Root-server switches from BIND to NSD 264
A Sorry End writes "It appears that one of the 13 root-servers, the core of DNS name resolution, have moved away from BIND to NSD since wednesday, Feb 19th, 2003, which is a Good Thing. Since the 26th of october 1990, all root-servers have been running BIND. According to this message, this change was designed to increase the diversity of software in the root name server system, the lack of which is widely considered to be a potential vulnerability. The nsd software has been designed from scratch specifically as an authoritative name server. It has no design commonalities with bind, the currently prevalent DNS implementation.
In addition to that nsd provides a significant increase in the performance reserve of k.root-servers.net.
NSD was developed at NLnet Labs in coorperation with RIPE."
Hehe (Score:2, Funny)
...god, that was the worst joke ever. Someone shoot me.
Re:Hehe (Score:3, Funny)
I would shoot you, but I can't find you because your name isn't resolving for some reason.
Their loss (Score:3, Interesting)
Why are alphas not freely redistributable when the releases are redistributable under one of the most permissive licenses? Are they worried about security? If so, wouldn't a more open audit of the code before release actually help? Are they worried about subsidizing their competition? Then Why use the BSD licence? And as far as competition goes, who is the competition? BIND? DJBDNS? I doubt that DJB will copy their code-- that isn't his style, and as far as BIND, they already have the majority market share, so even if they can only get the code in the final release, they can still add the features they want and maintain market share.
The problem I see here is that this seems inconsistant with the release licenses.I don't think this is good for open source projects.
Re:Hehe (Score:3, Funny)
I may have taken that bullet for you...
Diversity? (Score:3, Funny)
So how secure is it? (Score:5, Interesting)
Re:So how secure is it? (Score:4, Funny)
Re:So how secure is it? (Score:5, Insightful)
I've never had any security problems with it. Chrooted, and running as a non root user helps. Funny how once something gets a reputation, it never seems to be able to shake it off.
Exactly! (Score:5, Funny)
Re:So how secure is it? (Score:5, Insightful)
Sodftware diversity not always a Good Thing (Score:3, Interesting)
If the attack purpose is a DOS, software diversity helps in preventing that your whole system is killed by a single exploit. But if the attack purpose is to crack a machine on your network to run some trojan and/or spyware, software diversity only means that the attacker has more chances to find an hole.
Now, it would be different if they diversify the CPU, since most of the exploit code around is platform-dependent: keeping alive some Alphas to run some of the root DNS whould be wise from a security POV (although maybe not from other POVs).
Thinking of it, it would be nice if compilers could generate (randomly) different - but working - binary code from the same sources. You would have a single source to scrutinize for security holes, but generating different binaries on different critical machine would limit the risk of monoculture.
Re:Sodftware diversity not always a Good Thing (Score:2)
Actually, you can through compiler switches.
However, this doesn't help any. It may mean that someone may need to write multiple versions of the same exploit, but the exploit will be there in all versions.
Even in the case you mention - cracking a machine - you still have only 1 machine cracked versus the whole bunch. At least afterwords you would have at least 1 known-good copy of the data.
Re:So how secure is it? (Score:2)
Re:So how secure is it? (Score:2)
Now you are assuming that for the system as a whole to be secure, each part has to be secure. However that is not how secure systems are designed. Though DNS is really not designed with much security in mind, so it may all fail due to weaknesses in design. Had the design been secure multiple implementations would be an advantage. The best you can do right now to protect yourself from false results from a cracked root DNS server is to ask more than one, but that of course does not help against DoS attacks. And of course always use secure protocols like ssh and https on top of IP+UDP+TCP+DNS.
Re:So how secure is it? (Score:4, Insightful)
You misunderstand the problem of "security through obscurity". The phrase "security through obscurity" does not mean to say that obscurity is useless - in fact, it is a very important part of computer defence. What it means is that obscurity should not be confused with security. They are orthogonal. If I have an obscure system on the other side of the firewall, it will take a hacker longer to figure his way around, thus giving me extra time to detect him. This shouldn't be done to _replace_ security, but is a definite complement to security.
Re:So how secure is it? (Score:3, Insightful)
Open Source (Score:5, Informative)
Re:Open Source (Score:5, Informative)
Re:Open Source (Score:2, Interesting)
Re:Open Source (Score:4, Insightful)
You brought up a very good point. "Open source" which you're not allowed to disclose.
Which is why RMS asks us to distinguish between Free as in freedom and open source as in buzzword compatible.
IMHO, what the license restriction probably shows is that deep down, they really believe that less eyes on the source == better. They probably want to achieve some kind of "middle ground" (shared source anyone?) with bug fixers getting to look at the code but not "hackers".
Not to be too harsh, just bitter that they follow the letter but not the spirit of open source.
Re:Open Source (Score:2)
Re:Open Source (Score:5, Informative)
http://www.nlnetlabs.nl/nsd/index.html
Re:Open Source (Score:5, Informative)
Daniel Karrenberg
daniel.karrenberg@ripe.net
Re:Open Source (Score:5, Insightful)
Man this is such a false meme, where did it get started? Obscurity by itself is questionable security, but as a component of a multi-layered security strategy it's perfectly reasonable.
Security by obscurity is your world-readable /etc/passwd file, with the password data either hashed (obscured) or moved to the shadow file (also obscured). (And if your shadow password file isn't world readable, that's just more obscurity.)
