BIND Is Most Popular DNS Server 452
bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."
probably (Score:5, Insightful)
arrr! (Score:0, Insightful)
De Facto (Score:5, Insightful)
Becuase no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.
It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.
The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?
Re:probably (Score:5, Insightful)
Re:It is the default, and not hard to understand (Score:2, Insightful)
Also, BIND allows you to mix caching and authoritative services. Not only is this insecure in nature, it's insecure in BIND's implementation. Much safer to have them on different IP addresses.
-russ
sendmail shows this to be true (Score:3, Insightful)
I also know I am amungst the lazy ranks.
Re:De Facto (Score:3, Insightful)
With windows, you do not get that choice... either you use what Microsoft provides you or you don't use it at all. There is no choice. On Unix, there is.
Re:De Facto (Score:4, Insightful)
I haven't used sendmail in years, having switched over to exim a long while ago. Out of interest, what does sendmail offer you that exim doesn't?
Re:De Facto (Score:5, Insightful)
There's also the fact that, due to it's current dominance, if I buy a book about DNS it probably assumes BIND. Therefore in a lot of people's heads BIND = DNS. Heck, for that very reason if I had to set up a DNS server (I'm not a networking expert) I'd select BIND as then I know that there's going to be examples in a book I can adapt to suit what I want to do. If it's not my core area then I don't want to have to spend hours learning how to configure a system, I just want to copy something out of a book and for it to work. Looking at the MyDNS site that has a second strike against it, it requires MySQL. Not only do I have to learn to setup and configure the product I actually want but I also have to learn another unrelated product! At least BIND uses text files, I know how to edit those.
Stephen
Why they keep BIND around (Score:5, Insightful)
Re:You really see which DNS does heavy lifting. (Score:5, Insightful)
I think that the best definition of "heavy lifting" is not the size of the installed base or the average number of domains per server, but instead the total number of queries served. Those numbers of course are hard to estimate.
Other Servers? (Score:1, Insightful)
Re:probably (Score:5, Insightful)
Do you live in a DOS shell? It's "simple" - so is driving a golf cart or programming in BASIC.
Simple is not equal to good. Very few people would actually chose simple over capable any day.
Re:De Facto (Score:5, Insightful)
Not all IT majors are that dumb, some of them deserve some credit.
The other problem is that old pain in the butt standard programs like bind and sendmail are feature complete. Because they are old and used by tons of people they have all the features in them, workin properly. It may be a horrid pain in the ass to make them work, but it can be done. And while there are many nice new alternative programs that serve the same functionality in an easy clean fast way. You'll be hard pressed to find one that can do everything. I can't tell you how often Who will use a piece of software that they know is terrible, will admit to it being terrible, even complain about it being terrible, because it is the only one with a single feature that is necessary. Made up Example: One website someone visits often only works in IE. They love Firefox, but its too much of a pain to visit that one site.
There's some guy out there using bind who wants to use something else, but can't because he needs one tiny feature that nothing else has. This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.
Re:probably (Score:5, Insightful)
Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?
Most lazy people create an extraordinary amount of needless labor for themselves and then berate people who have a lot of free time because of their efficiency "lazy."
It's very peculiar.
KFG
If DJB were.. (Score:5, Insightful)
Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service,
He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply QMAILSCANNER patch into qmail. You need to go and get netqmail for that, or apply the patches it provices manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!
djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).
And as far as I know, many distributions kicked his software out, including several *BSDs.
The alternatives (Score:5, Insightful)
tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.
In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.
Because it works. (Score:2, Insightful)
Re:probably (Score:2, Insightful)
I haven't a clue, but people do.
KFG
Re:De Facto (Score:5, Insightful)
I have at least one acquaintance who, on his very large enterprise, runs Sendmail at the edge (and Exchange internally, but that's not his choice). Why? Because that way, he doesn't need to worry about separate patch management for his MTA -- Sun makes sure his MTA is up to date, and he doesn't have to document "this is how to install the MTA" separately.
