Open Source BIND Alternative Launches
bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
Both Open Source, Both BSD... (Score:5, Insightful)
On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.
Especially given the fact that it sells itself as being bigger and more complex than its predecessor.
Re:djbdns (Score:5, Insightful)
The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.
Re:Feh.... (Score:4, Insightful)
When Theo is wrong, he *immediately* launches personal attacks, never once admitting the reality of the situation. (Linux devs were "inhuman" because they posted a GPL violation in a *public* repo to that repo's mailing list.)
What colour is the sky in your world?
Re:Powerdns anyone? (Score:3, Insightful)
\o/
As for unbound, yeah it sure looks interesting but don't trust the benchmark, that one simply doesn't look like they used 'real' DNS traffic for it. If you're a recursive DNS Admin you'll know how ugly things are out in the wild.
Re:DNS is a big problem and it's getting bigger (Score:5, Insightful)
Neither is open source better than commercial nor is commercial better than open source. It all depends on the use. As I wrote, if you are a small ISP or a medium ISP (e.g. 5K zones, 10K DNS requests per second) BIND suits your needs. If you have 100K zones and 100K DNS requests per second, it doesn't. I mentioned Nominum because it's the best solution I have seen till today and I will benchmark Unbound against CNS and not BIND. Beating BIND is IMHO not a challenge....
I'm not in the secret sauce business ;-). I speak numbers and statistics. E.g. CNS is for high loads 10-20 times more CPU efficient than BIND as a caching nameserver on the same hardware. The cache handling of BIND 8/9 really, really sucks :-(. A customer doesn't pay 80K $ just on my say so (unluckily). They run tests to prove the business case.
Remark: 90% of my customers run BIND and are happy with it. I do OSS and commercial software in a happy mix. Ideology is not my thing. Use the software (FOSS or commercial) that's better for the problem.
Regards, Martin
Re:DNS is a big problem and it's getting bigger (Score:3, Insightful)
Seriously, "DNS traffic grows faster than the overall traffic"? Maybe if you're doing a lot of TCP-over-DNS (thanks, Dan Kaminsky), or if you are providing DNS hosting services. Otherwise, I fail to see how a primarily UDP-based, extremely lightweight protocol (designed for caching at every layer, mind you) can grow faster than HTTP or whatever your traffic is.
Again, if DNS is your bottleneck, you've got something that's not designed properly, or are providing DNS hosting as a service (and probably still have something not designed properly). 100K zones is slow to startup? How about not putting 100K zones on the same servers? SPOF much?
I'm not arguing that BIND is the fastest, cleanest, most secure implementation out there (that title probably belongs to djbdns; I have yet to see a security hole published in any of his stuff - too bad it's such a hassle to use), but if your architecture is such that BIND's bugs are biting you, I would argue that BIND is _not_ your biggest problem.
Re:It's not... (Score:4, Insightful)
Never in the history of Slashdot has a comment been more deserving of the response "You must be new here".
Re:Why re-invent BIND? (Score:3, Insightful)
Security is written into software. It's not added after the fact, and security lapses cannot be fixed.
Re:djbdns is abandonware (Score:3, Insightful)
Maybe he didn't want his sources modified because nobody else seems to be able to write secure software, and he doesn't want his name on a security bulletin for someone else's Qmail/DJBDNS mistake.
Tell me again how many mail and DNS servers have had zero security holes?
Not that it matters anymore, as these have all been placed in the public domain.
One might request new features in these applications, but patches are often to fix bugs.
If there haven't been any official patches since 2001, maybe it's because there haven't been any bugs.
DJB may not agree with the GPL and may like to do things in a very non-standard way, but damn, the proof is in the product.