  W2KDNS is 
proprietary binary-only.

In addition, BIND version 9 fully supports IPv6 (if you care), and 9.1 has 
a "simplified database" (SDB) interface that facilitates integrating the 
DNS server with (e.g.,) SQL databases (a Postgres/SQL database driver is 
provided as an example), embedded languages for (e.g.) synthesizing common 
responses for zones that vary only slightly (a Tcl driver is provided as an 
example), and I've seen a posting for an LDAP driver to integrate the DNS 
with LDAP.  Also, in case it comes up, Nominum can provide commercial 
support contracts for BIND version 9.

Hope this helps.

Rgds,
-drc
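
What the HMAC-MD5 TSIG mentioned in the message above authenticates on a dynamic update, as an added example that is not part of the original post and is not BIND's code: the MAC covers the update message plus the TSIG variables defined in RFC 2845. The key name, secret, timestamp and update contents are constructed sample values.

```python
import hashlib, hmac, struct

ALG = "hmac-md5.sig-alg.reg.int"   # RFC 2845 algorithm name for HMAC-MD5

def wire_name(name):
    """Canonical wire form: lower-case, uncompressed, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge):
    """The TSIG fields that are digested together with the DNS message."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)                  # CLASS ANY, TTL 0
            + wire_name(ALG)
            + struct.pack("!HIH", time_signed >> 32,      # 48-bit time signed
                          time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", 0, 0))                   # error, other len

def tsig_sign(secret, message, key_name, time_signed, fudge=300):
    """MAC over a request: message (without the TSIG RR) + TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()

def tsig_verify(secret, message, key_name, time_signed, fudge, mac, now):
    """Receiver-side check; returns the TSIG error name that would be reported."""
    expected = tsig_sign(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):            # constant-time compare
        return "BADSIG"
    if abs(now - time_signed) > fudge:                    # limits replay window
        return "BADTIME"
    return "NOERROR"

def sample_update():
    """Constructed UPDATE: add host.example.com A 192.0.2.10 to zone example.com."""
    header = struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone = wire_name("example.com") + struct.pack("!HH", 6, 1)    # SOA, IN
    rr = (wire_name("host.example.com") + struct.pack("!HHIH", 1, 1, 300, 4)
          + bytes([192, 0, 2, 10]))
    return header + zone + rr

if __name__ == "__main__":
    key, secret = "ddns-key.example.com", b"constructed-shared-secret"
    msg, t = sample_update(), 977461403                   # constructed timestamp
    mac = tsig_sign(secret, msg, key, t)
    print(tsig_verify(secret, msg, key, t, 300, mac, t + 20))            # accepted
    print(tsig_verify(secret, msg + b"\x00", key, t, 300, mac, t + 20))  # tampered
    print(tsig_verify(secret, msg, key, t, 300, mac, t + 900))           # stale
```

Later TSIG algorithms such as hmac-sha256 use the same construction with a different hash and algorithm name.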




More information about the bind-users mailing list