lack of EDNS support is a potential problem
"Potential" being the operative word. Truncated DNS packets still have enough information in them to answer DNS questions, and the only time I've really seen truncated packets is with some of the byzantine DNS packets Yahoo has.
DNSSEC support is critical
But not critical enough for someone to send me the money to make DNSSEC happen with MaraDNS: http://maradns.org/products.html It's really the same problem IPv6 has: All kinds of geeks talk about how great it would be if IPv6 were everywhere, but they don't put out the money for IPv6 to happen more quickly.
It's still possible to resolve domains and surf the web without DNSSEC. I know: MaraDNS 2.0 (Deadwood) is being used to resolve Slashdot.org (and all the other places I go) so I can make this posting. Yes, there are issues with someone with a packet sniffer forging DNS packets on the same network, and I do agree DNSSEC is needed on a larger network with infected machines, and is needed for a DNS server that calls itself secure, but it is working for me right now.
(For sites where forgery is a real problem, such as online banking, I use a special virtual machine and make sure the HTTPS certificate is kosher)
DNS resolvers should not be usable by the world.
Google, OpenDNS, and heck, Level3 disagree with you. That said, I mostly agree: That's why there are no examples in MaraDNS' documentation showing how to make a recursive nameserver globally resolvable, and why it has never been a default configuration in Mara.
Any DNS server that provides recursive DNS ought to not simultaneously provide authoritative DNS from the same service, or from the same IP.
That's the design MaraDNS 2.0 has: I removed the recursion from the "maradns" daemon and completely, from scratch, reimplemented recursion in a separate daemon, which has to run on a separate IP. Not one line of code is shared between the two.
I fully expect any government or corporate grants will go towards DNS server implementations that are more widely used
I understand your sentiment, but, software monoculture is a bad thing and software diversity is a good thing.
When DNS first showed up in the 1980s, there were a number of different implementations. By the time I started MaraDNS 12 years ago, there was only one usable open-source DNS server out there. When I finished MaraDNS, there were five or six (depending on whether Unbound/NSD counts as one or two) different actively maintained significant open-source DNS servers out there. That number has since gone down (none of the djbdns forks came out with a release that fixes CVE-2012-1191). I hope that number continues to be higher than one.
An attitude of "let's only support one DNS server" can return us to the world of a DNS monoculture. EDNS, DNSSEC, and all of these extensions to DNS do not help.
While I disagree with DJB on a lot of things, I understand why he rejected DNSSEC and proposed DNSCURVE: He wanted to keep DNS simple, to keep DNS something that a single talented developer can implement in their spare time.
For better or for worse, DNSSEC won, and now DNS is no longer can practically be implemented by a one-man show any more.
I agree PowerDNS is a good choice, especially for people who want a database back end, but I'm disappointed it took them over a year to patch CVE-2012-1193 (which only affects the recursor).
not to discount MaraDNS, but it seems like a dead-end
You know, I tend to agree with you. Software has a lifecycle, and MaraDNS is probably near the end of hers. I still will fix bugs, and I will still make sure MaraDNS is usable on the internet for the foreseeable future, and as IPv6 slowly becomes the norm, I will probably make sure Mara is still usable with all of IPv6's changes (IPv6 has been implemented but not fully tested). But, without DNSSEC, EDNS, and whatever else they throw in the DNS kitchen sink, MaraDNS will probably become more and more dated as the 2010s go on.
But, you know, I made my mark on the world and I made my contribution to open source. I'm very proud of what I did, and how I was a big part of breaking the DNS monoculture of the early 2000s.
What's your mark on the world? What can you point to and say "I made this, this is what I have contributed to this planet"?