Current-Users archive


Re: bind -> unbound/nsd



On Thu, Aug 18, 2016 at 02:53:38PM -0600, Swift Griggs wrote:
> On Thu, 18 Aug 2016, Greg Troxel wrote:
> > Is it about security track record?
> 
> I'm not wanting to get into the discussion of fiat versus consensus 
> decision making. However, I'd like to give my own personal answer on some 
> of the questions you raise, as a heavy DNS user/sysadmin.
> 
> Bind's security track record has been somewhere between "horrible" and 
> "really bad" depending on the version.
> 
> http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64
> 
> Bind 9 was released in 2000, IIRC. So, that is mostly just for the 9.x 
> code stream. Lots of folks still preferred the 4.x code base since 9.x 
> added so much that it became a huge mess. 4.x had terrible security, but 
> exhibited less inertia for getting started and maintaining the zones. So, 
> Bind 4.x was maintained for quite a while.
> 
> The trend is also not in decline. Note that in 2016 there were eight 
> vulnerabilities and that's the largest number since 2002. However, to be 
> fair, Bind has also had the maximum amount of beatings from every 
> high-profile hacking team you can imagine. Perhaps if competing projects 
> had the same amount of scrutiny they wouldn't fare well, either.
> 
> > Is unbound/nsd feature complete relative to everything that can be done 
> > with bind?
> 
> Not even close if you consider the whole list. Unbound can only function 
> as a recursive resolver. It has *no* ability to serve PTR and A records 
> directly. It does, however, have some DNSSEC functionality.
> 
> > Specifically, serving authoritative zones, DNSSEC, dynamic updates, and 
> > (for others) split dns?
> 
> It does not do split horizon because it can't be authoritative (same for 
> dynamic DNS).
> 
> YADIFA, MaraDNS, Knot DNS, or Djbdns would all be better choices than 
> Unbound if you want a "real" server. The idea behind Unbound is to provide 
> a secure and fast client resolver. Here's how the others would break down 
> in a nutshell:
> 
> YADIFA 
> Pros: BSD licensed. Fast. Full featured
> Cons: Newer. Not even in pkgsrc yet. No recursion. No split horizon
> 
> MaraDNS:
> Pros: Good security record, stable, most features available
> Cons: Zany "Mara-DNS" license and weird layout / config
> 
> Knot DNS: 
> Pros: Very full featured. Fast. Awesome YAML config setup
> Cons: GPL'd, won't act as a recursive resolver
> 
> Djbdns:
> Pros: Very secure. Fast. Public domain (no license) 
> Cons: Missing features, spotty maintenance
> 
> > Please note that I'm not objecting; I'm just asking for the rationale to 
> > be articulated.
> 
> In my mind the rationalization would be that most folks would probably 
> rather have a secure resolver than a full-featured (potential) authoritative 
> server. My guess is that a recursive server is what most folks want. The 
> trade-off is essentially that you lose a bunch of features, but you also 
> create a much smaller attack surface and gain Unbound's (slightly) more 
> clear syntax.
Totally agree. Not only this, but in general... Bind, I think, is
really horrible in terms of security - for this alone, I see no reason
to keep it in the base system nowadays. And also because there are
decent alternatives (besides, I also think that most users don't
need more than unbound). Bind configuration, in my point of view (I
really did not mean to offend any of its developers....), is a
nightmare, unfortunately, too.
Besides unbound, at least djbdns looks like a good choice.
> 
> If authoritative DNS is seen as indispensable for distribution in NetBSD, 
> it might be expedient to track YADIFA (since it's got a compatible 
> license). However, the trouble is it's about 8 years behind Bind's feature 
> set.
> 
> -Swift
> 
> <offtopic curmudgeon lament>
> PS: It's sad that ISC decided to move to the MPL but I don't blame them 
> much. It sucks to work on something for years that's "insanely popular" 
> but nobody will contribute to or support. I'm sure folks know the feeling. 
> I've read similar complaints from the OpenSSH team. I don't blame them a 
> bit. Our 19[90|80]'s ideas about software freedom have been put to the 
> test, and I'm not sure they've come out unblemished by the big-B-Billions 
> of Internet ab^H^Husers. 
> </lament>

