Current-Users archive


Re: bind -> unbound/nsd



On Thu, 18 Aug 2016, Greg Troxel wrote:
> Is it about security track record?

I'm not wanting to get into the discussion of fiat versus consensus 
decision making. However, I'd like to give my own personal answer on some 
of the questions you raise, as a heavy DNS user/sysadmin.

Bind's security track record has been somewhere between "horrible" and 
"really bad" depending on the version.

http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64

Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x 
code stream. Lots of folks still preferred the 4.x code base since 9.x 
added so much that it became a huge mess. 4.x had terrible security, but 
exhibited less inertia for getting started and maintaining the zones. So, 
Bind 4.x was maintained for quite a while.

The trend is also not in decline. Note that in 2016 there were eight 
vulnerabilities and that's the largest number since 2002. However, to be 
fair, Bind has also had the maximum amount of beatings from every 
high-profile hacking team you can imagine. Perhaps if competing projects 
had the same amount of scrutiny they wouldn't fare well, either.

> Is unbound/nsd feature complete relative to everything that can be done 
> with bind?

Not even close if you consider the whole list. Unbound can only function 
as a recursive resolver. It has *no* ability to serve PTR and A records 
directly. It does, however, have some DNSSEC functionality.

> Specifically, serving authoritative zones, DNSSEC, dynamic updates, and 
> (for others) split dns?

It does not do split horizon because it can't be authoritative (same for 
dynamic DNS).

YADIFA, MaraDNS, Knot DNS, or Djbdns would all be better choices than 
Unbound if you want a "real" server. The idea behind Unbound is to provide 
a secure and fast client resolver. Here's how the others would break down 
in a nutshell:

YADIFA:
Pros: BSD licensed. Fast. Full featured
Cons: Newer. Not even in pkgsrc yet. No recursion. No split horizon

MaraDNS:
Pros: Good security record, stable, most features available
Cons: Zany "Mara-DNS" license and weird layout / config

Knot DNS: 
Pros: Very full featured. Fast. Awesome YAML config setup
Cons: GPL'd, won't act as a recursive resolver

Djbdns:
Pros: Very secure. Fast. Public domain (no license) 
Cons: Missing features, spotty maintenance

> Please note that I'm not objecting; I'm just asking for the rationale to 
> be articulated.

In my mind the rationalization would be that most folks would probably 
rather have a secure resolver than a full-featured (potential) authoritative 
server. My guess is that a recursive server is what most folks want. The 
trade-off is essentially that you lose a bunch of features, but you also 
create a much smaller attack surface and gain Unbound's (slightly) more 
clear syntax.

If authoritative DNS is seen as indispensable for distribution in NetBSD, 
it might be expedient to track YADIFA (since it's got a compatible 
license). However, the trouble is it's about 8 years behind Bind's feature 
set.

-Swift

<offtopic curmudgeon lament>
PS: It's sad that ISC decided to move to the MPL but I don't blame them 
much. It sucks to work on something for years that's "insanely popular" 
but nobody will contribute to or support. I'm sure folks know the feeling. 
I've read similar complaints from the OpenSSH team. I don't blame them a 
bit. Our 19[90|80]'s ideas about software freedom have been put to the 
test, and I'm not sure they've come out unblemished by the big-B-Billions 
of Internet ab^H^Husers. 
</lament>
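As an added example (not code from the post, and not the NetBSD or Unbound project's own file), this is what the "secure and fast client resolver" role described above looks like in unbound.conf: a DNSSEC-validating recursive resolver that answers only the local network. The 192.0.2.0/24 subnet, the 192.0.2.1 address and the /var/unbound paths are assumptions.

```conf
# Added example (not from the post): minimal unbound.conf for a
# DNSSEC-validating recursive resolver serving one local network.
# The 192.0.2.x addresses and /var/unbound paths are assumptions.
server:
    interface: 127.0.0.1
    interface: 192.0.2.1
    port: 53

    # Refuse everything except loopback and the local subnet, so the
    # resolver is not an open resolver usable for amplification.
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation; unbound-anchor(8) keeps the root key current.
    auto-trust-anchor-file: "/var/unbound/root.key"
    val-clean-additional: yes
    harden-dnssec-stripped: yes

    # Cache hardening against poisoning and untrustworthy glue.
    harden-glue: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    qname-minimisation: yes

    # Don't answer version.bind / id.server probes with software details.
    hide-identity: yes
    hide-version: yes

    # Drop privileges and chroot after the sockets are bound.
    username: "unbound"
    chroot: "/var/unbound"
    directory: "/var/unbound"

    # Refresh popular names before they expire instead of on demand.
    prefetch: yes
```

Run `unbound-checkconf` against the file before restarting the daemon; a typo in an option name is rejected at load time rather than silently ignored.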

