Open Source BIND Alternative Launches

bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
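The summary describes Unbound as a recursive resolver that can validate DNSSEC. As an added example, not taken from the article or from the Unbound project's own files, here is a minimal unbound.conf for a current Unbound release (several of these directives post-date the 1.0 release discussed here) that turns validation on and limits recursion to local clients; the trust-anchor path and the 192.0.2.x addresses are assumptions, not values from the page.

```conf
# Added example: minimal validating-resolver configuration for a modern
# Unbound (not the project's shipped config). Assumes the root trust anchor
# lives at /var/lib/unbound/root.key, a common distribution default, and
# uses 192.0.2.0/24 (RFC 5737 documentation range) as a placeholder LAN.
server:
    # Listen on loopback and the LAN-facing address only, and answer
    # recursive queries from the local network only, so this is not an
    # open resolver that anyone on the Internet can use or amplify through.
    interface: 127.0.0.1
    interface: 192.0.2.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC: load the root trust anchor and let Unbound track key rollovers
    # (RFC 5011). module-config must include "validator" or nothing is checked.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"
    val-permissive-mode: no       # "yes" would hand bogus answers to clients
    harden-dnssec-stripped: yes   # SERVFAIL if a signed zone comes back unsigned
    harden-glue: yes              # only trust glue that is in-bailiwick
    val-log-level: 2              # log the reason when validation fails

    # Cache behaviour (the TTL point raised in the comments): honour the
    # zone owner's TTL rather than shortening it, but bound the maximum.
    cache-min-ttl: 0
    cache-max-ttl: 86400
    prefetch: yes                 # refresh popular records shortly before expiry

    # Do not advertise implementation details in CHAOS-class queries.
    hide-identity: yes
    hide-version: yes
```

After editing, `unbound-checkconf` validates the file, and `unbound-anchor` can bootstrap the root trust anchor if the distribution has not already placed one at the configured path.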
  • by Manip ( 656104 ) on Wednesday May 21, 2008 @08:23AM (#23490878)
    Both pieces of software are released under the same open source license, namely BSD.

    On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.

    Especially given the fact it sells itself as being more complex and big than its predecessor.
  • Re:djbdns (Score:5, Insightful)

    by Anonymous Coward on Wednesday May 21, 2008 @09:14AM (#23491400)
    It's also very small, extremely fast, highly modular, and extraordinarily robust. It could take the load of a root name server, if you had the bandwidth. It actually approaches the almost-mythical status of "bug-free software"; I certainly would be surprised by any remaining security or stability issues being discovered in it.

    The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.
  • by Anonymous Coward on Wednesday May 21, 2008 @09:32AM (#23491588)

    [...] kdawson should do a better job of editing to prevent biased postings like this.
    I don't care what your user ID says. You must be new here. :-)
  • Re:Feh.... (Score:4, Insightful)

    by schon ( 31600 ) on Wednesday May 21, 2008 @09:39AM (#23491678)

    Theo admits if he is wrong straight away
    WHAT!??!?!

    When Theo is wrong, he *immediately* launches personal attacks, never once admitting the reality of the situation. (Linux devs were "inhuman" because they posted a GPL violation in a *public* repo to that repo's mailing list.)

    What colour is the sky in your world?
  • Re:It's not... (Score:3, Insightful)

    by hey ( 83763 ) on Wednesday May 21, 2008 @09:42AM (#23491724) Journal
    Wouldn't "proxy DNS server" be a better term?
  • by num42 ( 614006 ) <zaphodb@zaphods.net> on Wednesday May 21, 2008 @10:00AM (#23491944) Homepage
    We use PowerDNS recursor at a large German DSL ISP and I simply must say it totally rocks. When we - which you can read as 'I' btw. ;-) - were still on BIND9.(3|4) I had crashing named processes at least once a day, never had a single crash of a pdns_recursor process that wasn't my own fault until this day. Also the PowerDNS community is a nice bunch of people. Come visit us at #powerdns on IRCnet.
    \o/

    As for unbound, yeah it sure looks interesting but don't trust the benchmark, that one simply doesn't look like they used 'real' DNS traffic for it. If you're a recursive DNS Admin you'll know how ugly things are out in the wild. ;-)
  • by mseeger ( 40923 ) on Wednesday May 21, 2008 @10:02AM (#23491978)
    Hi,

    Here we go to the "commercial software is better than open source" argument.

    Neither is open source better than commercial nor is commercial better than open source. It all depends on the use. As I wrote, if you are a small ISP or a medium ISP (e.g. 5K zones, 10K DNS requests per second) BIND suits your needs. If you have 100K zones and 100K DNS requests per second, it doesn't. I mentioned Nominum because it's the best solution I have seen till today and I will benchmark Unbound against CNS and not BIND. Beating BIND is IMHO not a challenge....

    I personally hate BIND, and BIND is open source, but some secret sauce being twice as fast? I don't think so.

    I'm not in the secret sauce business ;-). I speak numbers and statistics. E.g. CNS is for high loads 10-20 times more CPU efficient than BIND as caching nameserver on the same hardware. The cache handling of BIND 8/9 really, really sucks :-(. A customer doesn't pay 80K $ just on my say so (unluckily). They run tests to prove the business case.

    Remark: 90% of my customers run BIND and are happy with it. I do OSS and commercial software in a happy mix. Ideology is not my thing. Use the software (FOSS or commercial) that's better for the problem.

    Regards, Martin

  • If DNS traffic is your bottleneck, you don't have a bottleneck.

    Seriously, "DNS traffic grows faster than the overall traffic"? Maybe if you're doing a lot of TCP-over-DNS (thanks, Dan Kaminsky), or if you are providing DNS hosting services. Otherwise, I fail to see how a primarily UDP-based, extremely lightweight protocol (designed for caching at every layer, mind you) can grow faster than HTTP or whatever your traffic is.

    Again, if DNS is your bottleneck, you've got something that's not designed properly, or are providing DNS hosting as a service (and probably still have something not designed properly). 100K zones is slow to start up? How about not putting 100K zones on the same servers? SPOF much?

    I'm not arguing that BIND is the fastest, cleanest, most secure implementation out there (that title probably belongs to djbdns; I have yet to see a security hole published in any of his stuff - too bad it's such a hassle to use), but if your architecture is such that BIND's bugs are biting you, I would argue that BIND is _not_ your biggest problem.
  • Re:Feh.... (Score:4, Insightful)

    by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Wednesday May 21, 2008 @10:39AM (#23492448) Homepage
    Why do you need updates? I think that's one of djb's points: that if the software is written well, it doesn't need to be updated, and thus you don't need to form a relationship with the author.
  • DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.
    Martin, have you tried setting your TTL larger than ten seconds?
  • Re:It's not... (Score:4, Insightful)

    by Bogtha ( 906264 ) on Wednesday May 21, 2008 @10:57AM (#23492684)

    Seems this is a first: both the submission and the article are absurdly wrong.

    Never in the history of Slashdot has a comment been more deserving of the response "You must be new here".

  • Re:djbdns (Score:3, Insightful)

    by Christianfreak ( 100697 ) on Wednesday May 21, 2008 @10:59AM (#23492710) Homepage Journal
    Yes but he deserves scorn for the atrocity that is qmail.

  • by Bill_the_Engineer ( 772575 ) on Wednesday May 21, 2008 @11:13AM (#23492924)
    Is it too early in the day for humor?
  • by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Wednesday May 21, 2008 @11:28AM (#23493122) Homepage

    Which has been beaten up so much over the past decade that it's now (probably) pretty secure with most of the bugs worked out.
    Bugs are like cockroaches. When you stomp one, you know there are ten more like it. Thus, all the bugs found and fixed simply means that there are more bugs in BIND that nobody has found yet.

    Security is written into software. It's not added after the fact, and security lapses cannot be fixed.
  • by Sivar ( 316343 ) <charlesnburns[ AT ]gmail DOT com> on Wednesday May 21, 2008 @03:38PM (#23496544)
    Isn't it funny how Dan Bernstein is the only guy to develop a bulletproof mail and DNS server, yet all he gets is criticism for his work?

    Maybe he didn't want his sources modified because nobody else seems to be able to write secure software, and he doesn't want his name on a security bulletin for someone else's Qmail/DJBDNS mistake.

    Tell me again how many mail and DNS servers have had zero security holes?

    Not that it matters anymore, as these have all been placed in the public domain.

    One might request new features in these applications, but patches are often to fix bugs.
    If there haven't been any official patches since 2001, maybe it's because there haven't been any bugs.

    DJB may not agree with the GPL and may like to do things in a very non-standard way, but damn, the proof is in the product.
