Re: bind -> unbound/nsd
On Thu, 18 Aug 2016, Greg Troxel wrote:
> Is it about security track record?
I'm not wanting to get into the discussion of fiat versus consensus
decision making. However, I'd like to give my own personal answer on some
of the questions you raise, as a heavy DNS user/sysadmin.
Bind's security track record has been somewhere between "horrible" and
"really bad" depending on the version.
Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x
code stream. Lots of folks still preferred the 4.x code base since 9.x
added so much that it became a huge mess. 4.x had terrible security, but
exhibited less inertia for getting started and maintaining the zones. So,
Bind 4.x was maintained for quite a while.
The trend is also not in decline. Note that in 2016 there were eight
vulnerabilities and that's the largest number since 2002. However, to be
fair, Bind has also had the maximum amount of beatings from every
high-profile hacking team you can imagine. Perhaps if competing projects
had the same amount of scrutiny they wouldn't fare well, either.
> Is unbound/nsd feature complete relative to everything that can be done
> with bind?
Not even close if you consider the whole list. Unbound can only function
as a recursive resolver. It has *no* ability to serve PTR and A records
directly. It does, however, have some DNSSEC functionality.
> Specifically, serving authoritative zones, DNSSEC, dynamic updates, and
> (for others) split dns?
It does not do split horizon because it can't be authoritative (same for
YADIFA, MaraDNS, Knot DNS, or Djbdns would all be better choices than
Unbound if you want a "real" server. The idea behind Unbound is to provide
a secure and fast client resolver. Here's how the others would break down
in a nutshell:

YADIFA
  Pros: BSD licensed. Fast. Full featured
  Cons: Newer. Not even in pkgsrc yet. No recursion. No split horizon

MaraDNS
  Pros: Good security record, stable, most features available
  Cons: Zany "Mara-DNS" license and weird layout / config

Knot DNS
  Pros: Very full featured. Fast. Awesome YAML config setup
  Cons: GPL'd, won't act as a recursive resolver

Djbdns
  Pros: Very secure. Fast. Public domain (no license)
  Cons: Missing features, spotty maintenance
> Please note that I'm not objecting; I'm just asking for the rationale to
> be articulated.
In my mind the rationalization would be that most folks would probably
rather have a secure resolver than a full-featured (potential) authoritative
server. My guess is that a recursive server is what most folks want. The
trade-off is essentially that you lose a bunch of features, but you also
create a much smaller attack surface and gain Unbound's (slightly) more
If authoritative DNS is seen as indispensable for distribution in NetBSD,
it might be expedient to track YADIFA (since it's got a compatible
license). However, the trouble is it's about 8 years behind Bind's feature
<offtopic curmudgeon lament>
PS: It's sad that ISC decided to move to the MPL but I don't blame them
much. It sucks to work on something for years that's "insanely popular"
but nobody will contribute to or support. I'm sure folks know the feeling.
I've read similar complaints from the OpenSSH team. I don't blame them a
bit. Our 19[90|80]'s ideas about software freedom have been put to the
test, and I'm not sure they've come out unblemished by the big-B-Billions
of Internet ab^H^Husers.