BIND 8.2.3 versus 9.x.x ?? in production

Brad Knowles brad.knowles at skynet.be
Tue Mar 20 01:34:59 UTC 2001


At 9:37 PM +0000 3/19/01, Kerry M. Liles wrote:

>  I have recently heard that BIND 9 (not sure what sub version) is
>  "recommended" for production DNS servers. I would be interested in what the
>  consensus is in this forum.  Is 8.2.3 better or worse than 9.x.x and for
>  what specific reasons?

	BINDv9 is still somewhat slower than BIND 8.  So, if you've got 
an application where you're going to be pushing any more than about 
2000 queries per second through a suitably configured & tuned 
machine, then BINDv9 may not be a good idea just yet.  Other than 
that, I believe that the code is more secure and more robust than the 
older BIND 8 code.

	The one big problem is that I think there are still a few 
features available in BIND 8 that have not yet been made available 
with BINDv9.  If you need these features, that obviously drives your 
choice.


	NB: BINDv9 is also a lot more anal about requiring that certain 
things be done certain ways, and if you don't do that, it will simply 
refuse to run.  Under these same circumstances, BIND 8 will typically 
also complain, but is more likely to try to attempt to figure out 
what it should do in the face of incomplete or contradictory 
configuration information.

	Contrariwise, BINDv9 takes the attitude that if the information 
is incomplete or contradictory, then it shouldn't be attempting to 
make any guesses as to what it should do, and will at the very least 
simply refuse to load the zone -- the theory being that if it 
flat-out breaks things earlier, this will force you to fix them, as 
opposed to allowing the situation to fester until *real* problems are 
created.

>  I myself do not see any compelling reason to put 9.x.x into production, but
>  I would love to hear arguments to the contrary.

	BINDv9 may still feel a little raw to some people, who may be 
more comfortable sticking with BIND 8 for a while longer.

--
Brad Knowles, <brad.knowles at skynet.be>