Is he using an inferior MTA? I believe so. So does he. But the ways in which Sendmail is less good don't affect him nearly as much as the way in which it is better -- by lowering maintenance costs (or, really, just rolling them into the ridiculous amount he pays Sun -- though he could get the patches for free, of course).
With respects to my fellow sysadmins here -- obviously, some of you are vastly superior to me in all matters technical -- we really should know by now that sometimes, we make technical decisions for reasons that are not purely technical. The reasons people choose Sendmail over Postfix are usually in that sort of category, as well as the reason people choose BIND over other DNS servers (BTW, BIND is also the default DNS server on Solaris).
I don't see this as a huge problem, except for (I guess) people who take it personally that not 'enough' people use the software they developed with great effort (though I don't see Wietse complaining "more people should be using Postfix!"). Unlike the Windows situation, it's not like the fact that, likely, most people I communicate with use Sendmail means I'm forced into using Sendmail. UNIX-based MTAs (Sendmail, Postfix, qmail, exim, other custom MTAs) mostly seem to be fairly standards-compliant, much like DNS servers (go ahead. Point out some obscure thing that 99% of people don't use where BIND doesn't follow the spec, just so I can laugh at you). So BIND and Sendmail dominate? Fine. I'll still run Postfix and
Re:De Facto (Score:1, Insightful)
The major objection to sendmail isn't syntax; it's security. sendmail is on
the very short list of programs I disallow on my network for security reasons.
Its security track record is every bit as bad as IIS, and the problem is a
core problem with the philosophy of the developers: they patch specific
vulnerabilities, but they don't have any interest in fixing the core design
that _leads_ to all those vulnerabilities.
Fundamentally, sendmail runs as root while processing untrusted data arriving
from the internet. That's a major fundamental security no-no. You just don't
*do* that. Apache doesn't do that. proftpd doesn't do that. There's no
*need* to do that, but sendmail does it anyway for arcane historical reasons.
> but then most perl programs look like line noise too
Now *you're* trolling. The only Perl programs that look like line noise
are the ones that are deliberately obfuscated, like my signature.
By that argument (Score:3, Insightful)
Here at
Seriously, I have nothing against BIND. But you should always that there are liars, damn liars, and statictians.
They use BIND for same reason others use Windows (Score:2, Insightful)
BIND is ***MORE*** frustrating than SQL??? (Score:3, Insightful)
I've never understood what problem people have with BIND. It's as simple as it could possibly be. Everything makes clear sense. The config files are plaintext. It's backwards compatible almost to eternity. I use it because it's the best solution, not the only one.
Re:The alternatives (Score:3, Insightful)
qmail was recently forked into something called 'netqmail' that integrates the most popular, bug-fix packages that are out there.
...which can only be distributed as a set of patches against the original code. This means no binary packages, either. djb's license forbids the distribution of modified versions. qmail is not open source. It's actually a lot closer to Microsoft's shared-source license.
Re:De Facto (Score:4, Insightful)
I was unaware DNS servers really needed much in the way of features for most people. In fact, I thought it was about the simplest thing in the world - get a request, look it up in a table and return the results. Not exactly rocket science, and the BIND configuration file's pretty ugly looking if my memory serves.
I think overcomplexity is one of the biggest problem with the software world as it is today. It's worst on Windows, of course, but Sendmail and BIND are proof that Unix has similar problems too.
D
Some other reasons (Score:2, Insightful)
Can be rewritten as:
"Why people don't switch to djdns (which install in stupid places, is mostly unmaintained, is written by an offensive asshole, and that you cannot fork/modify) ?"
or
"Why people don't switch to MyDNS (that just reached version 0.11, indicating that it is really stable) ?"
Jezus. What are people thinking ? He versions his software as 0.11 and then complains publically on
Re:Reasons why DJBDNS is not more common (Score:1, Insightful)
That's a hallmark of djb programs. File formats are very easy for machines to parse. Easy to parse tends to equate with being less human friendly.
