
Re: Securing bind..



On Mon, Dec 31, 2001 at 12:52:23AM -0500, P Prince wrote:
> > there are two major problems with all of bernstein's software.  the
> > first is that it requires you to throw away your existing
> > configuration...no big deal for a caching only name-server or if you
> > only have one or two domains to serve.  a severe pain in the arse if
> > you have hundreds or thousands of domains.
> 
> This is crazy.  Anytime you change software packages, you must rewrite
> your configuration.  

it's not at all crazy to expect a new package which is supposed to
replace an existing service to provide some level of backwards
compatibility in order to facilitate the migration.

if not compatibility with the config or zonefile format, then at the
very least it should provide a 100% accurate automated translator.

djb refuses to understand that software migrations need to be planned,
they need to work smoothly with minimum fuss and minimum downtime, and
that backwards-compatibility with existing standards (de-facto or
otherwise) is mandatory. what he thinks of as "legacy crap" that should
be thrown away is actually "working configuration" that is serving the
needs of hundreds or thousands of users, all of whom will be extremely
pissed off if it stops working for a few days because of migration
difficulties.

until he understands this, most professional systems administrators are
going to ignore his code no matter how "superior" it is theoretically.
theoretical superiority is completely worthless in the face of practical
inability to use it.

i won't use his software for this reason, and because it's non-free.
both issues are show-stoppers as far as i'm concerned.


> And, if you or anyone you know manages thousands of domains, I'll mail
> you a crisp, clean 20 dollar bill.  (In order to be eligible, you must
> provide the name of your employer, so that I can avoid their service.)

i manage hundreds of domains myself.  around 700 primary domains and
around 950 secondaries.

i know several people who manage thousands of domains.

not everyone has tiny toy systems to design, develop, and manage.  some
people have real systems to look after.

and you know what? even though i don't personally look after tens of
thousands of domains, or know anyone who does, i'm still able to
recognise that someone, somewhere might do exactly that and not dismiss
the idea as crazy or ridiculous.  i can actually imagine a world bigger
than my current immediate needs.


> > named.conf doesn't work with djbdns - a minor problem.
> 
> This is a stupid argument.  httpd.conf doesn't work well with thttpd,
> and proftpd.conf doesn't work well at all with wu-ftpd.

as i said, named.conf is only a minor problem.  it doesn't matter much.

the real problem is that bind's zone files don't work with djbdns.
that's beyond a mere problem, that's idiotic.


> > more importantly, bind style zonefiles don't work with djbdns - the
> > idiot invented his own stupid format for zone files.  if djbdns had
> > been "backwards-compatible" with bind zonefiles then it might have
> > had some vague chance of replacing bind.
> 
> Perhaps, but BIND invented its own zonefiles too.  What you fail to
> realize is how bad BIND zone files suck.

yes, i do "fail to realise" that because they don't suck.

what, exactly, is wrong with them?


> > unfortunately, bernstein's software is severely limited by his
> > views.
> >
> > he's a fairly good programmer....but a lousy systems administrator,
> > with no concept of how real world sysadmins use tools or how they
> > automate them.
> 
> I hope you don't consider yourself a good systems administrator,

i do, actually.  i'm only a mediocre programmer, but i'm a damn good
systems admin - which requires a completely different set of skills and
aptitudes than programming.  i've only met a few people who are as good
as me at systems admin stuff, and even fewer who are better.


craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch


