Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Software The Internet

Open Source BIND Alternative Launches 162

bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
This discussion has been archived. No new comments can be posted.

Open Source BIND Alternative Launches

Comments Filter:
  • Powerdns anyone? (Score:4, Interesting)

    by superskippy ( 772852 ) on Wednesday May 21, 2008 @07:06AM (#23490740)
    We use powerdns_recursor which seems very similar, and is very good.
    • by Anonymous Coward on Wednesday May 21, 2008 @07:40AM (#23491064)
      We use powerdns_recursor which seems very similar, and is very good.

      Return to parent comment.
      • Re: (Score:3, Insightful)

        by num42 ( 614006 )
        We use PowerDNS recursor at a large german DSL ISP and i simply must say it totally rocks. When we - which you can read as 'i' btw. ;-) - were still on BIND9.(3|4) i had crashing named processes at least once a day, never had a single crash of a pdns_recursor process that wasn't my own fault until this day. Also the PowerDNS community is a nice bunch of people. Come visit us at #powerdns on IRCnet.
        \o/

        As for unbound, yeah it sure looks interesting but don't trust the benchmark, that one simply doesn't look l
      • Re: (Score:3, Funny)

        by Tarlus ( 1000874 )
        // We use powerdns_recursor which seems very similar, and is very good.

        // Return to parent comment.

        Dang it, I want to read further into the thread but I keep getting a stack overflow before I can get past the second comment.
    • Unbound is a DNS resolver, not a server. PowerDNS will do both. As a server, it's technically offtopic, but...

      I love the fact that there are pluggable backends. More than that, I love the pipe backend. I realize this is an "everything looks like a nail" scenario, but I actually wrote a PowerDNS->REST client with that, and then a Rails server behind it.

      Slow? Sure, but I can always setup a slave -- either someone like DynDNS, or another PowerDNS server with a faster backend (MySQL, Postgres, maybe even SQL
  • It's not... (Score:5, Informative)

    by cosmocain ( 1060326 ) on Wednesday May 21, 2008 @07:10AM (#23490774)
    ...a DNS-Server.

    Taken from here [unbound.net]: Unbound is a validating, recursive, and caching DNS resolver. Huh, frontpage-information is always quite hard to get.
    • Re:It's not... (Score:5, Interesting)

      by value_added ( 719364 ) on Wednesday May 21, 2008 @07:32AM (#23490952)
      I've only had a quick glance, but it appears you're correct.

      Seems this is a first: both the submission and the article are absurdly wrong.
    • by an.echte.trilingue ( 1063180 ) on Wednesday May 21, 2008 @07:35AM (#23490992) Homepage
      For those of you who (like me) don't know the difference between the two, from wikipedia:

      DNS servers
      The Domain Name System consists of a hierarchical set of DNS servers. Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD).

      DNS resolvers
      A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

      A DNS query may be either a recursive query or a non-recursive query:
      • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
      • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.
      The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

      Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can communicate only with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.
      • It's not about "servers" vs. "resolvers". All DNS Servers ARE servers. That's where the confusion comes from! It's really not that complex, though. In fact, the concepts are familiar to anyone who knows the difference between a web server and a web proxy.

        The most important kind of DNS servers -- the ones that make up the DNS hierarchy -- are called AUTHORITATIVE servers. These are what actually provide information about domains' hosts. You set one up when you're serving DNS for a domain (an internet dom
    • by argent ( 18001 ) <peter&slashdot,2006,taronga,com> on Wednesday May 21, 2008 @07:46AM (#23491120) Homepage Journal
      Slashdot Barbie says "research is hard".
    • Re:It's not... (Score:5, Informative)

      by spinkham ( 56603 ) on Wednesday May 21, 2008 @07:48AM (#23491144)
      It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
      Most DNS servers do both, so "DNS server" means many different things depending on the context. When your ISP gives you a "DNS server" to use, it's a recursive server, not an authoratative server.
      The end user has a "stub resolver", which does not qualify as a server.

