You know, you're not the first person who wants me to do all kinds of work and doesn't want to pay me, and you won't be the last one.

I have blogged about this before, and it comes down to this: If you want to be treated like a customer of MaraDNS, you first must become a customer of MaraDNS.

If you don't want to pay me money, you have the source code. You are free to either submit patches (which I would gladly host), or to make your own fork of the code.

You would be a more productive person by "lighting a candle" -- either paying me or by submitting patches -- than by "cursing the darkness" -- complaining that open source developers are not at your beck and call.

I would hardly call calling a single program bundled with MaraDNS before running it the first time a "stupid convoluted hoop", especially when said program is run by the built-in install.bat script and requires no user-interaction to run.

But, hey, if you would rather have CryptGenRandom() in the MaraDNS and Deadwood binary itself, show me the money and we'll talk.

I no longer implement features just because some anonymous identity on the web wants it, but money talks. Please discuss rates with me in private email before paying me.

While there pretty much isn't anything out there -- besides Windows -- without /dev/urandom, MaraDNS' Deadwood has a built-in default random "magic hash number" that changes for each and every point release of Deadwood.

On Windows, Deadwood includes a program for creating a random entropy pool file which is run when running the Deadwood install scripts. Deadwood will, by default, complain if it doesn't find that entropy on Windows.

You know, I knew this issue would come out of the woodwork one day; I went to some bother to have a randomized hash compression function for MaraDNS 2.0's recursive resolver (Deadwood).

From the relevant man page (this part was last updated in September of 2010):

To protect Deadwood from certain possible denial-of-service attacks, it is best if Deadwood's prime number used for hashing elements in the cache is a random 31-bit prime number. The program RandomPrime.c generates a random prime that is placed in the file DwRandPrime.h that is regenerated whenever either the program is compiled or things are cleaned up with make clean. This program uses /dev/urandom for its entropy; the file DwRandPrime.h will not be regenerated on systems without /dev/urandom.

[...]

If using a precompiled binary of Deadwood, please ensure that the system has /dev/urandom support (on Windows system, please ensure that the file with the name secret.txt is generated by the included mkSecretTxt.exe program); Deadwood, at runtime, uses /dev/urandom (secret.txt in Windows) as a hardcoded path to get entropy (along with the timestamp) for the hash algorithm.

Personally, I think it this is a pretty obvious attack to think of when designing a hash compression function.

Sorry to be completely off-topic, but you once mentioned on Slashdot that you stopped using MaraDNS because Unbound is more snappy for you.

I encourage you to join the MaraDNS mailing list and become an active member of the MaraDNS community. I have been able to get some funding to work on some of MaraDNS' slowdown issues you have complained about.

If you could become a part of the MaraDNS community, you could help us by giving us constructive bug reports where you see MaraDNS 2.0's resolver acting more slowly than Unbound resolver. Indeed, I got reports from over a year ago about Unbound being faster and did fix some bugs which were slowing down its recursive resolution; I closed the bug when MaraDNS was as fast as Unbound on my internet connection.

- Sam

Your information is out of date; I completely, from scratch, rewrote the recursive code of MaraDNS starting four years ago with far cleaner code.

That code was declared stable over a year ago and looking at its source code won't make you blind.

- Sam

Please stop spreading FUD. There have been 0 remote security holes discovered in djbdns.

Please lay off the crack, wake up, and smell the coffee. This kind of denial is flat-out dangerous.

I have a blog entry detailing the three security holes in djbdns and DJB paid the $500 security hole prize for djbdns years ago.

The most dangerous hole in an unpatched djbdns 1.05 install is the TCP "packet of death" that forces dnscache to restart (since SIGPIPE isn't caught by dnscache). I really should file a CVE for that security problem.

There is also CVE-2008-4392 as well as CVE-2009-0858; more information is in Debian's security page on djbdns.

Don't get me wrong, djbdns is an excellent DNS server. Unfortunately, it hasn't been updated for over 10 years and, since then, three different security holes have been discovered the djbdns package, the root server list has been updated, errno has been changed to make Linux more thread safe (requiring a patch to compile it), and so on.

djbdns can work -- but it requires patching by hand or using an unofficial fork like Zinq (which appears to still be supported -- the last release was done this year).

(I can also murmur darkly about the fact that djbdns uses a circular queue instead of a LRU for its cache, its lack of a Windows port, its need to use external helper programs to configure the server, etc., but, then again, its core recursive binary is even smaller than MaraDNS 2.0's tiny recursive binary. And three security bugs in the last decade is better than the 13 security issues in MaraDNS I have had to patch against.)

And, of course, there is Power DNS, another excellent DNS server.

