Current-Users archive
Re: bind -> unbound/nsd
> On Aug 18, 2016, at 4:53 PM, Swift Griggs <swiftgriggs%gmail.com@localhost> wrote:
>
>> On Thu, 18 Aug 2016, Greg Troxel wrote:
>> Is it about security track record?
>
> I'm not wanting to get into the discussion of fiat versus consensus
> decision making. However, I'd like to give my own personal answer on some
> of the questions you raise, as a heavy DNS user/sysadmin.
>
> Bind's security track record has been somewhere between "horrible" and
> "really bad" depending on the version.
>
> http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64
>
> Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x
> code stream. Lots of folks still preferred the 4.x code base since 9.x
> added so much that it became a huge mess. 4.x had terrible security, but
> exhibited less inertia for getting started and maintaining the zones. So,
> Bind 4.x was maintained for quite a while.
>
> The trend is also not in decline. Note that in 2016 there were eight
> vulnerabilities and that's the largest number since 2002. However, to be
> fair, Bind has also had the maximum amount of beatings from every
> high-profile hacking team you can imagine. Perhaps if competing projects
> had the same amount of scrutiny they wouldn't fare well, either.
>
>> Is unbound/nsd feature complete relative to everything that can be done
>> with bind?
>
> Not even close if you consider the whole list. Unbound can only function
> as a recursive resolver. It has *no* ability to serve PTR and A records
> directly. It does, however, have some DNSSEC functionality.
>
>> Specifically, serving authoritative zones, DNSSEC, dynamic updates, and
>> (for others) split dns?
>
> It does not do split horizon because it can't be authoritative (same for
> dynamic DNS).
>
Don't ignore the NSD part of the subject.