      For a more indepth discussion of DNS architecture and DNSSEC, you can check out "DNS for Rocket Scientists" here http://www.zytrax.com/books/dns/ [zytrax.com] or a talk I gave on DNS security here:
      http://www.mavensecurity.com/presentations [mavensecurity.com]
      • Most DNS servers do both, so "DNS server" means many different things depending on the context.

        From the unbound site:

        Unbound is an implementation of a DNS resolver, that does caching and DNSSEC validation.

        Seems clear to me.

        I don't see how describing how servers can behave as clients to/among one another is informative or useful, nor does it make a server a non-server, at least not in the traditional sense. Unbound does lookups and caching, and from what I see, it can make use of some localhost zone files.

        T

      • Re: (Score:3, Insightful)

        by hey ( 83763 )
        Wouldn't "proxy DNS server" be a better term?
        • by spinkham ( 56603 )
          No. That could refer to a proxy for an authoritative name server, a proxy for a resolver, etc.
          A recursive resolver does much more then simply proxy requests, it searches down the DNS namespace to find the information you are looking for.
          You ask for www.amazon.com, and it queries multiple servers get more and more specific information, then returns the result to you.
          There are good definitions for the terms name server, authoritative name server, resolver, recursive resolver and more in the DNS world, but "D
      • Re:It's not... (Score:5, Interesting)

        by Omnifarious ( 11933 ) <{gro.suoirafinmo} {ta} {hsals-cire}> on Wednesday May 21, 2008 @09:05AM (#23492012) Homepage Journal

        Perhaps most pieces of DNS software can do both. But actual DNS installations should not be configured that way [measurement-factory.com]. In fact, I've seen a rise in DNS cache poisoning attempts [slashdot.org] against my authoritative DNS server.

        • by spinkham ( 56603 )
          Correct. I was just referring to the ambiguity of the term "DNS Server", since the parent claimed that unbound was not one. Name server, authoritative server, resolver, etc are all strictly defined, but DNS server can mean any of the above.
      • by Lars T. ( 470328 )

        It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
        To put it simple: you can replace BIND with Unbound if you don't have Zone files, right?
    • Re: (Score:2, Funny)

      by calmond ( 1284812 )

      Huh, frontpage-information is always quite hard to get.
      Uh, no it isn't - just go to the frontpage website http://office.microsoft.com/en-us/frontpage/default.aspx [microsoft.com] Duh
  • djbdns (Score:3, Informative)

    by khundeck ( 265426 ) on Wednesday May 21, 2008 @07:14AM (#23490808)
    I've been using djbdns as my BIND alternative for the last couple of years, and I've been very happy with it. Technically it was pretty straightforward to build/install. The only consideration seems to be whether you like the djb way of doing things (I do!) and the few Freedom wrinkles in the license. :-)

    http://cr.yp.to/djbdns.html

    Kurt
    • Re:djbdns (Score:5, Informative)

      by oyenstikker ( 536040 ) <slashdot @ s b y rne.org> on Wednesday May 21, 2008 @07:24AM (#23490882) Homepage Journal

      the few Freedom wrinkles in the license.

      djbdns is now in the public domain (as of December 2007). Before that, there was no license.

      http://cr.yp.to/distributors.html [cr.yp.to]
      • Re:djbdns (Score:5, Insightful)

        by Anonymous Coward on Wednesday May 21, 2008 @08:14AM (#23491400)
        It's also very small, extremely fast, highly modular, and extraordinarily robust. It could take the load of a root name server, if you had the bandwidth. It actually approaches the almost-mythical status of "bug-free software"; I certainly would be surprised by any remaining security or stability issues being discovered in it.

        The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.
        • Re: (Score:3, Insightful)

          Yes but he deserves scorn for the atrocity that is qmail.

          • Re: (Score:3, Interesting)

            by profplump ( 309017 )
            I generally agree, and have recently switched from qmail-ldap to postfix myself. But keep the historical context in mind. Back in say 1998, postfix wasn't an option (version 1.0 in 2001), and qmail was waaaaaay better than sendmail.

