
Re: bind8 vs bind9



"Kirk Strauser" <kirk@strauser.com> writes:
> At 2002-11-18T18:12:13Z, "Gary Hennigan" <glhenni@sandia.gov> writes:
> 
> > ...if security is *the* major concern in a DNS installation it's probably
> > a good idea to stay away from BIND altogether.
> 
> I'd disagree for one main reason: BIND is Open Source, and tinydns is not.
> More security compromises have been found in the former, but it has perhaps
> 100 times the number of users testing it and programmers examining it.
> Frankly, as a programmer, I would not waste my time auditing tinydns when I
> could make a bigger contribution to BIND.

It's not "Open Source" perhaps by some formal definition, but you can
certainly look at the source code and publish patches and, according
to Bernstein, modify your own copy. So if you're hard-core "Open
Source" then you will probably want to avoid all the controversy
surrounding Bernstein's licensing. But, he does stand behind the
security of his software with cash. Granted, not a lot of cash, but
it's a refreshing change from the big companies. Even open source
companies that put out sendmail and bind don't do that.

Also, getting away from the licensing controversy, as someone who
didn't cut his teeth on BIND, I find the configuration of tinydns much
easier. Those BIND config files are not easily understandable and the
fact that losing a trailing period (".") can cause the whole thing to
come crumbling down was a bit frustrating.

Please remember too that I'm coming from the perspective of a small
home LAN sysadmin that doesn't have to do things like zone transfers
and worrying about root servers. I just have a handful of computers,
all locked behind an OpenBSD firewall, using 192.168.0.0/16 addresses,
that I want a DNS server for. tinydns suited me much better than BIND.

As an aside I also tried qmail. Uggh, what a nightmare to configure!
All those small config files hanging out in weird places! After about
5 hours I surrendered and reinstalled Exim. Maybe it's not as secure
but I had it up and running in less than an hour with Anomy and
bogofilter for my family's email.

Just my opinion.
Gary


