Eric Sun writes
"After numerous release candidates and betas, the final stable release version of Bind 9 has been released. Looks like the homepage hasn't updated yet, but you can get a list of download servers from its page at Freshmeat."
LIND? (Score:1)
So... (Score:4)
--
About time :) (Score:1)
DNS Tutorial (Score:4)
Big fucking deal (Score:4)
Can't we please only get updates on important software.
It's not bind holds the entire net together or anything.
--Shoeboy
bind... (Score:3)
Re:LIND? (Score:2)
Re:LIND? (Score:1)
You'll have to excuse me. I run my Linux box as a client. Never had a need to run it as a DNS server...
Re:LIND? (Score:2)
BIND: providing remote root since 1993 (Score:4)
Re:Is there an exploit yet? (Score:2)
Release notes? (Score:2)
I was able to find ISC's plans for BIND 9 [isc.org], but not any release notes - anyone made them available online yet?
Re:Yeah.. so what ?? (Score:1)
In answer to your question: I care. I find it interesting that the program that runs most of the DNS for the Internet has hit a new major version number after being in 8.x since 1997. This is stuff that matters.
Re:Big fucking deal (Score:1)
Re:Big fucking deal (Score:2)
Sigh. Whoever moderated this post as a troll either lacks a fundamental sense of humor, or (more than likely) just doesn't understand what BIND is...
For the record: Yes, it is news for nerds, it is important software, and BIND quite literally does hold the net together.
Shoeboy's post wasn't a troll, it was a fairly good parody of the "Why was this article posted?" trolls.
Re:LIND? (Score:2)
You probably knew that; I'm just posting to clarify for those who don't.
Re:bind... (Score:1)
and more reliable. Bind 8 on Linux sucked rocks, dumped core all of the time. djbdns/tinydns is great.
Re:DNS Tutorial (Score:2)
1) The cost of a venue - London venues are expensive
2) The cost of the speaker
3) The cost of promotion / expenses
These events are the sort of thing that you get your company to pay for if you're working, the whole choice of venue is chosen to keep the bosses happy. If we had a cheap venue the average narrow minded boss would think this isn't going to be any good and is not going to shell out for it. These events are only designed to cater for small amounts of delegates so the chance to ask individual questions is there.
If this event was run by a commercial organisation rather than a non profit org (the UKUUG) then the prices would be even higher, we just aim to cover costs and believe me they're expensive.
Prices in London for a decent venue are a rip off compared to other places in the UK.
Re:Release notes? (Score:1)
Re:Big fucking deal (Score:2)
As a matter of fact, it does, and I am thankful that bind was around ever since the net was made.
In my opinion, slashdot.org is easier to remember than its IP address, and that is thanks to bind.
But of course, maybe would you rather see 64.28.67.48 [64.28.67.48] News for Nerds. Stuff that matters. Or write your email address as drhelpful@216.214.2.25 [mailto]?
Come on. Be thankful that bind is around, and respect your elders.
Re:Big fucking deal (Score:2)
Shoeboy (currently?) is a troll. Apparently, as a protest to the 50 karma barrier, he is attempting to lose karma by posting trolls. (Actually, I guess his karma is currently ~125, so he's trying to get it down to "normal.") Taking a peek at his User Info [slashdot.org] I'd say he's failing right now. But I wish him luck - I'd like to be able to get karma above 50 like Signal 11 and FascDot Killed My Pr. The curse of the newbies.... never to get 3 digit karma...
Maybe I'll have to bid on FascDot Killed My Pr's account over at e-bay...
Re:About time :) (Score:3)
Too late ... (Score:5)
If it isn't, then it's way way too late - switch to Dan Bernstein's djbdns [cr.yp.to] instead. Read the security guarantee [cr.yp.to] and weep in relief. Notice the exceedingly small memory footprint. The lack of core dumps. That you can get rid of AXFR completely and just use rsync+ssh [rsync.org] to transfer to your secondaries.
Check out tinydns.org [tinydns.org] which has migration tools from BIND which I'm playing with atm.
Good news for large domains. (Score:5)
Re:Release notes? (Score:1)
Found 'em - ISC has the release notes [isc.org] up now. They also have the BIND 9 Administrator's Reference [nominum.com] available as a pdf; though it looks like the same docs come with the distribution in html & man format.
Get DJBDNS and worry no more (Score:4)
So instead of worrying about the next serious security hole in BIND, replace it with DJBDNS and make your server a lot more secure.
Homepage: http://cr.yp.to/djbdns.html [cr.yp.to]
For OpenBSD users: cd
BIND 9 is EXTREMELY IMPORTANT!!! (Score:1)
Re:Big fucking deal (Score:1)
Yeah, I know he's trolling... this particular post, though, didn't have the same flavor as his other trolls; unless he was trolling for clueless moderators, in which case, he was apparently successful.
Security Exploit (Score:1)
kinda like pkzip 3.0 and Thedraw 5.0, back in the day ... they also did it with a version of NAV, and I'm sure many others
just a thought
Hopefully (Score:2)
By the way, Eric Sun, who submitted this story, runs a great domain registrar called Alphapython. [alphapython.com] I can't even begin to express how happy I've been with their service, and their pricing is great, too. If you get a chance and need high-quality, affordable domains, check them out.
Re:BIND 9 is EXTREMELY IMPORTANT!!! (Score:1)
What's the use of an IPv6 address when most of your apps, let alone the DNS, cannot handle them?! =)
Re:Big fucking deal (Score:1)
Re:Big fucking deal (Score:1)
When did that start? Why? Did I miss a meeting?
Re:Good news for large domains. (Score:4)
views
This allows one daemon on one server to present different data to different groups depending on where the request comes from.
If the request is from internal, reply with www=192.168.1.1
If the request is from external, reply with www=63.1.1.1
The config file would look something like this:
view "internal" {
match-clients { localhost; localnets; 192.168.0.0/24; };
recursion yes;
zone "." { type hint; file "root.cache"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "pricegrabber.com" { type master; file "db.pricegrabber.com.internal"; };
};
view "external" {
match-clients { any; };
zone "pricegrabber.com" { type master; file "db.pricegrabber.com.external"; };
};
This is _very_ cool! If you run two name servers (master and slave), before you would actually have to run four servers: two for 'internal users' and two for 'the world'.
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com
PriceGrabber.com - The Smart Place to Start Your Shopping
"Linux: Because rebooting is for adding new hardware"
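An added illustration, not from the post above or from BIND itself, of the rule the two views depend on: BIND walks the views in named.conf order and answers from the first one whose match-clients ACL matches the query's source address, so putting the "any" view first silently hides the internal view. The record data, the server's interface addresses (LOCAL_INTERFACES), the recursion flag on the external view and the lint_view_order helper are all assumptions constructed for the example.

```python
import ipaddress

# Constructed data mirroring the post's two views, in named.conf order.
VIEWS = [
    {"name": "internal",
     "match_clients": ["localhost", "localnets", "192.168.0.0/24"],
     "recursion": True,
     "records": {"www.pricegrabber.com": "192.168.1.1"}},
    {"name": "external",
     "match_clients": ["any"],
     "recursion": False,   # assumed: the world-facing view must not recurse
     "records": {"www.pricegrabber.com": "63.1.1.1"}},
]

# Assumed interface addresses of the name server; they define the builtin
# "localhost" (this host's addresses) and "localnets" (its directly
# connected networks) ACL elements.
LOCAL_INTERFACES = ["127.0.0.1/8", "192.168.1.10/24"]


def element_matches(element, client):
    """Does one ACL element (already stripped of any leading '!') match?"""
    if element == "any":
        return True
    if element == "none":
        return False
    ifaces = [ipaddress.ip_interface(i) for i in LOCAL_INTERFACES]
    if element == "localhost":
        return any(client == i.ip for i in ifaces)
    if element == "localnets":
        return any(client in i.network for i in ifaces)
    return client in ipaddress.ip_network(element, strict=False)


def acl_matches(acl, client_ip):
    """BIND ACL semantics: the first element that matches decides; a
    negated element ("!10.0.0.0/8") that matches denies; no match denies."""
    client = ipaddress.ip_address(client_ip)
    for element in acl:
        if element_matches(element.lstrip("!"), client):
            return not element.startswith("!")
    return False


def select_view(client_ip, views=VIEWS):
    """Name of the first view whose ACL matches, or None when none does
    (BIND then refuses the query instead of answering)."""
    for view in views:
        if acl_matches(view["match_clients"], client_ip):
            return view["name"]
    return None


def resolve(client_ip, name, views=VIEWS):
    """Answer `name` from whichever view the client lands in."""
    for view in views:
        if acl_matches(view["match_clients"], client_ip):
            return view["records"].get(name)
    return None


def lint_view_order(views):
    """Flag a catch-all view placed before more specific ones (they become
    unreachable, so internal clients get external data) and a catch-all
    view that also recurses (an open resolver for the whole Internet)."""
    warnings = []
    for i, view in enumerate(views):
        if view["match_clients"] == ["any"]:
            if view["recursion"]:
                warnings.append(f"view {view['name']!r} matches any and recurses")
            for later in views[i + 1:]:
                warnings.append(f"view {later['name']!r} unreachable after {view['name']!r}")
    return warnings
```

Running lint_view_order over the views in reversed order reproduces the misordering warning; run over the order shown in the post it returns nothing.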
I'm being defamed! (Score:2)
Actually I'm just a jackass. I participate in the troll forums because they have intelligent discussions there. I'm certainly not in the same league as em, 80md, er or jsm.
I'm more of a prankster.
Apparently, as a protest to the 50 karma barrier, he is attempting to lose karma by posting trolls.
I am protesting nothing, I'm just treating
(Actually, I guess his karma is currently ~125, so he's trying to get it down to "normal.") Taking a peek at his User Info I'd say he's failing right now. But I wish him luck -
Oddly enough karma has frozen again - so I'll be stuck at 62 until taco unfreezes it. I don't care what my karma is, I just like to post "Moderate this down - I need to lose 15 karma points by midnight" stuff to mess with people's heads and entertain them. Judging by the moderations I get, it seems to be working.
--Shoeboy
Interesting points with BIND 9 (Score:5)
The Internet needs a powerful name server and name resolver, but USEFUL tools don't use structure to obscure the content.
Re:Too late ... (Score:1)
Re:I'm being defamed! (Score:1)
Bind 9.0 web page is posted, but not linked (Score:5)
Re:bind... (Score:3)
If you want dns server, go for tinydns.
Re:Hopefully (Score:1)
Apparently BIND is just "spaghetti" code, and the last audited BIND was 4.9.7. As you can probably imagine, auditing such a mess would be awfully time consuming.
Re:Hopefully (Score:1)
Re:Too late ... (Score:2)
Re:Interesting points with BIND 9 (Score:3)
I haven't actually compiled Bind 9 yet, but the page at http://www.isc.org/products/BIND/bind9.html says "To build shared libraries, specify "--with-libtool" on the configure command line.", so it seems you're inaccurate on one point.
Re:Hopefully (Score:2)
Re:DNS Tutorial (Score:2)
A less abusive way to publicize your class is to take some of the materials and put them on the web. This web page would be universally useful (and thus linkable) and is a legitimate place to advertise your product.
While we're on the subject, if every Slashdotter would please briefly visit www.nakedteenagebimbos.com [nakedteenagebimbos.com], I'll be able to retire three years early. Thanks for your support.
Re:Too late ... (Score:1)
Re:LIND? (Score:1)
however, every Linux distro (RedHat, Mandrake, Slackware, etc.) that I know of uses the "named" daemon that is in the "bind" package to serve the DNS protocol.
You say you've never had a need for it... It's pretty handy to be able to define your own names and to rename things that you want to rename. Try it.
Re:Interesting points with BIND 9 (Score:2)
Oh, wait... That's damning, isn't it?
Re:Big fucking deal (Score:1)
Reasons not to use djbdns Re:Too late ... (Score:1)
* Anyone with a security guarantee is smokin' something
* Yes, djbdns doesn't do AXFR/IXFR transfers. Yes, that'll increase security. But goodbye to interoperability with someone who doesn't use djbdns.
Re:Too late ... (Score:2)
This is the topic of recurring flame wars on the dns-bind list, and I don't want to start it here. But do note that djbdns is not a drop in replacement.
Re:Reasons not to use djbdns Re:Too late ... (Score:1)
You are wrong about AXFR. See
Re:Good news for large domains. (Score:1)
Re:Remember the AMDROCKS attack? (Bind 8.2.1) (Score:1)
it as user 'named' by default...
Re:Too late ... (Score:1)
Dan says the same thing about BIND. <shrug>
AXFR/IXFR are RFC standards, and he makes it "optional".
They are optional with BIND, too. But they are enabled by default. Most people don't need 'em.
djbdns turns off TCP queries by default.
No it doesn't.
This is the topic of recurring flame wars on the dns-bind list, and I don't want to start it here.
Yes you do, otherwise you wouldn't have posted about it.
Re:Interesting points with BIND 9 (Score:1)
You mean if NSI/ICANN would deploy it, and setup a secure channel for collecting keys from domain registrants.
Re:bind... (Score:1)
Re:Too late ... (Score:1)
> No it doesn't.
What about this FAQ [cr.yp.to]: How do I answer TCP queries? Why does tinydns answer only UDP queries?
It sure looks like it is off by default according to the author.
Re:Too late ... (Score:2)
He's a great programmer, shame the elevator doesn't go all the way to the top.
Re:Interesting points with BIND 9 (Score:1)
Re: (Score:2)
Re:Too late ... (Score:2)
Re:Too late ... (Score:3)
IXFR is an incremental method of zone transferring, which is completely useless if you use something like rsync and ssh. djbdns stores all of its zone data in a highly efficient CDB file. All you have to do to update your secondaries is to push the CDB file out. If you use rsync, then only the differences get pushed, the file gets updated atomically, and you're laughing.
If you use djbdns consistently, you have absolutely no need whatsoever for AXFR or IXFR. If you do secondary with other BIND servers then you'll need to run an AXFR process, unfortunately.
Re:Hopefully (Score:2)
OpenBSD comes with BIND4, which has been audited. BIND8, djbdns, and BIND9 are available in the ports tree.
Re:Get DJBDNS and worry no more (Score:1)
Re:Too late ... (Score:1)
Try running the software instead of judging it just from the author's rants. djbdns fully supports CNAME records. DJB simply does not provide a command line utility for adding them, like it does for A, NS and MX records. Big deal. The utilities are provided as a quick-start for newcomers.
Here is the small list of things djbdns does not support, but BIND does:
There are some other esoteric BIND features missing from djbdns, but simplicity is one of djbdns' features. It was never meant to be a replacement for BIND, so criticizing it for not being a drop-in misses the point. I simply don't care about the missing features, djbdns meets my needs, and in my environment, it does many things better than BIND, or at least allows me to more easily and securely support the things I need to do. I think it would for a lot of people, too.
Security guarantee is limited (Score:2)
djbdns doesn't do AXFR transfers. You have to run the included axfrd to serve AXFR, or run axfr-get to retrieve records using AXFR.
-russ
Re:Too late ... (Score:2)
-russ
djbdns supports TCP queries. (Score:2)
-russ
Yes, AXFR support is optional (Score:2)
-russ
Re:BIND 9 is EXTREMELY IMPORTANT!!! (Score:1)
Hey, Solaris has supported IPv6 for a coupla years now. What's taking you folks so long? =P
~dlb
Re:Too late ... (Score:2)
Try running the software instead of judging it just from the author's rants. djbdns fully supports CNAME records. DJB simply does not provide a command line utility for adding them, like it does for A, NS and MX records. Big deal. The utilities are provided as a quick-start for newcomers. There are some other esoteric BIND features missing from djbdns, but simplicity is one of djbdns' features. It was never meant to be a replacement for BIND, so criticizing it for not being a drop-in misses the point.
Alright, my bad. I sure thought I had read somewhere that it simply couldn't serve them up.
That's OK though. There are plenty of other things wrong with djb software. Like the licensing, and the attitude.
What about Gag? (Score:3)
Yes, as did BIND 8 (Score:2)
Re:BIND 9 is EXTREMELY IMPORTANT!!! (Score:1)
< > The IPv6 protocol (EXPERIMENTAL)
Re:Get DJBDNS and worry no more (Score:1)
Just Upgrade Binary? (Score:1)
-Waldo
Re:Interesting points with BIND 9 (Score:1)
BIND can be a recursive acronym. (Score:2)
GNOME vs. KDE: the game! [8m.com]
Re:Big fucking deal (Score:1)
Re:Big fucking deal (Score:1)
ISC Bind 9 URL (Score:1)
http://www.isc.org/products/BIND/bind9.html
Re:Security guarantee is limited (Score:2)
Re:Good news for large domains. (Score:2)
All my internal hosts use 192.168.*.* and I use Cisco NAT to get the right external address mapped to the correct internal addresses, and Cisco NAT will automagically fix up DNS packets on the fly, but only if they are UDP. The result is that I have one external address for external zone transfers, one for external name service and one for internal use.
Re:Get DJBDNS and worry no more (Score:1)
WINS resolution in resolver (Score:1)
Re:Get DJBDNS and worry no more (Score:2)
-russ
p.s. Sheesh!
Re:I'm being defamed! (Score:2)
--Shoeboy
Thank god for Al Gore (Score:1)
Broken Analysis (Score:1)
You do not need to use AXFR for zone transfers with other BIND servers. The only time you will ever need to support AXFR is if you have customers or providers that refuse to support sane protocols, like secure rsync. Synchronizing BIND servers with rsync is no more challenging than synchronizing tinydns servers.
Additionally, if you are making the mistake of using or relying on BIND anywhere in your infrastructure, reloading the zone files will give you an opportunity to free up all the memory that the infinitely-expanding BIND "cache" consumes.
You should very carefully read and consider DJB's analysis of whether you want offsite secondary DNS support before you rely on anyone else's nameservers. Most people DON'T want offsite secondaries, even if they think they do.
If you do need offsite secondaries, you should very carefully consider whether you want to rely on providers that rely on insecure, unreliable, antiquated software.
Re:Security guarantee is limited (Score:1)
definite financial interest in pushing BIND and BIND-features-masked-as-DNS-standards. Vixie is an officer of Nominum, "the BIND company", a commercial enterprise devoted to BIND in the same manner as Sendmail, Inc. is devoted to Sendmail.
Some of the largest sites in the world still depend on Sendmail, too. But would you run Sendmail in your infrastructure? Most people wouldn't, opting instead for Postfix or qmail, both of which have proven themselves in large sites as well.
DNS Standardization (Score:2)
Learn what "standardization" means, and how to read and interpret an RFC. You're talking out of your ass.
AXFR has been "optional" in BIND for years --- BIND's configuration allows them to be restricted by IP address, and competent admins have been restricting them with filters long before that feature was available. djbdns does exactly the same thing, but takes it a step further by running AXFR service from a separate server context, for added security, speed, and reliability. This violates no aspect of the standard.
IXFR is not a "DNS Standard". All RFCs are not standards. Many RFCs are proposed extensions to the standards, which is exactly what IXFR is. djbdns doesn't support IXFR because IXFR isn't required by the standards and, thankfully, isn't in widespread use.
Bernstein's take is that secure rsync IS in widespread use, is a general-purpose, modern tool, and is more available to the DNS operations community (even the BIND advocates) than IXFR is. I think it's clear that many of the supposed "standards" being tossed about in this debate are nothing more than features of BIND being wrangled into standards documents. Welcome to OSI, circa 2000AD.
Having addressed your straw-man argument over AXFR/IXFR, why don't we move on to ACTUAL standards compliance? BIND up to and including 8.1.2 applied DNS compression to SRV records, blatantly violating the most basic aspect of the DNS standards (the on-the-wire encoding of actual DNS records).
You're also completely wrong about the ability to do zone transfers with secure rsync and BIND. People already do this. Where'd you get your information from?
djbdns uses TCP queries when necessary, automatically. Can you come up with an actual interoperability problem djbdns has caused? What you're saying sounds *exactly* like what the Sendmail drones said when qmail was released.
I don't expect everyone on Slashdot to understand how the IETF works and what the forces are that bear on it, but I do expect that everyone here is familiar with the term "loose consensus and working code". djbdns works. BIND has been a disaster for years. If you're going to deify the IETF in your arguments, try to understand its spirit first.
Re:Release notes? (Score:1)
Re:Security guarantee is limited (Score:1)
I used to run one of the only sites for DISA that never got hacked. Even the tiger teams failed to hack it and it was running sendmail properly configured. Out of the several thousand sites they hacked in DISA, there were only about 6 that they couldn't crack and all of those were running sendmail.
All programs have flaws and sometimes those flaws open it up to abuse. A secure server must keep on top of those flaws. At this point I think that sendmail is much more secure than postfix and qmail. I managed to get postfix to dump core a few times on the Mandrake 7.1 that I'm running at home. Users should not be able to cause programs started as root to core dump.
Re:Too late ... (Score:2)
So, if you're out of technical arguments and are down to social ones, considering BIND is the Sendmail of the 90's and Wietse hasn't attacked DNS as a project, I think you're out of wind.
Look at the code, don't rush to judgement. Look at BIND's code. Compare and contrast.
I actually *like* BIND, but running it is always scary, even chrooted.
Paul
Re:Security guarantee is limited (Score:2)
> times on the Mandrake 7.1 that I'm running at
> home. Users should not be able to cause
> programs started as root to core dump.
a) How did you get it to dump core exactly.
b) Where's your bug report? Wietse's always been extremely good at fixing actual bugs.
c) Postfix drops root _very_ quickly for the parts of the system that need it. It's not monolithic and all the parts don't run as root.
I don't know *anyone* in the security community that I respect who'd run Sendmail under any circumstance that wasn't "We need a specific feature that nothing else supports" and even then it'd be on a gateway downstream of something else.
Paul
Re:Interesting points with BIND 9 (Score:2)
$ rpm -qf
glibc-devel-2.1.92-5
It is up to glibc to decide what the interface will be. If and when glibc uses bind 9's resolver, we shall see what their strategy is with the API.
It's just like
What I'm waiting for personally is dhcp 3.0 final, so I can connect my dhcp with dyndns and head off w2k...
Re: (Score:2)
"All programs have flaws"? (Score:2)
There are none.
-russ