            Also keep in mind that qmail proper is 10 years old, and things like RFC 2822 didn't exist when it was written. qmail-ldap provides a much more modern view on email -- including all the goodies like TLS/SSL support, pre-acceptance address verification, etc. -- to the same basic s
            • Oh I know :) ... just remember it being a nightmare when I had to support it. Nothing like being a sendmail/postfix guy and being handed a server and instructions to "support this!"

              Qmail like most of DJB's stuff suffers from being so different that people miss the good points (sort of like the windows vs. linux argument). Sure sendmail sucked but at least one knew where the mail was stored and obvious places to find the config.
        • It's also very small, extremely fast, highly modular, and extraordinarily robust. It could take the load of a root name server, if you had the bandwidth. It actually approaches the almost-mythical status of "bug-free software"; I certainly would be surprised by any remaining security or stability issues being discovered in it. The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.

          Your code would probably be pretty secure too if you called all your variables and functions by single letters of the alphabet and made it harder to decipher.

          Honestly, djbdns is great software, but having tried to look through the code a while back (because of a compilation problem that I later was able to find a patch for due to his lack of updates and the changes in compilers since he last released it) it's difficult as hell to understand simply because it code like:

          void f(int a, int b, int c)
          {
          do(a)

    • ldapdns (Score:3, Interesting)

      I use a perhaps not-well-known alternative called ldapdns [sourceforge.net], which used to be based on the DJBDNS code. It gets its DNS information from LDAP, which is very, very nice -- I can make a change in LDAP and the change is instant as opposed to making a change to the BIND stuff, which I then have to restart BIND, etc.
    • Feh.... (Score:2, Interesting)

      Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners. I'll stick with bind, thanks. It just plain works and I'm not stuck with an angry maintainer for updates. :D

      • by argent ( 18001 ) <peter&slashdot,2006,taronga,com> on Wednesday May 21, 2008 @07:44AM (#23491096) Homepage Journal
        I can't decide if that should be a new emo superhero or a BOFH-themed ceiling-cat variant.

        "Angry Maintainer is watching you masturbate." "Eww." "Why do you think he's angry?"
      • Re: (Score:3, Funny)

        by lysse ( 516445 )

        Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners.
        "It's my estimation that every man ever got a statue made of him was one kind of sommbitch or another." (Jaynestown)
      • Re:Feh.... (Score:4, Insightful)

        by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Wednesday May 21, 2008 @09:39AM (#23492448) Homepage
        Why do you need updates? I think that's one of djb's point: that if the software is written well, it doesn't need to be updated, and thus you don't need to form a relationship with the author.
        • There's always the possibility of the protocol itself being updated, or of either protocol or your users demanding new features.

          There's also the possibility of DJB deciding on his own interpretation of the protocol, often going back to the actual RFC, and ignoring how it's implemented. I wouldn't mind this, if there was a "plays nice with others" option to enable, but there isn't -- about all I could do is edit the source myself and recompile, or download someone else's patch and hope it applies properly.

          An
        • by Monkey ( 16966 )
          When your code won't compile as is against a modern C compiler and libraries, thats sort of an issue.
        • Why do you need updates?

          Because you want to experiment with IPv6? Because your backup DNS supports IXFR just like every other server on the planet, and they won't enable rsync just for you?

    • by EllynGeek ( 824747 ) on Wednesday May 21, 2008 @10:03AM (#23492764)
      djbdns is abandonware. It hasn't had an update since 2001, and you can believe in perfect code that doesn't ever need updating if you want to, but I don't. DJB's crazy licensing meant that only patches could be distributed, not modified sources or binaries, which effectively killed any community support. Now that it's public domain it's possible for someone to pick it up and start maintaining it again, and I'll wait until that happens before using it again. I can live with DJB's complete disregard of filesystem conventions and stuffing a whole lot of new top-level directories for no good reason into the system, and creating a bunch of unnecessary new management daemons (daemontools). But not maintaining his own software makes it a no-go, especially something as crucial as name services.
      • Re: (Score:3, Insightful)

        by Sivar ( 316343 )
        Isn't it funny how Dan Bernstein is the only guy to develop a bulletproof mail and DNS server, yet all he gets is criticism for his work?