Re:sendmail shows this to be true (Score:3, Insightful)
Re:The alternatives (Score:3, Insightful)
Others offer (well, sort-of) working DNSSEC implementations, which might be a reason to use these implementations instead of tinydns. Of course, the overall need for DNSSEC implementations is pretty low on the current Internet, even though everyone wants a secure DNS (kind of a chicken-and-egg problem).
Re:Reasons why DJBDNS is not more common (Score:5, Insightful)
I have to say that this is the largest and most insurmountable reason for me against using either his DNS server or his mail server.
I was a big fan of his back in the days of UUCP, but his unwillingness to let distributions of BSD, Linux, etc. modify and distribute his software (without some kind of source-based patching hack sans binaries) was a snub to all of us who have contributed to open source software over the years, and a clear indication of a lack of concern over the larger needs of his audience.
Let me be clear: he's WELL WITHIN HIS RIGHTS, and he's even going out of his way to distribute his stuff, which is great. But to say "I'm going to play ball with you, but only if you use my ball, and in the following ways" doesn't fly for me. There are many good alternatives to his code, and they all have their own advantages and disadvantages. Thanks for playing, though.
Re:If DJB were.. (Score:5, Insightful)
You can be very confident that it will be. Postfix uses privilege separation, runs as its own user account (not root), and is designed with a chroot environment in mind. It's also very componentized and designed so that a breach in one component can be isolated without a risk to the others. To the best of my knowledge, there has never been a remote code execution vulnerability in Postfix.
The last major security problem was a year ago and was just a DoS possibility. Even qmail has DoS problems [secunia.com]. Before the DoS, in 2002 there was a problem that might allow someone to use Postfix to portscan another system (no risk to the system running Postfix). Both of these were in the older 1.1 version. The 2.x series, released in 2002, has never had a security problem bad enough to warrant an advisory for.
The only other thing I could find is djb ranting [cr.yp.to] about a Postfix problem that has been fixed for over 6 years.
Re:sendmail shows this to be true (Score:2, Insightful)
i don't think the situation is all that analogous with DNS servers, though. sendmail is and always was an unbelievable mess to set up and maintain; the mere fact that a bunch of m4 macros was considered an improvement on the config system that preceded them should tell you something. (if it doesn't, you haven't had much exposure to m4. count that a blessing and keep away from the thing.)
by comparison, BIND versions >= 8 are simple, straightforward and eminently sensible both to configure and to keep running. as well, BIND's had its share of security problems, but nothing has nearly as awful a security track record as sendmail, not by a long shot.
finally, the cricket book is about half the size of the bat book, maybe less. i don't know about you, but that tells me BIND is a smaller, easier to learn system than sendmail.
Re:MyDNS/MySQL (Score:2, Insightful)
I mean....yes, it's incredibly fast. Scalable. Low overhead. But when everything from e-mail to DNS depends on MySQL....it gets a little sickening
You don't need a datbase server for everything, no matter how it is that you can say "I run my DNS servers off of a MySQL database." It's still way overused.
Re:De Facto (Score:3, Insightful)
You're over-complicating things for simple applications if you use the software meant to distribute DNS over an entire network of servers for your single web site which just needs to receive a request for www.amazing.com and return an addresss.
D
Re:probably (Score:2, Insightful)
This is a fun weekend project as you get to walk around your place with your SO and figure out 'exactly' where things should go.
Re:Feature Complete? (Score:3, Insightful)
Hm..I consider most software to be an evolutionary process. You start out with a need, you write the software, and then someone else sees a little bit further out and says, "gee, I like what you've done, but it would be so much more useful if it [insert most wanted feature here]". I can't think of a single piece of software I've used that had everything I wanted. I don't think there will ever by one, either. It's like the bear and the mountain - each new version is another mountain, and once we get to the other side, we're apt to see more things we'd like the software to do for us.
Re:dude, tinydns syntax is WAY better (Score:2, Insightful)