Speed of BIND vs. W2k DNS
David R. Conrad
david.conrad at nominum.com
Fri Dec 22 05:03:23 UTC 2000
Jozef,

At 03:09 AM 12/21/2000 +0000, Jozef Skvarcek wrote:
>Enlighten me, please, because I need all arguments I can get.
>I am competing with W2k DNS in supporting mainly DDNS,

Both BIND and W2KDNS support Dynamic DNS, however see below.

>DNSSEC,

BIND version 9 fully implements DNSSEC (well, almost, signing of wildcarded
zones is not supported). BIND 9 also supports "Simple Secure Update" which
is the DNSSEC way to do secure dynamic updates. W2KDNS supports neither.

>TSIG,

BIND supports IETF standard HMAC-MD5 TSIG. Microsoft has implemented their
own GSS-TSIG. To date, it has been impossible for anyone to write a
GSS-TSIG that interoperates with Microsoft's; in fact, Microsoft had until
fairly recently refused to fully document some required pieces. Microsoft
has (pretty much) fixed this, but there are still some issues that need to
be worked out before anyone can implement an interoperable version of
GSS-TSIG. Microsoft does not support HMAC-MD5 TSIG.

As a result of both issues, it is not possible to do secure updates between
BIND and W2KDNS although I believe unsecured updates work (haven't tried it
myself).

>overall security and split zones.

BIND version 9 is a complete rewrite of BIND, so the various security
problems plaguing BIND versions 4 and 8 will not be an issue. BIND version
9 supports "views", a relatively easy way of doing split DNS. I don't
believe split DNS is supported in W2KDNS (but could be wrong). BIND
version 9 supports all the ACLs and permission controls found in BIND
version 8; not sure what W2KDNS does for permission controls. BIND version
9 is Open Source, so if you wish to review the code, you can. W2KDNS is
proprietary binary-only.

In addition, BIND version 9 fully supports IPv6 (if you care), and 9.1 has
a "simplified database" (SDB) interface that facilitates integrating the
DNS server with (e.g.,) SQL databases (a Postgres/SQL database driver is
provided as an example), embedded languages for (e.g.) synthesizing common
responses for zones that vary only slightly (a Tcl driver is provided as an
example), and I've seen a posting for an LDAP driver to integrate the DNS
with LDAP. Also, in case it comes up, Nominum can provide commercial
support contracts for BIND version 9.

Hope this helps.

Rgds,
-drc
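
The "views" split DNS and HMAC-MD5 TSIG-keyed dynamic updates mentioned in the message above, shown as an added named.conf example that is not part of the original post or of BIND's own documentation. The key name, secret, networks, zone name and file paths are placeholders assumed for illustration.

```conf
// Constructed example: every name, network, path and the secret is a placeholder.
key "ddns-key" {
    algorithm hmac-md5;                    // the TSIG algorithm named in the message
    secret "REPLACE-WITH-BASE64-SECRET";   // shared with the updating client
};

acl "inside-nets" { 10.0.0.0/8; 192.168.0.0/16; };

// Split DNS: internal clients see the internal copy of the zone.
view "internal" {
    match-clients { "inside-nets"; };
    recursion yes;

    zone "example.com" {
        type master;
        file "internal/example.com.db";

        // Weak form (unsecured update): any host able to send from these
        // addresses can change the zone.
        //   allow-update { "inside-nets"; };

        // Keyed form: only updates carrying a valid TSIG MAC made with
        // ddns-key are accepted, regardless of source address.
        allow-update { key "ddns-key"; };
    };
};

// Everyone else sees the public copy; no recursion, no dynamic updates.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/example.com.db";
    };
};
```

named picks the first view whose match-clients list matches the client, so the internal view has to appear before the catch-all external one.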