        Maybe he didn't want his sources modified because nobody else seems to be able to write secure software, and he doesn't want his name on a security bulletin for someone else's Qmail/DJBDNS mistake.

        Tell me again how many mail and DNS servers have had zero security holes?

        Not that it matters anymore, as these have all been placed in the public domain.

        One might request new fea
        • True, there has been only one security hole I can recall, where a correctly-formed "packet of death" cleared the recursive cache. The result is like a DoS attack. There was a third-party patch released, but then there's the same old problem of having to manually apply the patches, and knowing which third-party patches to trust. But it's not just bugs or security problems that make it a no-go for me- it's out of date as well.

          It doesn't support IPv6, or SRV, NAPTR, or RP records and other new record types, an
  • by Anonymous Coward on Wednesday May 21, 2008 @07:15AM (#23490816)
    Java seems like a logical way to go with this, considering the great track record of other Java web technologies (Tomcat, Jetty, etc).

    Is there anything out there?
  • by molo ( 94384 ) on Wednesday May 21, 2008 @07:19AM (#23490844) Journal
    This posting makes it sound like bind9 is not sufficiently open/free. That is not correct, and kdawson should do a better job of editing to prevent biased postings like this.

    Bind9 is licensed under the ISC license, a BSD-like license. The full text of the license follows.

    -molo

    Copyright (C) 1996-2001 Internet Software Consortium.

    Permission to use, copy, modify, and distribute this software for any
    purpose with or without fee is hereby granted, provided that the above
    copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
    DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
    INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
    INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
    FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
    NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
    WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
    • by Anonymous Coward
      Plain and simple.
    • by bsDaemon ( 87307 )
      This is what I thought. Next thing, we'll be hearing of an "open source" alternative to Apache or some such nonsense.
    • To me it just sounded like somebody is proposing another open source alternative without a barrage of security holes being discovered. I think the implication is that ISC Bind has bad code quality, and this is an alternative.
    • by lysse ( 516445 )
      Not only that, but what must be its most prominent competitor, djbdns, is also now free software (public domain, like the rest of DJB's stuff, as of last year). So "open source DNS" is a bit more crowded a field than it used to be these days...
    • I guess I can see how the title might have been interpreted that way, but I don't think it was an intentional mis-statement.

      The title is "Open Source BIND Alternative Launches". You could interpret that in two ways -- one, that there's a new alternative to BIND that's open source, with the implication that it's the open-source-ness that differentiates it from BIND (and thus that BIND is not open source); two, that there's a new alternative to BIND, which happens to be open source, full stop. The latter in
  • by bleh-of-the-huns ( 17740 ) on Wednesday May 21, 2008 @07:21AM (#23490854)
    Anything with Verisign's named attached to it?
  • by Manip ( 656104 ) on Wednesday May 21, 2008 @07:23AM (#23490878)
    Both pieces of software are released under the same open source license, namely BSD.

    On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.

    Especially given the fact it sells its self as being more complex and big than its predecessor.
  • but what if I like bondage? What would the Internet be without a little (okay, well, a lot) of bondage?!
    • but what if I like bondage? What would the Internet be without a little (okay, well, a lot) of bondage?!
      So, you want to be tied up with a cat-5 cable or have you upgraded to fiber?

      • by doon ( 23278 )
        I old skool We use Waxed string here to abuse our cables....
      • Re: (Score:3, Funny)

        by Enry ( 630 )
        So I guess goths go for vampire taps?
      • I use Microsoft. Its vendor lock-in strategy surpasses every bondage artist's skill and administering Windows boxen makes my inner masochist cry from glee. And pain, of course.

