Perhaps you've heard of turd polishing?

Find something that supports IPv6 that isn't a security nightmare. They exist. Isn't that your job as a netadmin, anyway? It's because of lazy-assed admins that keep following turds like BIND -- religiously -- that it remains #1 in market share when it should have been kicked to the curb long ago for being the bloated, slow dog that it is.

Security isn't always easy. You've made your deal with devil. Tell me all about it when he calls the tune and your BIND box gets rooted on a weekend or while you're on vacation.

Even if you *did* have to do something custom for a BIND alternative, you only have to do it once and never worry about it again. You make it sound like you have to write the daemon yourself from scratch. Lazy.

Enjoy your patch cycle and watching over your shoulder while I enjoy restful sleep.

Hopefully you'd use that information for what software to *avoid*.

Joel Spolsky (the "Joel on Software" guy) advocates never throwing out the code and starting from scratch. Perhaps that's true in most cases, but not with BIND and any BIND derivatives.

IIRC the ISC tried that with BIND 9. Supposedly a rewrite, but I've read opinions that they imported a lot of the old code anyway. It doesn't really matter.

Sometimes you have to lose the old mindset and start with fresh eyes and a new attitude. Go back to basics and follow the KISS rule. DJB, whether you like him or not, did just that.

Part of the problem holding people back is the attitude that they need to retain all the old obscure features. I'm not interested in having a supposedly 'secure' way of transferring zone data when it becomes another vector for attack. I'll take good old ssh/scp, thanks.

Another BIND example I vaguely remember is it had lots of cool ways of logging information. Channels I think it's called. Wow, I could log various events (even security!) to different channels and different files... whatever. Having a secure DNS server in the first place removes the need for a lot of that crap. And seriously, do people actually view their logs to see who is querying their DNS server for what? It's masturbation that ranks up there with caring about who pinged you.

Whether you choose djbdns or an alternative doesn't matter. Just get something with a good security track record that moves away from the old (broken) model. Not to mention using software from a company, ISC, that has some bizarre disclosure policy of revealing fixes to paying clients first, then to the great unwashed 30 days later. I don't know if they still do that, but c'mon, that's a first clue there is something seriously wrong.

I honestly think BIND users are seriously misguided. How many times do you have to poke a stick in your eye before you stop? It was Marcus Ranum that first wrote about the idea of "not playing catch-up" with patches many years ago, and it's not just BIND he or I are referring to.

What a load of bullshit.

I don't know about you, I just want to sleep at night not worrying about any exploit du jour, and that definitely includes BIND.

Let me tell you how to update djbdns fast:

1. ssh to your slave.
2. scp your 'data' file.
3. run 'make'

You're seriously going to be a BIND apologist because you can't take 30 seconds to ssh/scp a file?

If you find yourself making DNS changes so often that this is a problem, take the time to automate it and focus on what you're doing, not going down some shit-happy path towards Kerberos enlightenment. Or figure out why you have to keep changing DNS records so often and come up with a better method.

I don't give a rat's ass about all the extra bells and whistles that BIND offers. If you don't need 'em, leave 'em. Simplicity is good for security. I just want my servers to answer queries, and not get DoS or hacked.

djbdns users are laughing at you right now. Yet another BIND problem, whether it's serious or not, and you're all in a tizzy to get the patch. How many times have you walked this path in the last 9 years? It's > 0. How many times have djbdns users worried about the latest patch for the latest problem? Exactly zero.

As for your last point, explaining to your boss, try this one:

10. Explain to your boss that you're not working on 'your project' because you're busy pissing around patching software that has a piss-poor security track record in a critical role. And that you must always be on the watch for patches. Then performing the patches/upgrading the software. Lather, rinse, repeat.

I guarantee that you spend more time patching your BIND crap (and worrying about it) than I spend scp'ing a file.

Sleep well.

..so I'm going to go out on a limb that some version of Linux is going to get mentioned.

Why are we even talking about this? The prof was either a complete idiot (and should put his Ph.D. back in the cereal box he got it from) or intentionally broke the law as some act of defiance. What is unclear? He knows he's working on a "secret" project used by the military. He probably got told 6 ways through Sunday he can't talk about it. And he goes to jail because he did what he was told to not do. To say he should not get jail time, or that he's from an academic world, defies logic and COMMON SENSE. Gee, this is a secret military project, I think I'll not only take the data/laptop to China, but I'll share it with Chinese and Iranian students. Gimme a break. It makes no sense. It's much more likely, IMHO, that he was giving a one-finger salute to the US. Even if he weren't, he's a moron, and ignorance of the law is not a valid defence.

Cite your source! I couldn't find it on Wikipedia so it can't be true.