Open Source BIND Alternative Launches 162
bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
Powerdns anyone? (Score:4, Interesting)
Are we supposed to trust.. (Score:5, Interesting)
Re:IE6 (Score:2, Interesting)
Those are some mighty fine credentials.
ldapdns (Score:3, Interesting)
Re:It's not... (Score:5, Interesting)
Seems this is a first: both the submission and the article are absurdly wrong.
Feh.... (Score:2, Interesting)
DNS is a big problem and it's getting bigger (Score:3, Interesting)
DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.
i'm doing a lot of consulting for large ISPs on DNS problems. BIND is good for small and medium ISPs but bad for large ones (as resolver, as primary or secondary nameserver).
It doesn't work very well with Cache above 1GB and the multithreading is not very efficent. Startup (for servers with 100K zones) is very slow, restart (after changing the configuration) is risky if you decreased the number of masters for a secondary zone (core dump). The readability of the code is far from perfect and it doesn't seperate different functions very well (e.g. you cannot easily replace the caching algorithm). The handling of slow or dead servers could be improved too...
So, i personaly welcome the new contender in the OSS nameserver arena ;-). Let the games begin...
The best results (up today) i got with Nominum [nominum.com] ANS and CNS. It's neither FOSS nor cheap but really, really fast. We replaced at one customer 4 overloaded BIND systems (3 Ghz Dual Xeon, 4GB RAM, 2 BIND processes per system) with CNS on the same hardware (but only 2 systems) and the load barely reached 10%.
Sincerely yours, Martin
BIND isn't Open Source? (Score:3, Interesting)
Re:Feh.... (Score:1, Interesting)
Theo admits if he is wrong straight away - been there done it, proved him wrong on the hardware RNG support in AMD chipsets a while ago.
Making DJB admit anything takes deploying half of the ex-SU nuclear arsenal and you are still more likely to turn half the world into a desert than succeed.
They are also different on another major count. Theo tries to make the entire platform become better and he does not mind people taking his improvements and using them. DJB cares solely about his stuff and instead of improving the underlying platform he replaces it at a whim. Not invented here and reinvent the wheel to the hilt and then some.
Re:Feh.... (Score:1, Interesting)
He is very protective of his image though, that much is true. He's also a very bright but highly academic type. My dealings with him on the crypto front led me to believe he doesn't really grasp the concept between research and practice (e.g. what people actually use versus what is technically out there).
Anyways, the solution as always, is not to use DJB software
Re:Java based DNS server? (Score:3, Interesting)
Re:It's not... (Score:5, Interesting)
Perhaps most pieces of DNS software can do both. But actual DNS installations should not be configured that way [measurement-factory.com]. In fact, I've seen a rise in DNS cache poisoning attempts [slashdot.org] against my authoritative DNS server.
Re:Powerdns anyone? (Score:4, Interesting)
Re:DNS is a big problem and it's getting bigger (Score:4, Interesting)
Sorry, you missunderstood me. I didn't say DNS traffic is a bottleneck. I said DNS is the bottleneck and i meant the number of requests.
Why do we get so many more DNS requests today:
While DNS is still a small percentage of the overall traffic, it can be a bottleneck. I slow caching nameserver (if its overloaded or as inefficent as a BIND in a large ISP environment) can severely decrease the "speed experience" of a fast DSL line. If you have an average answer time of 300ms for a DNS request from a caching nameserver, it really hurts. Just believe me...
Iw ould agree that BIND nearly never is your biggest problem. But for big ISP it can be a big problem anyway. A lot of them already dumped BIND.
Regards, Martin
Re:DNS is a big problem and it's getting bigger (Score:1, Interesting)
Root F runs bind and I'm betting it does far more than your trivially small organisation with only 100k zones.
Root F and its mirrors answer somewhere in excess of 1/3 of all top level queries.
Re:DNS is a big problem and it's getting bigger (Score:5, Interesting)
If you run BIND with 100K zones, it takes quite some time to come up and starts answering queries. If you do a reload, it has a dead time in between. Try it...As secondary it has bugs (for more than 12 months now) that may crash it. I just had customer who paid a lot of money to get it fixed by an external company. Of course the fix was sent to the BIND maintainers.
As always, you can work around the problem. E.g. for the startup/reload problem you can use multiple server and load balancers, switch ip addresses, pull a rabbit out of your hat... It's all possible. The question is always: is it cost efficent? If you have to adopt your procedures to work with BIND, you may do so. A lot of companys prefer paying money and adopt the software to their procdures. Both ways may work.
BIND doesn't have a performance problem as primary nameserver or secondary nameserver. It has a performance problem as a caching nameserver and a severe one. This is why i'm happy about Unbound.
At last: Some root nameservers should always run BIND. We need at huge diversity of software for root server, even if it creates pains. Just for security reasons....
Regards, Martin
Disclaimer: I don't hate BIND, i don't love specific comercial products. The decision is always based on a lot of parameters. Price, FOSS vs. comercial, hardware or software based solution, Know How of the administrators... All goes into one pot. There is no one size fits all.
Re:djbdns (Score:3, Interesting)
Also keep in mind that qmail proper is 10 years old, and things like RFC 2822 didn't exist when it was written. qmail-ldap provides a much more modern view on email -- including all the goodies like TLS/SSL support, pre-acceptance address verification, etc. -- to the same basic structure.