        They also eat cute little puppies, which is fine with me as I'm a cat person.
  • maradns (Score:3, Informative)

    by TheSlashaway ( 1032228 ) on Wednesday May 21, 2008 @07:34AM (#23490982)
    This is one of the best: http://www.maradns.org/ [maradns.org]
    • Re: (Score:3, Informative)

      by EllynGeek ( 824747 )
      I agree, Maradns is an excellent authoritative name server and caching resolver. Unlike the horrid lardy mess that is BIND, it handles very large loads, and it is easy to configure. BIND is a gawdawful bloated mess that should have been laughed into oblivion years ago. Maradns, NSD, and Powerdns are all far superior to BIND. They're sane to administer and much more robust. For LAN DHCP and DNS, try Dnsmasq. Friends don't let friends use BIND.
      • by Rysc ( 136391 ) *
        I would caution against dnsmasq. It's dead simple to set up, but even on my very small network (~10 boxes) the load was too much for it. I had a script to recycle it whenever it died, which it would do several times per week. I got so annoyed I just threw ISC bind and dhcpd. Sure they're annoying to set up but at least they don't go down on me.
        • I suspect the problem lies elsewhere, because I've set up Dnsmasq for a large number of my customers and have been using it for years. On the largest network it's supporting around 90 nodes without any problems. The smallest one is about 15 users. It just works.
    • This is one of the best: http://www.maradns.org/ [maradns.org]

      I considered Mara for our authoritative name server, then decided it has two significant limitations:

      • its support for IPv6 was nonexistent at the time, and is still very much limited;
      • it uses a non-standard format for zone files, which means that you cannot test it conveniently before comitting to switch.

      The name server is the one place where you want to deploy IPv6 support as early as possible, since it will be needed as soon as you have a single IPv6

  • by mseeger ( 40923 ) on Wednesday May 21, 2008 @07:42AM (#23491076)
    Hi,

    DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.

    i'm doing a lot of consulting for large ISPs on DNS problems. BIND is good for small and medium ISPs but bad for large ones (as resolver, as primary or secondary nameserver).

    It doesn't work very well with Cache above 1GB and the multithreading is not very efficent. Startup (for servers with 100K zones) is very slow, restart (after changing the configuration) is risky if you decreased the number of masters for a secondary zone (core dump). The readability of the code is far from perfect and it doesn't seperate different functions very well (e.g. you cannot easily replace the caching algorithm). The handling of slow or dead servers could be improved too...

    So, i personaly welcome the new contender in the OSS nameserver arena ;-). Let the games begin...

    The best results (up today) i got with Nominum [nominum.com] ANS and CNS. It's neither FOSS nor cheap but really, really fast. We replaced at one customer 4 overloaded BIND systems (3 Ghz Dual Xeon, 4GB RAM, 2 BIND processes per system) with CNS on the same hardware (but only 2 systems) and the load barely reached 10%.

    Sincerely yours, Martin

    • Re: (Score:3, Insightful)

      by darkuncle ( 4925 )
      If DNS traffic is your bottleneck, you don't have a bottleneck.

      Seriously, "DNS traffic grows faster than the overall traffic"? Maybe if you're doing a lot of TCP-over-DNS (thanks, Dan Kaminsky), or if you are providing DNS hosting services. Otherwise, I fail to see how a primarily UDP-based, extremely lightweight protocol (designed for cacheing at every layer, mind you) can grow faster than HTTP or whatever your traffic is.

      Again, if DNS is your bottleneck, you've got something that's not designed properly,
      • by mseeger ( 40923 ) on Wednesday May 21, 2008 @09:37AM (#23492430)
        Hi,

        If DNS traffic is your bottleneck, you don't have a bottleneck.

        Sorry, you missunderstood me. I didn't say DNS traffic is a bottleneck. I said DNS is the bottleneck and i meant the number of requests.

