BIND 9.1.2 and TinyDNS???
Brad Knowles
brad.knowles at skynet.be
Mon Jun 11 16:11:59 UTC 2001
At 4:17 PM +0100 6/11/01, James Raftery wrote:
> ... unless I, as the administrator, decide I want otherwise. It's my
> choice. tinydns.domainregistry.ie:53 gives referrals because I want it
> to. I like having that choice.
By not handing out referrals by default, I believe that TinyDNS
is in violation of the spirit of the RFCs, if not the letter.
> tinydns does this with aplomb:
> http://cr.yp.to/djbdns/faq/tinydns.html#differentiation
Thank you for pointing out this URL. Right there on the same
page (one paragraph down) is a note that TinyDNS does not support the
use of TCP by default, which I consider to be another big problem.

As the world gets older, and the data being slung around by
nameservers gets larger, more and more sites are going to have
problems with DNS UDP packet truncation, and those queries should be
restarted with TCP. However, by default, TinyDNS will not support
that behaviour, which IMO is very seriously broken. Again, I see
this as a direct violation of the RFCs.
> Less stable than what? Bind8? We could compare the published
> vulnerabilities in BIND8 that have surfaced during the lifetime of
> tinydns so far, but that wouldn't be nice :)
Less stable in general. Think about encryption algorithms. You
absolutely never want to trust one, just because it was written by
someone who theoretically knows what he's doing. Ron Rivest wrote
RC4 (his fourth algorithm), and at the time it was believed to be
reasonably secure. Since then, it has been found to have a
number of flaws which prevent it from being seriously considered for
use by most cryptographers. It took a long time before people
started to actually trust DES. I'm sure that the same will be true
for Rijndael, too.

Fundamentally, TinyDNS (and all of Dan's DNS-related programs)
simply have not existed for a long enough period of time, being
tested on a large enough sample of machines, by a broad enough group
of sites, for it to be seriously considered as a proven nameserver
solution.
> There are a number of companies supplying commercial support for djbdns.
Who are they? Where are they? How big are they? How much
experience do they have?

I'm not being facetious, I am seriously interested in the answers
to these questions.
> Dan's "fanatics" -you took your hyperbole pill this morning, didn't
> you- are keen to help. They (we?) would like djbdns to get a fair
> hearing so try to help people out, in the same way this list works.
This still doesn't answer the issues of the other sources of
information about BIND, relative to TinyDNS, or any other nameserver
for that matter. Having just a mailing list for support doesn't do
you any good when your nameserver is down and you can't send and/or
receive mail, and you can't afford to wait for help.

Having a mailing list for support doesn't do you any good when
you are in a situation where you are totally isolated from the
Internet, and the only help you can bring along is your own expertise
and read-only media (such as books and CD-ROMs).
> I haven't seen any hard figures (if they exist please point me at them)
> but I know it's fast enough for me.
See the stuff that Matt Simerson has posted on the subject. Also
take a look at the benchmarking information that Rick Jones has at
<ftp://ftp.cup.hp.com/dist/networking/briefs/>. I challenge you to
come anywhere close to those numbers with TinyDNS.

As for the performance problems Bill Manning has found, you'd
have to ask him about that. I don't recall seeing him post any
details on this subject.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
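
The UDP truncation and TCP retry behaviour discussed in the message above, as an added Python example that is not part of the original post. The transports are constructed stand-ins for a server (no network traffic), and all function names are hypothetical.

```python
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word (RFC 1035 4.1.1)

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header plus one question (class IN, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(message):
    """True if the TC bit is set in a DNS message header."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & TC_BIT)

def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def tcp_unframe(data):
    """Strip the 2-byte length prefix, rejecting short reads."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 < length:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + length]

def resolve(query, udp_send, tcp_send):
    """Ask over UDP; on TC=1 retry over TCP. Returns (response, status)."""
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    try:
        return tcp_unframe(tcp_send(tcp_frame(query))), "tcp"
    except OSError:
        # Server has no TCP listener: only the truncated answer is available.
        return reply, "truncated-no-tcp"

# Constructed transports standing in for a server; payload bytes are padding,
# not real resource records.
def _reply(query, flags, payload=b""):
    return query[:2] + struct.pack("!H", flags) + query[4:] + payload

def fake_udp_truncated(q): return _reply(q, 0x8300)  # QR=1, TC=1, RD=1
def fake_tcp_ok(framed): return tcp_frame(_reply(tcp_unframe(framed), 0x8100, b"\x00" * 600))
def fake_tcp_refused(framed): raise ConnectionRefusedError("no TCP listener on port 53")
```

The `truncated-no-tcp` status is the case the message objects to: the client sees TC=1 but has nowhere to retry, so it is left with a partial answer.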