[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bind -> unbound/nsd
> On Aug 18, 2016, at 4:53 PM, Swift Griggs <swiftgriggs%gmail.com@localhost> wrote:
>> On Thu, 18 Aug 2016, Greg Troxel wrote:
>> Is it about security track record?
> I'm not wanting to get into the discussion of fiat versus consensus
> decision making. However, I'd like to give my own personal answer on some
> of the questions you raise, as a heavy DNS user/sysadmin.
> Bind's security track record has been somewhere between "horrible" and
> "really bad" depending on the version.
> Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x
> code stream. Lots of folks still preferred the 4.x code base since 9.x
> added so much that it became a huge mess. 4.x had terrible security, but
> exhibited less inertia for getting started and maintaining the zones. So,
> Bind 4.x was maintained for quite a while.
> The trend is also not in decline. Note that in 2016 there were eight
> vulnerabilities and that's the largest number since 2002. However, to be
> fair, Bind has also had the maximum amount of beatings from every
> high-profile hacking team you can imagine. Perhaps if competing projects
> had the same amount of scrutiny they wouldn't fair well, either.
>> Is unbound/nsd feature complete relative to everything that can be done
>> with bind?
> Not even close if you consider the whole list. Unbound can only function
> as a recursive resolver. It has *no* ability to serve PTR and A records
> directly. It does, however, have some DNSSEC functionality.
>> Specifically, serving authoritative zones, DNSSEC, dynamic updates, and
>> (for others) split dns?
> It does not do split horizon because it can't be authoritative (same for
> dynamic DNS).
Don't ignore the NSD part of the subject.
Main Index |
Thread Index |