        Why do we get so many more DNS requests today:

        • Anti-SPAM-Systems use DNS to make their decisions.. A SPAM mail may cause several DNS requests on the receiving side.
        • Everyone and his dog is using small firewalls which regularly do a reverse DNS query per incoming connection. A new worm (even without any infection) can cause millions of DNS requests for a large ISP.
        • Web-Sites are heavily loaded with images/adds from other servers. This means a dozen or more DNS requests for a singe web page.
        • etc...

        While DNS is still a small percentage of the overall traffic, it can be a bottleneck. I slow caching nameserver (if its overloaded or as inefficent as a BIND in a large ISP environment) can severely decrease the "speed experience" of a fast DSL line. If you have an average answer time of 300ms for a DNS request from a caching nameserver, it really hurts. Just believe me...

        Iw ould agree that BIND nearly never is your biggest problem. But for big ISP it can be a big problem anyway. A lot of them already dumped BIND.

        Regards, Martin

        • yes, yes there are lots of DNS requests. And there is cacheing at every single layer of the infrastructure, including most importantly:
          * client resolver library
          * client's upstream nameservers (recursive-only generally, operated by their ISP)
          * any add'l upstream DNS architecture between the client's nameservers and the SOA

          point being that billions of DNS requests generated daily for e.g. google.com are NOT all individually served by Google's nameservers. A small percentage of the total actually comes all the way through; the rest are handled by cacheing (one of the primary design goals of the protocol).

          A proper architecture will do more to improve site performance (and reduce burden on the network) than any amount of changes to the software you're using to serve DNS. The slowdown you're referring to is much more likely to occur closer to the edge than in the core of the ISP (where DNS server performance are a factor).

          BIND is not the problem. DNS isn't even the problem (unless you've got some really boneheaded setups). _architecture_, in a general sense (from systems to storage to networking to web page content to CDN to GSLB to peering to geographic distribution of datacenters), is the problem. DNS is a very small facet of the overall problem (it can be a problem, granted - but it's hardly the most significant one, or even in the top 5 the vast majority of the time).
    • Re: (Score:3, Insightful)

      by Russ Nelson ( 33911 )

      DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.
      Martin, have you tried setting your TTL larger than ten seconds?
      • by mseeger ( 40923 )

        Martin, have you tried setting your TTL larger than ten seconds?

        The problem are not the requests to the primary/secondary name servers. The bottleneck are more the caching name servers of the access providers.

        Regards, Martin

    • by dodobh ( 65811 )
      PowerDNS works quite well at those scles, FWIW. It's also Free
      • Re: (Score:2, Informative)

        by mibh ( 920980 )

        PowerDNS works quite well at those scles, FWIW. It's also Free
        PowerDNS is GPL. BIND and Unbound (and NSD) are BSDL. Many users or operators will choose one or the other based on license alone. All of these servers work fine according to the people who are using them.
  • Using DNSSEC it is possible to send out special replies to known or not yet known users. In that way authorization based on DNS is possible. This will also open possibilities to use ENUM how it is supposed to.
  • by hitech69 ( 78566 ) on Wednesday May 21, 2008 @07:45AM (#23491104) Homepage
    Am I missing something, when did BIND not qualify as Open Source?
  • I understand they may be experts on Tuesday, but they know jack shit about the rest of the week.
  • try nsd instead (Score:2, Informative)

    by frn123 ( 242374 )
    If you need a small and simple authorative DNS server, i suggest
    # apt-get install nsd

    Simple to install. Simple to configure.

    According to the homepage, it can handle big loads too.
    http://www.nlnetlabs.nl/nsd/ [nlnetlabs.nl]
  • by treat ( 84622 )
    Who would trust a new DNS server for production use until it has been around for some years.

    I made the mistake of trusting djbdns for an important deployment until I started to realize limitation after limitation caused by djb's mental illness. (similar to the qmail story, I guess).

    Microsoft DNS was pretty scary - although now I see real networks built around it. They convinced people to switch because of the vague threat that they might break other DNS server's ability to co-exist with Active Directory. Bu

How many hardware guys does it take to change a light bulb? "Well the diagnostics say it's fine buddy, so it's a software problem."

Working...