
Re: bind8 vs bind9



Haim Ashkenazi wrote:

> On Mon, 2002-11-18 at 18:14, Tim Dijkstra wrote:
>> Hi,
>>
>> Is there any reason to stick with bind8 other than convenience? I'm
>> asking this because bind9 seems pretty mature, but the default bind is
>> still bind8 I think...
>
> bind 9 works for me great for over a year. it serves about 20 domains
> and it doesn't have any problems. but, unless you need some special
> features (views for one), there is no reason to upgrade.

We've also been using Bind9 for over a year, for about 500 domains.

My observations are that a complete reload of _all_ domains or a restart is slower than with bind 8, but you can force a reload of a single zone with

rndc reload newzone.whatever

A few observations however:

Bind 9 will not load if there are errors in named.conf other than errors in the logging config. Bind 9 will not load zones with errors in the zone file, but bind9 itself will load.

It's a really good idea to use named-checkzone and named-checkconf before committing any changes - they will tell you of any possible problems before you kill your server!

In terms of the security history, my impression is that the large bug count for bind 9 is because it's a total rewrite. Bind 8 has many many versions to shake out the bugs, bind 9 nowhere near so many, so in fact the security bug count is fairly low.

If you run bind9 chrooted your risk is very low.

Do spend the time trying to decode the documentation on the DNSSec and TSIG stuff - it's very very important so you can set up rndc properly, and so you can control dynamic updates.

You also want to read the FAQ at ISC.org to see how to fix the spam in your logs caused by malconfigured win2k boxes trying dynamic updates all the time.

Use the Access Control lists to control AXFR and IXFR, and to blacklist attempts to DoS your server (possibly not completely effective, but I'm sure it helps, consider it a PART of the solution).

Hope this helps,

John P Foster (not the guy who makes the beer)
Senior Research Scientist
Golden Orb Technologies
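
The check-then-reload routine described in the message above (named-checkconf, named-checkzone, then rndc reload of a single zone), as an added example that is not part of the original post. The function name deploy_zone, the overridable tool variables, the .prev/.new suffixes and the return codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original message). The tool names can be
# overridden through these variables; that override is an assumption of this
# sketch, made so the logic can be exercised on a host without BIND.
NAMED_CHECKCONF=${NAMED_CHECKCONF:-named-checkconf}
NAMED_CHECKZONE=${NAMED_CHECKZONE:-named-checkzone}
RNDC=${RNDC:-rndc}

# deploy_zone ZONE CANDIDATE LIVE   (hypothetical helper)
#   ZONE       zone name as declared in named.conf
#   CANDIDATE  edited copy of the zone file, not yet in service
#   LIVE       path of the zone file that named loads
# Returns: 0 ok, 2 usage, 3 named.conf invalid, 4 zone file invalid,
#          5 could not install the file, 6 rndc reload failed.
deploy_zone() {
    if [ "$#" -ne 3 ]; then
        echo "usage: deploy_zone ZONE CANDIDATE LIVE" >&2
        return 2
    fi
    zone=$1; candidate=$2; live=$3

    # Errors in named.conf keep BIND 9 from loading at all, so check it first.
    if ! "$NAMED_CHECKCONF" >&2; then
        echo "named.conf has errors; nothing changed" >&2
        return 3
    fi

    # BIND 9 refuses a zone whose file has errors: test the candidate,
    # never the live copy.
    if ! "$NAMED_CHECKZONE" "$zone" "$candidate" >&2; then
        echo "zone file for $zone has errors; live copy left untouched" >&2
        return 4
    fi

    # Keep the previous version for rollback, then swap the new file in with
    # a rename so named never sees a half-written file.
    if [ -f "$live" ]; then
        cp -p "$live" "$live.prev" || return 5
    fi
    cp "$candidate" "$live.new" || return 5
    mv "$live.new" "$live" || return 5

    # Reload only this zone instead of every zone on the server.
    "$RNDC" reload "$zone" >&2 || return 6
    return 0
}
```

Called as deploy_zone followed by the zone name, the edited copy and the live zone file path, it leaves the running server untouched unless both checks pass.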



