
Bind 9.0.0 Final Released

Eric Sun writes "After numerous release candidates and betas, the final stable release version of Bind 9 has been released. Looks like the homepage hasn't updated yet, but you can get a list of download servers from its page at Freshmeat."
  • Is there a LIND (Linux Internet Name Domain)? Or is DNS Linux's version of LIND?
  • by MrHanky ( 141717 ) on Saturday September 16, 2000 @08:38AM (#774355) Homepage Journal
    Any new rootholes for us to exploit, or will it be just the same, old, boring stuff?
  • Are they ever going to merge some of the features between BIND 4 and 8 (does this?)? I mean, doing DNS from a MySQL database is very cool, I had just always hoped that they would put that feature in 8 eventually.
  • by linuxci ( 3530 ) on Saturday September 16, 2000 @08:39AM (#774357)
    There's a DNS Tutorial by Jim Reid of Nominum, the company responsible for the official support of BIND. I assume he'll be mentioning the changes in BIND 9 at this event.
  • by Shoeboy ( 16224 ) on Saturday September 16, 2000 @08:41AM (#774358) Homepage
    This is not "news for nerds" nor "stuff that matters."
    Can't we please only get updates on important software.
    It's not like bind holds the entire net together or anything.
  • by Anonymous Coward on Saturday September 16, 2000 @08:43AM (#774359)
    I gave up on bind a while ago. Certainly some folks need its features, but for most of us, DJB's dns package should be powerful enough, plus it's faster and more secure.
  • I think you're horribly confused.
    • DNS is a protocol
    • BIND is a program (daemon actually) that fulfills the DNS protocol.
    • BIND is the dominant name serving daemon in the *nix environment.
    There isn't (and shouldn't be) any Linux specific name serving daemon. Hope that clears a bit of it up.
  • So there is a BIND daemon in Linux?

    You'll have to excuse me. I run my Linux box as a client. Never had a need to run it as a DNS server...

  • BIND runs on Linux, it runs on Solaris, it runs on damn near every OS I've ever run across.
  • by MattW ( 97290 ) on Saturday September 16, 2000 @08:47AM (#774363) Homepage
    I'm sure glad we have a nice fresh version. It's been so long since I've had to patch my BIND, this sure will be exciting.
  • Put me down for 1.5 weeks.
  • I was able to find ISC's plans for BIND 9, but not any release notes - anyone made them available online yet?

  • Well, that was a fairly rambling and pointless post. Thank you.

    In answer to your question: I care. I find it interesting that the program that runs most of the DNS for the Internet has hit a new major version number after being in 8.x since 1997. This is stuff that matters.
  • Actually, it does.
  • Sigh. Whoever moderated this post as a troll either lacks a fundamental sense of humor, or (more than likely) just doesn't understand what BIND is...

    For the record: Yes, it is news for nerds, it is important software, and BIND quite literally does hold the net together.

    Shoeboy's post wasn't a troll, it was a fairly good parody of the "Why was this article posted?" trolls.

  • umm... actually, the daemon is "named". BIND is a package that includes named as well as a resolving library and some other tools (like nslookup).

    You probably knew that; I'm just posting to clarify for those who don't.

  • and more reliable. bind 8 on linux sucked rocks, dumped core all of the time. djbdns/tinydns is great.
  • I know it's expensive; these things normally are, due to the following reasons:
    1) The cost of a venue - London venues are expensive
    2) The cost of the speaker
    3) The cost of promotion / expenses

    These events are the sort of thing that you get your company to pay for if you're working, the whole choice of venue is chosen to keep the bosses happy. If we had a cheap venue the average narrow-minded boss would think this isn't going to be any good and is not going to shell out for it. These events are only designed to cater for small numbers of delegates so the chance to ask individual questions is there.

    If this event was run by a commercial organisation rather than a non-profit org (the UKUUG) then the prices would be even higher, we just aim to cover costs and believe me they're expensive.

    Prices in London for a decent venue are a rip off compared to other places in the UK.
  • I believe that Digital Forecast posted them; check the "New Software Releases" category.
  • As a matter of fact, it does, and I am thankful that bind was around ever since the net was made.

    In my opinion, is easier to remember than its IP address, and that is thanks to bind.
    But of course, maybe would you rather see [] News for Nerds. Stuff that matters. Or write your email address as drhelpful@ [mailto]?

    Come on. Be thankful that bind is around, and respect your elders.

  • So, basically, YHBT, YHL, HAND.

    Shoeboy (currently?) is a troll. Apparently, as a protest to the 50 karma barrier, he is attempting to lose karma by posting trolls. (Actually, I guess his karma is currently ~125, so he's trying to get it down to "normal.") Taking a peek at his User Info I'd say he's failing right now. But I wish him luck - I'd like to be able to get karma above 50 like Signal 11 and FascDot Killed My Pr. The curse of the newbies.... never to get 3 digit karma...

    Maybe I'll have to bid on FascDot Killed My Pr's account over at e-bay...

  • by aozilla ( 133143 ) on Saturday September 16, 2000 @09:16AM (#774375) Homepage
    According to the ISC Bind plans, "Support for alternative back end database" is part of Bind 9. I hope that means I can add a MySQL database backend, and cgi the whole thing.
  • by stab ( 26928 ) on Saturday September 16, 2000 @09:18AM (#774376) Homepage
    I'm hoping BIND9 is a complete, utter rewrite, with no code from BIND8 still remaining.

    If it isn't, then it's way way too late - switch to Dan Bernstein's djbdns instead. Read the security guarantee and weep in relief. Notice the exceedingly small memory footprint. The lack of core dumps. That you can get rid of AXFR completely and just use rsync+ssh to transfer to your secondaries.

    Check out [] which has migration tools from BIND which I'm playing with atm.
  • by alteridem ( 46954 ) on Saturday September 16, 2000 @09:22AM (#774377) Homepage
    This is good news for large domains as it adds some great features for servers servicing many requests. Bind 9 is now:
    • Thread safe so it can run on multi-processor machines
    • Plugs into several back end databases so it will be easier to support large domains
    • Support for IPv6. The future is nearly here!
    • Several protocol enhancements like IXFR, DDNS, Notify, EDNS(0,1) and improved standards conformance.
    • A host of other features; see this for more.
    This is a major rewrite and may contain a host of new security problems, but it is a step in the right direction and I will definitely be looking at it to manage my larger domains.
  • Found 'em - ISC has the release notes up now. They also have the BIND 9 Administrator's Reference available as a pdf; though it looks like the same docs come with the distribution in html & man format.

  • by jlj ( 141473 ) on Saturday September 16, 2000 @09:25AM (#774379)
    I recently changed from BIND (the Buggy Internet Name Daemon) to D. J. Bernstein's DJBDNS. It's a very modular, robust and not to mention secure replacement for BIND. He's got a security guarantee as well. He offers $500 to the first person who reports a verifiable security hole.

    So instead of worrying about the next serious security hole in BIND, replace it with DJBDNS and make your server a lot more secure.

    Homepage: []

    For OpenBSD users: cd /usr/ports/net/djbdns; make; make install
  • by Anonymous Coward
    For all of those who are worried about the IP shortage with the current (IPv4), this is extremely good news. BIND 9 implements IPv6 which should solve the IP shortage for the foreseeable future. The 2.4 kernel will also support IPv6. So this is very good news for the growth of the internet.
  • Yeah, I know he's trolling... this particular post, though, didn't have the same flavor as his other trolls; unless he was trolling for clueless moderators, in which case, he was apparently successful.

  • No mention on the homepage eh? Wouldn't it be great to release a fake version with a bunch of exploits and call it 9.0? ;-)

    kinda like pkzip 3.0 and Thedraw 5.0, back in the day ... they also did it with a version of NAV, and I'm sure many others

    just a thought

  • Hopefully it has better security than the other BINDs, which, from numerous comments I've overheard, is notoriously prone to exploits. Does anyone know what functionality has been added to this release, or is it mostly bug fixes and stability improvements? Also, any word on the OpenBSD ports of BIND?

    By the way, Eric Sun, who submitted this story, runs a great domain registrar called Alphapython. I can't even begin to express how happy I've been with their service, and their pricing is great, too. If you get a chance and need high-quality, affordable domains, check them out.

  • Entirely true. This is one of the biggest things that was missing so far.
    What's the use of an IPv6 address when most of your apps, let alone the DNS, cannot handle them?! =)
  • Of course, we can all see that sarcasm tag surrounding that whole post, right? ;)
  • the 50 karma barrier

    When did that start? Why? Did I miss a meeting?

  • There is also good news for those with a smaller number of domains.


    this allows one daemon on one server to present different data to different groups depending on where the request comes from.

    if request is from internal reply with www=
    if request is from external reply with www=

    the config file would look something like this (each view block closed with its own "};")

    view "internal" {
        match-clients { localhost; localnets;; };
        recursion yes;
        zone "." { type hint; file "root.cache"; };
        zone "" { type master; file "named.local"; };
        zone "" { type master; file ""; };
    };

    view "external" {
        match-clients { any; };
        zone "" { type master; file ""; };
    };

    This is _very_ cool! If you run two name servers (master and slave), before you would actually have to run four servers: two for 'internal users' and two for 'the world'.

    Christopher McCrory
    "The guy that keeps the servers running" - The Smart Place to Start Your Shopping

    "Linux: Because rebooting is for adding new hardware"
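The view selection the post describes, as an added Python model and not code from BIND or from the post: it walks the views in configuration order, applies BIND's address-match-list rules (the first matching element decides, and a matching negated element denies), and answers from the first view that accepts the client. The zone name, the addresses and the 10.0.0.0/8 element are constructed, the expansion of `localnets` to 192.168.1.0/24 is an assumption, and `recursion` is set explicitly on both views because named's default is `recursion yes`.

```python
"""Model of BIND 9 view selection (split-horizon DNS).

Added illustration, not code from BIND or from the post: named tries the
views in configuration order and serves the client from the first view
whose match-clients list accepts it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: the networks on the server's own interfaces, which is what
# the built-in "localnets" ACL expands to (constructed for this example).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class View:
    name: str
    match_clients: List[str]      # same element syntax as named.conf
    recursion: bool               # named's default is yes; be explicit
    zones: Dict[str, str] = field(default_factory=dict)   # qname -> A record


def acl_element_matches(element: str, client: IPAddr) -> bool:
    """Evaluate one (un-negated) match-clients element against a client."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        # BIND's localhost means every address of the server itself;
        # simplified here to the loopback range.
        return client.is_loopback
    if element == "localnets":
        return any(client in net for net in LOCAL_NETS)
    # otherwise a literal address or prefix such as "10.0.0.0/8" or "192.0.2.1"
    return client in ipaddress.ip_network(element, strict=False)


def acl_allows(elements: List[str], client: IPAddr) -> bool:
    """BIND address-match-list semantics: the first element that matches
    decides, and a matching negated element ("!10.0.0.0/8") denies."""
    for element in elements:
        negated = element.startswith("!")
        if acl_element_matches(element.lstrip("!"), client):
            return not negated
    return False  # no element matched: the list does not allow the client


def select_view(views: List[View], client: IPAddr) -> Optional[View]:
    """First view (in config order) whose match-clients accepts the client.
    Order matters: a view with { any; } placed first shadows every later one."""
    for view in views:
        if acl_allows(view.match_clients, client):
            return view
    return None


def answer(views: List[View], client_ip: str, qname: str) -> str:
    """What the server would hand back for qname to a client at client_ip."""
    client = ipaddress.ip_address(client_ip)
    view = select_view(views, client)
    if view is None:
        return "REFUSED"           # no view accepts this client at all
    if qname in view.zones:
        return view.zones[qname]   # authoritative data as this view sees it
    if view.recursion:
        return "RECURSE"           # this view resolves it on the client's behalf
    return "REFUSED"               # not our zone and no recursion in this view


# Constructed views mirroring the post: the same www name is answered with a
# private address for internal clients and a public one for everyone else.
INTERNAL = View("internal", ["localhost", "localnets", "10.0.0.0/8"], True,
                {"www.example.com": "192.168.1.10"})
EXTERNAL = View("external", ["any"], False,
                {"www.example.com": "203.0.113.10"})
VIEWS = [INTERNAL, EXTERNAL]

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.50", "10.9.8.7", "198.51.100.7"):
        print(ip, answer(VIEWS, ip, "www.example.com"),
              answer(VIEWS, ip, "slashdot.org"))
```

Swapping the order of VIEWS makes every client match "external" first, which is the mistake to check for when adding views to a live config.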

  • Shoeboy (currently?) is a troll.
    Actually I'm just a jackass. I participate in the troll forums because they have intelligent discussions there. I'm certainly not in the same league as em, 80md, er or jsm.
    I'm more of a prankster.
    Apparently, as a protest to the 50 karma barrier, he is attempting to lose karma by posting trolls.
    I am protesting nothing, I'm just treating /. as a toy rather than as a community. Most long time readers have this attitude. Taco certainly does.
    (Actually, I guess his karma is currently ~125, so he's trying to get it down to "normal.") Taking a peek at his User Info I'd say he's failing right now. But I wish him luck -
    Oddly enough karma has frozen again - so I'll be stuck at 62 until taco unfreezes it. I don't care what my karma is, I just like to post "Moderate this down - I need to lose 15 karma points by midnight" stuff to mess with people's heads and entertain them. Judging by the moderations I get, it seems to be working.
  • by jd ( 1658 ) on Saturday September 16, 2000 @09:41AM (#774389) Homepage Journal
    • DNSSEC is a reality! (Well, it would be, if anyone else used it...!)
    • No resolv.h file! (This means ALL network code that's out there will need to be re-written to use the new resolver, which is NOT backwards-compatible.)
    • LOTS of libraries! No more simple -lresolv, or -lbind. Instead, you're faced with -ldns, -lisc, -llwres and -lowrapi. NONE of which are shared. They're ALL static.
    • Headers are split up into 3 or 4 directories, now. Time to get out the road map.

    The Internet needs a powerful name server and name resolver, but USEFUL tools don't use structure to obscure the content.

  • Well, as far as I can tell the two biggies are IPv6 support and Dynamic DNS, although they do have something called IXFR listed - anyone got any idea what that might be?

  • Nah, it's not frozen (at least not tonight) - I lost another two points to karma "half-life" decay today (down to 65 now... almost there!)

  • by ChuckRoast ( 30568 ) on Saturday September 16, 2000 @09:52AM (#774392) Homepage
    The official Bind 9 page is written, just not linked, yet.
  • by Dionysus ( 12737 ) on Saturday September 16, 2000 @10:03AM (#774393) Homepage
    Plus, most home users don't need a full-fledged dns server. They just need a dns cache, which dnscache does well.

    If you want dns server, go for tinydns.
  • If by OpenBSD "ports" of BIND you mean code auditing, then no.

    Apparently BIND is just "spaghetti" code, and the last audited BIND was 4.9.7. As you can probably imagine auditing such a mess would be awfully time consuming.

  • Yargh, that's what I thought. Ah well... I was kind of hoping that eventually there would be a BIND re-write, but evidently not. It would probably take less time than an audit, ironically.
  • IXFR is incremental zone transfers. Instead of transferring the entire zone every time it has been updated, the slave will just pull the diff, so to speak. Real handy feature that.
  • by MSG ( 12810 ) on Saturday September 16, 2000 @10:12AM (#774397)
    I moderated you up, but now I have to post a correction to your statement. sorry : )

    I haven't actually compiled Bind 9 yet, but the page at says "To build shared libraries, specify "--with-libtool" on the configure command line.", so it seems you're inaccurate on one point.
  • The Question here is, will BIND 9 be secure enough to be included in OpenBSD? OpenBSD still uses BIND v4 due to the security issues with the later versions.
  • A gentle flame: I'm sure your tutorial (which is, I gather, britspeak for "seminar" or "class") is worth the cost of admission. However, an announcement for it is really not appropriate for Slashdot. Your news is only of importance to people who are able to travel to London just to attend a class. That probably doesn't describe more than a tiny fraction of the people who will see your post. I won't use the S-word, but some people would.

    A less abusive way to publicize your class is to take some of the materials and put them on the web. This web page would be universally useful (and thus linkable) and is a legitimate place to advertise your product.

    While we're on the subject, if every Slashdotter would please briefly visit [], I'll be able to retire three years early. Thanks for your support.

  • Thanks.

  • linux is just the kernel.

    however, every linux distro (RedHat, Mandrake, Slackware, etc.) that I know of uses the "named" daemon that is in the "bind" package to serve the DNS protocol.

    You say you've never had a need for it... It's pretty handy to be able to define your own names and to rename things that you want to rename. try it.

  • Hooray! Chalk another one up to the standard-makers of the day! BIND is in the ranks of some of the more renowned software ever: sendmail, vixie cron, wuftpd, telnet, and finger. All are masterful achievements of software engineering.

    Oh, wait... That's damning, isn't it?

  • Well, actually DNS wasn't invented at the same time as "the net". The early days of the internet used a shared hosts.txt file that everybody downloaded periodically.
  • djbdns is all fine and dandy but:

    * Anyone with a security guarantee is smokin' something
    * Yes, djbdns doesn't do AXFR/IXFR transfers. Yes, that'll increase security. But goodbye to interoperability with someone who doesn't use djbdns.
  • The problem with djbdns is that Dan doesn't care about standards, and ignores them when he doesn't like them. AXFR/IXFR are RFC standards, and he makes it "optional". rsync+ssh doesn't work if you want to do zone transfers between, say, djbdns and bind. djbdns turns off TCP queries by default. Standards are about interoperability. Dan just doesn't care.

    This is the topic of recurring flame wars on the dns-bind list, and I don't want to start it here. But do note that djbdns is not a drop in replacement.

  • You are wrong about AXFR. See

  • This could be extremely useful. IRC anybody? If the DNS server only resolves the real IP to the irc servers, couldn't this prevent stupid skript kiddies? Woot.
  • OpenBSD runs it as user 'named' by default...
  • The problem with djbdns is that Dan doesn't care about standards...

    Dan says the same thing about BIND. <shrug>

    AXFR/IXFR are RFC standards, and he makes it "optional".

    They are optional with BIND, too. But they are enabled by default. Most people don't need 'em.

    djbdns turns off TCP queries by default.

    No it doesn't.

    This is the topic of recurring flame wars on the dns-bind list, and I don't want to start it here.

    Yes you do, otherwise you wouldn't have posted about it.

  • DNSSEC is a reality! (Well, it would be, if anyone else used it...!)

    You mean if NSI/ICANN would deploy it, and setup a secure channel for collecting keys from domain registrants.

  • and more reliable. bind 8 on linux sucked rocks, dumped core all of the time. djbdns/tinydns is great.

    BIND 8 is quite stable. Sounds like you were getting stack smashed to me.
  • > > djbdns turns off TCP queries by default.

    > No it doesn't.

    What about this FAQ: How do I answer TCP queries? Why does tinydns answer only UDP queries?

    It sure looks like it is off by default according to the author.
  • Dan also has a lengthy rant on why CNAMEs are stupid, and why his server doesn't support them.

    He's a great programmer, shame the elevator doesn't go all the way to the top.

  • Why are you moderating and posting to the same thread?
  • I remember this. It was ADMROCKS though, not AMDROCKS. I got hit by this. I had so many friggin ipchains rules on my nameserver that they couldn't do a damn thing with it. They appended telnet onto the end of inetd.conf and added a couple of user accounts. But never added an ipchains rule to allow all, so they couldn't telnet in to do anything.

    I sat and watched them play around with it for about 2 hours before I blocked their IP, upgraded bind, and chrooted it. Gotta love snort.

  • Err, no - it's completely modular, so if for some reason you want tcp queries, you run axfrdns (as it says in the FAQ you kindly linked to)
  • by stab ( 26928 ) on Saturday September 16, 2000 @12:41PM (#774417) Homepage
    djbdns does have IPv6 support, thanks to patches by Felix von Leitner - get them from []

    IXFR is an incremental method of zone transferring, which is completely useless if you use something like rsync and ssh. djbdns stores all of its zone data in a highly efficient CDB file. All you have to do to update your secondaries is to push the CDB file out. If you use rsync, then only the differences get pushed, the file gets updated atomically, and you're laughing.

    If you use djbdns consistently, you have absolutely no need whatsoever for AXFR or IXFR. If you do secondary with other BIND servers then you'll need to run an AXFR process, unfortunately.

  • BIND9 was committed today into OpenBSD's port tree. Note that the port tree is _not_ audited, but provided as a convenient method of installing third party software.

    OpenBSD comes with BIND4, which has been audited. BIND8, djbdns, and BIND9 are available in the ports tree.
  • Too bad if you want a bind server to secondary you, you're screwed.

  • Dan also has a lengthy rant on why CNAMEs are stupid, and why his server doesn't support them.

    Try running the software instead of judging it just from the author's rants. djbdns fully supports CNAME records. DJB simply does not provide a command line utility for adding them, like it does for A, NS and MX records. Big deal. The utilities are provided as a quick-start for newcomers.

    Here is the small list of things djbdns does not support, but BIND does:

    1. HS class records. Aww, they can't use it at MIT to service Athena's DNS. Bummer.
    2. CHAOS class records. Aww, the script kiddies can't query my server to find what version I am running. Bummer.
    3. IXFR. OK, this is a real bummer for some people. But not many. Be happy with BIND then.
    4. DDNS. Bummer for mostly the same people who need IXFR. So run BIND.

    There are some other esoteric BIND features missing from djbdns, but simplicity is one of djbdns' features. It was never meant to be a replacement for BIND, so criticizing it for not being a drop-in misses the point. I simply don't care about the missing features, djbdns meets my needs, and in my environment, it does many things better than BIND, or at least allows me to more easily and securely support the things I need to do. I think it would for a lot of people, too.

  • The security guarantee is limited to $500, and is only given to the first party to find a security hole. So far, it's gone unclaimed. Is there any kind of security guarantee for BIND v9? Do the authors trust their software as much as Dan does?

    djbdns doesn't do AXFR transfers. You have to run the included axfrd to serve AXFR, or run axfr-get to retrieve records using AXFR.
  • Too bad for your objection -- djbdns actually *does* support cname records. It just doesn't encourage them.
  • djbdns contains two programs: an authoritative server, and a caching server. The authoritative server does not answer TCP queries because it never serves up records that require TCP queries. The caching server will issue TCP queries if needed.
  • Yes, support for AXFR is optional. If you want to use it, you have to actually go to the effort of installing it. Gasp!
  • "The 2.4 kernel will also support IPv6."

    Hey, Solaris has supported IPv6 for a coupla years now. What's taking you folks so long? =P

  • Moderate this guy up . . .

    Try running the software instead of judging it just from the author's rants. djbdns fully supports CNAME records. DJB simply does not provide a command line utility for adding them, like it does for A, NS and MX records. Big deal. The utilities are provided as a quick-start for newcomers. There are some other esoteric BIND features missing from djbdns, but simplicity is one of djbdns' features. It was never meant to be a replacement for BIND, so criticizing it for not being a drop-in misses the point.

    Alright, my bad. I sure thought i had read somewhere that it simply couldn't serve them up.

    That's OK tho. There are plenty of other things wrong with djb software. like the licensing, and the attitude.

  • by icqqm ( 132707 ) on Saturday September 16, 2000 @01:30PM (#774427) Homepage Journal
    Having an updated BIND is one thing, but we'll still have to wait for them to update GAG to 9.0 - hopefully both will have Gore and Bush support.
  • See subject.
  • Hmmm that's odd - my 2.2.17 kernel has this option:
    < > The IPv6 protocol (EXPERIMENTAL)

  • Can I expect that my relatively-simple chrooted named setup will be a simple upgrade? I can't really afford to screw around with my name server (who can?), but it's the kind of thing that I'd definitely screw up, given the opportunity. :)
  • I mod'd because it was interesting. I posted when I later found out that it wasn't entirely accurate.
  • If you can't say Berkeley or BSD for some reason, call it the BIND Internet Name Daemon.
    XGNOME vs. KDE: the game!
  • Should that address be drhelpful@[], or would that only be correct while bind exists?
  • Of course it's "stuff that matters"! Without BIND how will I ever be able to log into my box as root? I'd have to do something silly like install SU or use /etc/securetty
  • You can find the BIND9 Official Page at
  • Considering that Vixie is running the most heavly loaded root name server with it, I would guess he does trust it.
  • I've been running three name servers to get around this problem.

    All my internal hosts use 192.168.*.* and I use cisco NAT to get the right external address mapped to the correct internal addresses and cisco nat will automagically fixup dns packets on the fly but only if they are udp. The result is that I have one external address for external zone transfers, one for external name service and one for internal use.
  • Unless the hole was found by someone who figured knowing how to exploit djbdns was worth more than $500.
  • I didn't see WINS resolution in the new feature list for the resolver. Does anyone know of patches to do this?
  • I'm running djbdns. Would you like to secondary my domain? I had a tough time getting djbdns to allow it, but I finally did it: I had to run "axfrd-conf". You know how hard it is to run a single command....
    p.s. Sheesh!
  • Everytime I forget, my posting history is there to remind me.
  • In the dark days prior to his inventing the Internet, the mish-mash of connected networks was just chaos. Very early on Senator Gore established the Committee on Name Service Resolution, comprised of Mark Painter, David Riggle, Douglas Terry, and Songnian Zhou. It is through the hard work of these men and a generous government grant from a bill authored by none other than Senator Al Gore that established BIND (Bureaucratic Internet Name Daemon) as the leading DNS server. Thank you Mr. Gore. And God bless the United States of America.
  • So much is being made of DJB's dislike for AXFR that I think it's important to note the fact that djbdns DOES SUPPORT AXFR, directly.

    You do not need to use AXFR for zone transfers with other BIND servers. The only time you will ever need to support AXFR is if you have customers or providers that refuse to support sane protocols, like secure rsync. Synchronizing BIND servers with rsync is no more challenging than synchronizing tinydns servers.

    Additionally, if you are making the mistake of using or relying on BIND anywhere in your infrastructure, reloading the zone files will give you an opportunity to free up all the memory that the infinitely-expanding BIND "cache" consumes.

    You should very carefully read and consider DJB's analysis of whether you want offsite secondary DNS support before you rely on anyone else's nameservers. Most people DON'T want offsite secondaries, even if they think they do.

    If you do need offsite secondaries, you should very carefully consider whether you want to rely on providers that rely on insecure, unreliable, antiquated software.

  • I would guess that Vixie has had, until recently, no realistic alternative. Vixie also has a very definite financial interest in pushing BIND and BIND-features-masked-as-DNS-standards. Vixie is an officer of Nominum, "the BIND company", a commercial enterprise devoted to BIND in the same manner as Sendmail, Inc. is devoted to Sendmail.

    Some of the largest sites in the world still depend on Sendmail, too. But would you run Sendmail in your infrastructure? Most people wouldn't, opting instead for Postfix or qmail, both of which have proven themselves in large sites as well.

  • The problem with djbdns is that Dan doesn't care about standards

    Learn what "standardization" means, and how to read and interpret an RFC. You're talking out of your ass.

    AXFR has been "optional" in BIND for years --- BIND's configuration allows them to be restricted by IP address, and competent admins have been restricting them with filters long before that feature was available. djbdns does exactly the same thing, but takes it a step further by running AXFR service from a separate server context, for added security, speed, and reliability. This violates no aspect of the standard.

    IXFR is not a "DNS Standard". All RFCs are not standards. Many RFCs are proposed extensions to the standards, which is exactly what IXFR is. djbdns doesn't support IXFR because IXFR isn't required by the standards and, thankfully, isn't in widespread use.

    Bernstein's take is that secure rsync IS in widespread use, is a general-purpose, modern tool, and is more available to the DNS operations community (even the BIND advocates) than IXFR is. I think it's clear that many of the supposed "standards" being tossed about in this debate are nothing more than features of BIND being wrangled into standards documents. Welcome to OSI, circa 2000AD.

    Having addressed your straw-man argument over AXFR/IXFR, why don't we move on to ACTUAL standards compliance? BIND up to and including 8.1.2 applied DNS compression to SRV records, blatantly violating the most basic aspect of the DNS standards (the on-the-wire encoding of actual DNS records).

    You're also completely wrong about the ability to do zone transfers with secure rsync and BIND. People already do this. Where'd you get your information from?

    djbdns uses TCP queries when necessary, automatically. Can you come up with an actual interoperability problem djbdns has caused? What you're saying sounds *exactly* like what the Sendmail drones said when qmail was released.

    I don't expect everyone on Slashdot to understand how the IETF works and what the forces are that bear on it, but I do expect that everyone here is familiar with the term "loose consensus and working code". djbdns works. BIND has been a disaster for years. If you're going to deify the IETF in your arguments, try to understand its spirit first.

  • Is this a troll or did someone hijack the domain? I was redirected to Gross!
  • Well, yes I would run sendmail.
    I used to run one of the only sites for DISA that never got hacked. Even the tiger teams failed to hack it and it was running sendmail properly configured. Out of the several thousand sites they hacked in DISA, there were only about 6 that they couldn't crack and all of those were running sendmail.

    All programs have flaws and some times those flaws open it up to abuse. A secure server must keep on top of those flaws. At this point I think that sendmail is much more secure than postfix and qmail. I managed to get postfix to dump core a few times on the mandrake 7.1 that I'm running at home. Users should not be able to cause programs started as root to core dump.

  • While you won't get much argument on attitude, back when I was searching for a resolver library to hack into a project, I looked at tinydns and downloaded it and started poking around for a license (since this was for work)- I didn't find one at all- and after the qmail license debacle, I thought it'd be a good thing[tm] to ask DJB what terms the stuff was licensed under. I got back a "There is no license, I don't believe in software licensing." reply.

    So, if you're out of technical arguments and are down to social ones, considering BIND is the Sendmail of the 90's and Wietse hasn't attacked DNS as a project I think you're out of wind.

    Look at the code, don't rush to judgement. Look at BIND's code. Compare and contrast.

    I actually *like* BIND, but running it is always scary, even chrooted.

  • > I managed to get postfix to dump core a few
    > times on the mandrake 7.1 that I'm runnng at
    > home. Users should not be able to cause
    > programs started as root to core dump.

    a) How did you get it to dump core exactly.
    b) Where's your bug report? Wietse's always been extremely good at fixing actual bugs.
    c) Postfix drops root _very_ quickly for the parts of the system that need it. It's not monolithic and all the parts don't run as root.

    I don't know *anyone* in the security community that I respect who'd run Sendmail under any circumstance that wasn't "We need a specific feature that nothing else supports" and even then it'd be on a gateway downstream of something else.

  • Buddy:

    $ rpm -qf /usr/include/resolv.h

    It is up to glibc to decide what the interface will be. If and when glibc uses bind 9's resolver, we shall see what their strategy is with the API.
    It's just like /usr/include/linux. It comes from the kernel but glibc controls it (this has been a much confused point over time).

    What I'm waiting for personally is dhcp 3.0 final, so I can connect my dhcp with dyndns and head off w2k...
  • Yes, it would have, but I don't think they figured out I had ipchains rules. Looks like the ADMROCKS exploit lets you execute commands remotely as the user named is running as, but doesn't explicitly give you a root shell. I guess they could've just done a "rm -rf /" and hosed the machine, but I didn't really care, I had backups of all the important stuff.

    Moral of the story, never run named as root under any circumstances, and always run it chrooted. In fact, never run anything as root if possible, and chroot what you can. An attacker can break out of a chroot jail, but it'll stop most script kiddies from doing much damage.

    I was thinking of switching to djbdns for my nameserver on my DSL, but now that bind 9 is out, I wouldn't mind experimenting with the 6-bone a little bit, and djbdns doesn't do IPv6 as far as I know.
  • Please identify the security holes in qmail.

    There are none.