Then again, there's something to be said for being able to set things up using only a three-line configuration file and a 64k binary works nice for embedded places like OpenWRT where Unbound and PowerDNS won't fit.

- Sam

Mod parent up! :)

Seriously, people here love to talk about how the "new economy" makes it possible to remove "artificial scarcity" and make it so everything is free.

What these people ignore is that, even if it costs no money to copy something, it still costs money to create something. There is still, in this "new economy", the very real economics that the majority of content people use (Computer programs, movies, music, television programs, written articles, etc.) is content that would not exist if someone wasn't being paid to make it.

I enjoy reading all of the articles on the New York Times' front page every morning, and understand I soon may need to pay for the privilege of reading the quality journalism and writing the the NYT offers.

Now, I'm sure someone will point to open source software and say "Mr. MaraDNS, you don't know about open source software and how this proves that we can have all the compelling content we want for free in the 'new economy'". I will point out to people who think like this that I am, in fact, a developer of open-source software.

People who think open-source software (OSS) makes it possible for all content to be free don't understand how OSS changes the relationship between the developer and the user. A lot of people think an OSS program is like a commercial program, but free, and that they can ask for features or get support for free, and it gets pretty tiring to have people email me asking for free support, even though I make it clear that I don't provide free email support for my program.

The thinking behind OSS is that I donate some of my coding time and effort to the greater community. In return, people are free to contribute bug fixes or improvements to the program, or supply support on the mailing list. For example, someone wanted better IPv6 support, supplied patches, and now MaraDNS has good IPv6 support. Another person wanted better Windows service support, and supplied patches to make MaraDNS' new recursive core be a full Windows service. Other people answer user's questions on the mailing list or translate documentation. Webconquest very generously provides me a free Linux shell account and hosting for the web site.

Likewise, I found an OSS Doom random generator I liked and provided bug fixes and improvements to it; when I lost interest in it, another person became the maintainer and improvements continue to be made even though I no longer work on that code. And, there is a Free Windows Civilization clone for Windows which I have provided a bug fix and extended the documentation with.

OSS doesn't mean we have the right to demand all content be free or are justified in pirating media and software. OSS means that we can, together, make free content which complements the for-pay content out there.

Putting closure on a software product is important.

Professional software usually has an EOL schedule. For example, RedHat Enterprise Linux and Windows XP both have EOLs for early 2014. This allows people using the software to plan upgrades and know when they need to be making a transition.

This is equally as important for open-source software. It looks really bad when this is not done. For example, Dan Bernstein's DjbDNS software package has three unpatched security holes. People using this software have to know about these holes and apply third-party patches.

In addition, when the maker of an open-source program says "OK, I'm done with this program.", it allows maintainers to step forward and take over the project. For example, when I announced I would no longer work on a Doom random map generator I had been hacking on for a while, someone expressed interest in maintaining the software, and subsequent updates have since been done.

I think the Apache foundation should either say "OK, we'll still fix security bugs on this program" or "We're no longer maintaining this release". This way, the users of these programs know whether to upgrade, form their own group applying security patches, or just know they're OK from a security prospective if they're current.

I have blogged about putting closure on open-source projects and have well defined EOL dates for older releases of my own MaraDNS.

A lot of open-source projects just languish when the developers lose interest; I feel this is irresponsible and feel EOL dates and putting closure is important.

Opera/Firefox (whichever has a newer version that still supports 98)

That would be Opera. Firefox, as of Firefox 3, no longer supports Windows 98 (this caused a lot of grumbling on Firefox's support forums), but the latest Opera happily runs on Windows 98.

I can also write my own apps for it in Delphi7 (Delphi does not work on Linux)

If you're an old-school Delphi programmer, you might look in to Lazarus. It's 95% Delphi, but FOSS software.

While I'm mainly a C programmer these days, I've quite impressed with Delphi: There is an excellent tiny little Civilization clone, C-evo, out there written in Delphi (that fits on a single floppy if you remove the sounds and 7-zip compress it), as well as a free (beer) office suite called SSuiteSoft.

I like the way you prioritize, but I'm not sure your girlfriend would agree :P

Looking for a girlfriend means meeting girls on dating sites and flirting with them on MSN while I'm bored at work. Having a girlfriend means working on geek projects while I'm bored at work and my girlfriend isn't online. I don't think she would appreciate me flirting with other girls. :)

For single Slashdot geeks: I found her at Tagged playing a flirting game called "Meet me", getting MSN emails from girls who expressed interest, then getting to know girls on MSN until I got their phone number, and finally meeting them in real life and dating them until I got one who I had real good chemistry with. It was about eight months of work.