Interview With Paul Vixie And David Conrad
rwm311 writes: "linuxsecurity.com is running an interview with [Paul Vixie] and [David Conrad] about the ISC and BINDv9. It's a pretty good read. Vixie talks about his days at DEC and his motivation behind BIND while both Vixie and Conrad speak of the future of BIND - features they would like to implement and things that will be going away (such as nslookup)."
The Changes in BIND (Score:2)
This is very good news! The problem that scares me is that bind8 compatibility may not be all there. This means updating a large site to BINDv9 is going to be a problem for many ISPs etc.
There are still a couple of areas where we're deficient in support of standards, e.g., we don't support using DNSSEC with wildcards and a BIND version 9.0.0 slave does not forward dynamic updates to the master as it should according to the RFCs. Our intent is to fully implement the standards (and/or help revise the standards to make them more useful to the Internet community).
While waving off other name server implementations (DjbDNS) by saying it doesn't meet current standards, they admit that Bindv9 WON'T meet some of the current standards! In fact it seems that Mr Conrad is in favor of changing some of the standards. Is that to make them more useful, or make them fit Bindv9?
All in all ANYTHING has to be an improvement over the code of Bindv8. The proof will be after Bindv9 has been "in the wild" for a few months.
Re:Go Vixie! (Score:2)
Friday is Score 2: Troll Day. Join us!
And if you moderate this down, please email me and tell me exactly what you're trying to prove.
-- It's a .88 magnum -- it goes through schools.
Re:The Changes in BIND (Score:1)
My reading on the interview was that Bindv9 was one of the first or only implementations of some very new and rather complicated DNS standards. That they've implemented them and found some of them in need of upgrade only makes sense. If someone only draws a complex picture of a house and you're the first one to build the house as completely as drawn, you're likely to have some suggestions about the design of the house.
Rightly or wrongly, I think they probably have a certain sense of arrogance for having rewritten BIND from scratch (or nearly so) to begin with, let alone done so while implementing new standards.
Even if their arrogance is such that they think that the standards need to bend to fit the new BIND, who am I to complain? BINDv9 is much more likely to become the new open source standard for DNS servers (at least on unix) than DjbDNS ever was and there aren't a whole lot of other competitors in the Unix space -- might as well have the standards comply with BIND... Where BIND has to be careful is not getting supplanted by Microsoft's DNS implementation in Windows 2000. Microsoft's co-opting DNS for ADS was very clever of them, and puts real pressure on BIND from a feature standpoint as well as an interoperability standpoint.
Compatibility with v8 is a serious concern, but I'll bet that a lot of ISPs aren't terribly concerned about fancy features like dynamic updates and so forth -- they want to be able to serve MX, CNAME, A and NS RRs from their existing zone files with a minimal amount of redoing named.conf files. My guess is that zone files will work or nearly work (i.e., run through some filter script) and that the v8 conf file format will travel to v9 with compatible syntax and new features. The world didn't stop when v8 supplanted 4.9.x in spite of the lack of compatibility in files.
Re:Of course bind is buggy! (Score:2)
Definition of Open Source [tuxedo.org] given in ESR [tuxedo.org]'s Jargon File [tuxedo.org].
Download Bind 8 Sources [isc.org]
Finally, the contents of the LICENSE file in the current BIND distribution:
## Copyright (c) 1993-2000 by Internet Software Consortium, Inc.
##
## Permission to use, copy, modify, and distribute this software for any
## purpose with or without fee is hereby granted, provided that the above
## copyright notice and this permission notice appear in all copies.
##
## THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
## ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
## CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
## SOFTWARE.
I didn't bother to C&P their address, which I'm sure is somewhere on their webpage [isc.org].
How do the definition and the current BIND license (which I think we can expect to carry over to BIND9) not jibe? In fact, it's not just Open Source, it's Free Software [tuxedo.org] as defined by RMS.
secure replacement for BIND (Score:2)
namedroppers [cr.yp.to]
David Conrad on nscd (Score:1)
My only request of Mr. Conrad is that they actually make it do something useful, unlike nscd. For those who don't know, nscd is the Name Server Cache Daemon in Solaris. In theory, it caches requests for passwd, group, and hosts requests to make repeated lookups faster. In practice, you can't tell a damn bit of difference whether it's running or not.
Re:Go Vixie! (Score:1)
I agree with everything you say. I'd like to know how postmodern literary criticism could be subject to checks, though! But the comment above really strikes a chord with me. Did you ever read Zen and the Art of Motorcycle Maintenance? Part of the story is about this guy who is convinced that most western thought is based on a mistake made by Plato which should have been picked up 2,000 years ago, and him thinking through the conclusions of what would have happened if the mistake had been noticed (which eventually sends him to the nuthouse). The theme is exactly this - that a clique of researchers cannot even conceive of an error in their underlying assumptions, let alone address the error, or respond to criticism. And that's even without postulating a vested interest - so where a vested interest exists, you can bet the problem is ten times worse.
Fortunately for the physical sciences, as you say, mistakes can be spotted. Relativity and uncertainty are the two things that come to mind. Which makes me feel that physics, next to mathematics, is the most trustworthy of sciences.
When you're talking about evolutionary biology, you wouldn't be thinking about Richard Dawkins, would you? ;) The man who is so sure that his ideas match reality that he's written a library of books convincing people not to believe in God. "Don't accept anything on faith," he says, not realizing he's one of the world's most faithful people (he sure has a lot of faith in his own correctness, despite a staggering lack of scientific evidence).
The only thing I think you have wrong here is where you rubbish statistics. Psychology wouldn't even exist as a science (which might not be so bad ...) if it wasn't for statistics. Statistical theory is all about determining what's noise and what isn't. I agree with your sentiment - sometimes I wonder if (for instance) microwave background radiation really proves that the big bang happened. But if statistics tells you there's a 95% chance of a meaningful correlation, that's what it means. Not that there is a correlation, necessarily, but just that if there wasn't a correlation, there's only a 5% chance that the results would look that correlated. Of course, 5% is good odds. If there was a correlation with 99.99999% probability I'd be inclined to accept it. Much psychology is based, as you say, on likelihoods of 5%, and there's significant doubt. Sadly, the popular perception of science is that it's infallible, so if someone publishes a paper that everyone in the scientific community knows is de facto questionable, the majority can still amend their entire world view based on this dodgy "knowledge". Give it a spin so Fox 11 news picks it up, and you've basically created a new "truth".
Witness, for instance, the "fact" of global warming. It's not like the Earth ever suddenly changed temperature before the industrial revolution ;) Like, say, in the ice age. I'm not saying global warming isn't happening, but it's highly contentious whether or not it's really due primarily to gaseous emissions. There's no doubt in the public mind to mirror the one in mine, however.
Oops, I got stuck in wibble mode. Bye!
Re:Your Taco has forsaken you! (Score:1)
I pick the pipe as the symbol for the replacement letter. It's underused in the English language. From now on, words like quick, que, and quack will be spelled |ick, |e, and |ack.
See how nice that is?
Dan's code is Not free software (speech) (Score:1)
If I wanted to improve djbdns and distribute it, I couldn't. Same applies to qmail. Only sysadmins with unlimited time install Dan's software, as no distribution can accept Dan's restrictions and distribute precompiled versions.
Re:security (Score:1)
I do hope BIND9 is better than 4 and 8, but I don't think I'm going to use it now that I've got everything I need in djbdns.
-Peter
Re:Dan's code is Not free software (speech) (Score:2)
OpenBSD 2.8
[root@brick
[root@brick djbdns]# make install
Unlimited time? Not so hard I think
Re:Security (Score:2)
I want a nameserver that doesn't suddenly disappear out from under me for no reason, or that has a memory management policy of 'help! restart me!'.
Deal with the REAL issues first, add cute features later.
I can factor large primes trivially! (Score:1)
bind 9 is a buggy piece of SHIT (Score:1)
about 50000 or so separate clients throughout the day, and found a number of bugs. Some of the bugs prevent bind9 from answering queries, as it has a mechanism to prevent more than 1000 simultaneous queries by default. Raise it and BIND fucks up with strange bugs which make it loop and eat all CPU. Time for the debugger. Or, maybe http://www.dents.org/
Re:Security (Score:2)
Since some people don't like clicking links for some reason, here's DJB's comments on DNSSEC (a few of them at least):
Taken from http://cr.yp.to/djbdns/forgery.html [cr.yp.to]. Read the rest of that page for his idea for a quick-fix.
Re:security (Score:1)
Take the classic problem, the buffer overflow. Some programmer makes an incorrect assumption about the size of a chunk of data, and ka-blooie, you've written garbage all over memory. Although this can, with a lot of trickery, turn into a security problem, it's really just bad programming.
Good programming is all about making sure that your code does only what it's supposed to, neither more nor less. As part of making a program robust, you'll automatically take care of most of the sloppiness that leads to security flaws.
This isn't to say that security is easy or unimportant, but the first poster is right; security is mainly a design issue. From the perspective of a coder, security errors are a small subset of the errors you aim to eliminate when coding for maximum reliability.
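The size assumption the comment above describes, as an added example that is not code from the interview, from BIND, or from the poster: a DNS wire-format name decoder in C that checks every label length against the bytes actually left in the packet and against the output buffer, so a bad length byte yields an error instead of an out-of-bounds read or write. The sample packets are constructed; compression pointers are deliberately out of scope.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one uncompressed DNS name from wire format into dotted text.
 * Returns wire bytes consumed, or -1 when a label claims more bytes than
 * remain, exceeds 63 octets, the root label is missing, or out[] is too
 * small: every length byte is checked against what is actually left. */
int dns_name_decode(const uint8_t *pkt, size_t pktlen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, o = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= pktlen) return -1;             /* length byte missing */
        uint8_t len = pkt[pos++];
        if (len == 0) break;                      /* root label ends the name */
        if (len > 63) return -1;                  /* 0xC0 pointers not handled here */
        if (len > pktlen - pos) return -1;        /* label runs past the packet */
        size_t need = o + (o ? 1 : 0) + len + 1;  /* '.' + label + '\0' */
        if (need > outlen) return -1;             /* would overflow out[] */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, len);
        o += len; pos += len;
        if (pos - off > 255) return -1;           /* RFC 1035 name length cap */
    }
    out[o] = '\0';
    return (int)(pos - off);
}
/* Constructed sample wire data, not captured traffic. Hex escapes are split
 * from letters so "\x07" "example" is not read as \x07e; the literal's
 * trailing NUL is the root label. */
static const uint8_t GOOD[] = "\x03" "www" "\x07" "example" "\x03" "com";
static const uint8_t OVERLONG[] = "\x09" "abc";  /* says 9 bytes, carries 3 */
/* 1 when the well-formed sample decodes to the expected text and length. */
int check_good(void)
{
    char name[256];
    int n = dns_name_decode(GOOD, sizeof(GOOD), 0, name, sizeof(name));
    return n == 17 && strcmp(name, "www.example.com") == 0;
}
/* 1 when each malformed case is rejected instead of read/written out of bounds. */
int check_bad(void)
{
    char name[256], small[8];
    return dns_name_decode(GOOD, 4, 0, name, sizeof(name)) == -1              /* cut after "www" */
        && dns_name_decode(OVERLONG, sizeof(OVERLONG), 0, name, sizeof(name)) == -1
        && dns_name_decode(GOOD, sizeof(GOOD), 0, small, sizeof(small)) == -1;  /* out too small */
}
```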
Re:Security (Score:1)
So it does zone transfers, but are they by the standards? What about DNSSEC and TSIG? And DDNS? These are all pretty important standards...
Re:security (Score:3)
Maybe it's just you. Good programmers know that stable, correct code is the cure for 99% of all security problems. The other bit is security problems due to design flaws (such flaws would exist in the RFC, for example).
If you spend the time required to do something _right_, if you make the code robust and stable, then it will be secure. It IS a side effect of programming for stability.
Re:security (Score:1)
But immediately below Conrad states:
Amusing quote (Score:5)
Seems like everyone makes this mistake sooner or later!
(for the confused: he meant "factor products of large primes trivially".)
Torrey Hoffman (Azog)
Factoring Large Primes Easy (Score:1)
Hopefully, the easing of US crypto controls earlier this year doesn't mean that someone has figured out how to factor large primes trivially... :-)
All prime numbers (including large ones) have exactly two factors, themselves and 1.
security (Score:5)
"...it was an indirect goal. We wanted to produce a rock solid, commercial grade, open source DNS implementation in the tradition of BIND..."
translation: bind 9 will be just as buggy as the old bind!
"...and with high compatibility with BIND. One important side effect of all that is security."
is it just me, or does the concept of security as a "side effect" seem very frightening?
you'd think that with all the problems in the past with bind, they would have considered security to be a primary goal, not a "side effect".
nslookup (Score:3)
Interesting, I didn't expect them to admit to that sort of thing.
And it's not really that nslookup is going away, at least not the way that I think of it (a command line tool to quickly find an IP address) - they indicate that it was because nslookup currently is closely mapped to the BIND8 API which has been changed all around. I think they want something more abstract which will allow users to get the info they want without being closely tied to the underlying protocol. (Abstraction! Egad!)
All in all, it sounds like good news.
BINDv9, security and damage control (Score:1)
Having said all that, I must admit the comment about security being "an indirect goal [linuxsecurity.com]" by Paul was a bit disconcerting to me too. But then David's comment that it was a "core requirement." Different viewpoints? Quick damage control by D.C.?