djbdns: An alternative to BIND

Paul Vixie vixie at vix.com
Sat Apr 9 03:40:52 UTC 2005


woody wrote "and the usual kids-ranting-at-each-other" and so i'm back again:

> > No IXFR, no automatic notification of bind slaves (you get to run a
> > separate notify script) ...
> 
> No RFC requires a specific system of notification.

true enough, RFC1996 (thanks again randy!) isn't actually required -- it's
just convenient to speak the same protocol between all authority servers
for a given zone.  i guess sometimes that's rsync.

> Separate notify scripts are ok, rsync is even better!
> Oh wait, does bind support rsync ?

back before rsync, there was rdist.  and because BIND4.8 was horrid at AXFR,
i admit that i used rdist to move zones around.  rsync is quite a bit better,
and i know of people who use it to move zones around between BIND9 authority
servers because the access control and secrecy features can use the same
configuration infrastructure as their other sysadmin-related file sharing.

i myself am quite comfortable with DNS I-N-D (IXFR, NOTIFY, DYNUPD) and so
i move zones using IETF protocols rather than rdist/rsync/etc.  but there's
nothing that prevents multiple BIND servers from all thinking of themselves
as "masters" and having their "zone files" managed by external programs such
as rdist or rsync.

> > ... (as in it returns all the A records in the same order
> > every time, whereas bind does this in a different order ...)
> 
> Bind should patent this.

BIND's publisher is a public benefit corporation, so our only reason for
filing a patent would be for defense, and we consider the prior art strong
enough in the case of round-robin DNS that no defensive patent is needed.

> > No v6 support without a patch either 
> > 
> > Oh yes, patch, patch ... welcome to patching hell if you run qmail or
> > any other djb ware :)
> 
> Yeah we tech folk hate patching.

people with a lot of servers to run have to use configuration control on
their operating systems and utilities and config files.  if a vendor will
offer patched binaries through "rpm" or "/usr/ports" or whatever then
everything gets easier.  djb's license precludes this kind of repackaging,
is what i'm hearing.  ISC uses a BSD-style license, and i personally think
that anything more restrictive, even GPL or LGPL, is suboptimal.  apparently
DJB's license is even more restrictive than GPL, which is hard to fathom.

> As I mentioned earlier, djb - non-djb is a religion thing:

perhaps to you it is.  perhaps to DJB it is.  perhaps to many, DJB is.
but the arguments i'm seeing tonight for/against djbware are engineering
arguments, not religious arguments.

> rfc-wise, feature-wise (bind supports something, tinydns should too).

the people who are happy with djbware are VERY happy with it.  no argument
from me on that point.  in <http://www.circleid.com/article/774_0_1_0_C/>,
i wrote:

        ...

        Those are good articles. But Jacco's site at
        <http://www.bind9.net/> is also very good, and includes all kinds
        of useful links. Education is good.
 
        Administrators can also look at alternatives to BIND such as DJBDNS
        located at http://cr.yp.to/djbdns.html.

        OK, so some of you were wondering why I bothered to respond to this
        obvious "hit piece" written by someone without much background in
        the field -- maybe the same yet-to-be-fired marketing wizard who
        came up with the name "Internet Storm Center" when the term ISC had
        another, much stronger, much older, meaning. I was going to Just
        Hit Delete -- something you should never do with spam, by the way!
        Until I saw the DJBDNS reference. Mr. Bernstein has what could
        politely be called a grudge against... well, almost everybody. His
        software seems to work, and it has a loyal and committed user
        base. But if you're going to look at alternatives to BIND, you need
        more options, and you need a better reason.
 
        For more options, check out Nominum's ANS and CNS products, and
        NLNetLabs' "NSD", and Cisco's DNS/DHCP Manager, and Microsoft's
        Advanced Server product. (I'm sorry if I'm leaving somebody out,
        that's off the top of my head.)

        For a better reason, discard "I don't want to have to learn about
        patches and apply them every year or two" since no vendor will ever
        be able to guarantee this. If you want help staying patched, talk to
        ISC about BIND support, or talk to your operating system vendor, or
        talk to your ISP. Help is out there.

        ...
-- 
Paul Vixie