
Re: Securing bind..



On Tue, Jan 01, 2002 at 01:18:43PM +1100, Donovan Baarda wrote:
> An interesting thing about djb is he does have a knack for identifying
> real problems with existing defacto standard software and re-inventing
> it.

he also reinvents things that don't have any significant problems,
sometimes just because he won't admit that a particular programmer has
ever done anything of worth.  ucspi-tcp, for example...this abomination
is a clumsy mess compared to the inetd + tcpd that everyone else uses.

> What then follows is fierce flamewars about the relative merits of the
> old vs djb software/licence/etc. In summary the djb implementation is
> full of good ideas and raises valid concerns about the original
> implementation, but is crippled by a crappy licence, disrespect for
> standards, and weird configuration paradigm.

well said!


> Eventually, this leads to yet another implementation or three that
> takes djb's ideas and addresses the licence, standards, and
> configuration issues.

while it's true that he's sometimes the first to actually write code to
provide alternative implementations (and action is worth a lot more than
mere talk), it's not true that they're solely his ideas.  people had
been bitching about sendmail for many years before qmail came along,
many of the flaws (both implementation detail AND design) were well
known.


> The sad thing is if djb stopped using his crappy licence, there would
> be no need for the n+1 implementations his re-invention spawns,
> because the community could adopt his software and resolve the other
> issues to their own satisfaction.

well said, again.

you've hit the nail right on the head.

while his stuff can often be used as a "sign-post" pointing out
directions to take (and to avoid), it can't be used unless you're
willing to trap yourself into a dead-end...i almost fell into that trap
with qmail (actually did on a few servers), but won't fall for it again.
djb's software isn't free, and can't/won't evolve to meet future needs.


someday soon, someone's going to take the good ideas from djbdns,
combine it with the good stuff from bind (including backwards
compatibility with bind config & zonefile formats), add a few useful new
ideas (e.g. an "RXFR" protocol that embedded the rsync protocol
directly) to produce a fast, secure DNS daemon, and release it with a
GPL-compatible license.  this will blow both bind & djbdns out of the
water.

...kind of like postfix did to sendmail & qmail.

i had high hopes for the DENTS project a few years back they looked like
they were really going to solve many of bind's problems, and their stuff
was GPLed.  it got off to a great start but unfortunately, the project
seems to have died.


maybe there's still some hope...sourceforge lists several DNS daemon
projects: 

http://sourceforge.net/softwaremap/trove_list.php?form_cat=149&discrim=238

moodns & CustomDNS are two that i hadn't heard of before.  moodns sounds
a bit like what DENTS was going to be.  CustomDNS is in java so i can't
bring myself to take it seriously.

La MaraDNS i looked at about a year ago and it has an even dumber
zonefile format than djbdns (if that's possible).


craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch