bind vs djbdns

D. J. Bernstein 75628121832146-bind at sublist.cr.yp.to
Tue Sep 5 22:30:14 UTC 2000


Jim Reid, Nominum employee, writes:
> BIND happens to implement those open and interoperable standards.

Let's get a few things straight here.

First, the DNS ``standards'' that I haven't implemented are not required
for DNS interoperability. IXFR, for example, is an entirely optional
``Proposed Standard.'' People handle BIND's rickety IXFR implementation
by simply turning it off; zone transfers work without IXFR.

(In contrast, BIND's failure to handle new RR types is a violation of
the _required_ protocol, and causes real interoperability problems.
Similarly, BIND's incorrect compression algorithm in versions 4.9.*
through 8.1.2---still used on a.root-servers.net---is a violation of the
_required_ protocol, and causes real interoperability problems.)

Second, the same ``standards'' were written as documentation of features
that the BIND company had already implemented or planned to implement.
Often Paul Vixie is the author. When you say that BIND ``happens to
implement'' these features, you are not telling the truth.

Third, IXFR is not the only way to incrementally replicate DNS data. The
rsync protocol is incremental; it provides better compression than IXFR;
and the software actually works. Many people are happily using rsync
today. When you say ``IXFR'' rather than ``incremental replication,''
you are not thinking from the user's point of view. The same comment
applies to several more of your ``standards.''

Fourth, specifications that the BIND company doesn't like are blocked by
a committee packed with people who---like you---have financial interests
in BIND. An RFC explaining the nice features of DNS replication through
rsync+ssh, for example, won't be published unless the BIND company
decides to start using rsync+ssh itself.

> > Brief answers to your other questions: DNS over TCP, IXFR,
> > NOTIFY, and BIND's pathetic anti-forgery mechanisms have
> > already been discussed.
> ...and your server doesn't implement or support them.

False. There's better support for DNS-over-TCP in djbdns than there is
in BIND. Your entire complaint is that TCP queries from other sites are
rejected _by default_; but this is the right behavior for most servers,
as discussed in http://cr.yp.to/djbdns/faq/tinydns.html#tcp.

> You have repeatedly failed to give straight answers to straight
> questions on these topics.

What question have I failed to answer? I've repeatedly made clear that
I didn't implement IXFR, NOTIFY, and TSIG because my users already have
better solutions to the same problems. I've repeatedly pointed out my
web page discussing DNSSEC: http://cr.yp.to/djbdns/forgery.html. RTFM.

---Dan