Security by obscurity is the fact that most people don't have the names & addresses of the personnel running the US military's nuclear weapons systems so that these people can't be blackmailed. Maybe these people can be trusted not to betray their country under torture and such, but keeping their identities non-public -- an obscurity measure -- is important too.
Security by obscurity is Dick Cheney's "undisclosed location" (*cough* [boston.com] Greenbrier [krusch.com] Resort [gettingit.com], White [atomictourist.com] Sulphur [wunderground.com] Springs [unitedcountry.com], West [google.com] Virginia [google.com])
Security by obscurity is restricting access to your company's co-location facility, so that untrusted people can't get physical access to your equipment.
In short, in a broad sense, "security by obscurity" is a lot of good ideas, when you think about it. Any of these ideas can be an Achilles heel, but the solution there is not to cut off the heel altogether, but to wear sensible shoes when going out in the wilderness :)
To get back to the original topic, obscurity is a perfectly good tactic for the people running these DNS servers as part of their overall strategy for protecting the system. It's perfectly reasonable for certain aspects of their systems, processes, etc to be kept on a need to know basis. Sure, there is a benefit to keeping software source open as a security measure, though the benefit of doing that is debatable (and no, I'm not going to be the one to debate it -- I agree that it's generally a good idea but can understand some of the objections). But in this case, where the software is a black box to the outside world, and it's explicitly *not* meant for general DNS use (it's meant for authoritative servers only!) I don't see any particular harm in keeping their doors locked down pretty well.
Not that they're doing that in the first place. As another reply noted, you yourself write that both the betas & release will be available under a BSD style license :-)
But moreover, your objections are I think misplaced -- as are most of the people that blindly parrot the "obscurity is bad" meme. Think about what you're saying -- it really doesn't hold up to scrutiny.
Re:Open Source (Score:2)
Note that I happen to agree than in some cases obscurity can be a reasonable additional layer of security, but the the essence of your point is, dare I say it, obscured by your changes in definition.
Re:Open Source (Score:2)
My real point, which I think you're well aware of, is that pat, convenient slogans like this are often too simplistic, and there's a danger that by taking them to heart you're taking away the wrong lesson.
By broadening the definition, my hope is that people will think a little more about parroting things like this and consider that, in this case, security by obscurity *isn't* per se a bad thing. It has a place, a role, and proper ways to apply it. Having it as the first & only line of defence usually isn't one of the proper ways, but as part of a balanced security plan it can fit in very effectively.
Re:security through obscurity (Score:2, Informative)
New vulnerabilities (Score:2)
Re:New vulnerabilities (Score:5, Informative)
An online Starcraft RPG? Only at [netnexus.com]
Re:New vulnerabilities (Score:2)
I'm not sure that is exactly the attack everyone is concerned about. More likely they'd point the firehose at, you know, someone else's site... I'll leave it to the trolls to suggest which sites.
Re:New vulnerabilities (Score:2)
How is going to a different dns server make this easier now? Are you saying that NSD somehow makes this easier? Is this a known vulnerability in NSD?
Re:New vulnerabilities (Score:5, Insightful)
Running a wider array of software on the root nameservers is still almost certainly a Good Thing , and decreases the probability than all of the servers will be prone to any given vulnerability -- but also increases the probability that a vulnerability will be found such that some subset of the servers is prone.
Re:New vulnerabilities (Score:2, Interesting)
Unless you can argue that there is a finite number of potential vulnerabilities, and that the number is sufficiently small that they are well within the capacity of attackers to exhaustively exploit, I'm not sure how well your logic bears out. This multiplicative math only works with known/finite probabilities.
It could well be argued that there is a near-infinite supply of potential vulnerabilities, and that X cracking effort yields N holes. In this scenario it the overall chance of any single compromise doesn't increase with the diversity of products. But the susceptibility of the entire system to any given attack does decrease. That makes this change a win.
Re:New vulnerabilities (Score:2)
Simply put: The set of possible inputs to a block of code (excluding cases where input lengths are unbounded -- something DNS software should never allow) is finite; hence, there is a finite set of correctly-handled cases, a finite set of error cases which are gracefully handled, and a finite set of error cases which are incorrectly handled. That last set can indeed be located, and if the expense is warranted can even be eliminated and proven to be so.
As for the argument that the supply of potential vulnerabilities is near-infinite, I am disinclined to believe this so long as certain reasonable assumptions regarding the operating environment can be made. If you care to put forth an argument, however, by all means feel free to do so.
Just like biological ecosystems (Score:5, Insightful)
Having no diversity means you are ripe for an epidemic.
Re:Just like biological ecosystems (Score:2)
Yes, this is OT, and I like it!
Verisign using ATLAS, not BIND (Score:5, Informative)
As of last year, Verisign has been running ATLAS, instead of BIND, for DNS. See the story here [nwfusion.com].
Re:Verisign using ATLAS, not BIND (Score:5, Informative)
Re:Verisign using ATLAS, not BIND (Score:5, Informative)
Verisign does not run this server, but they do have their own DNS servers which handle DNS for TLD's such as "com" and "net" -- and is totally seperate from the root servers. I am sure all of those systems are still running ATLAS.
(Of course, if I recall correctly, VeriSign does manage one of the 13 root servers. I think it is a.root-servers.net, but I may be wrong.)
Re:Verisign using ATLAS, not BIND (Score:2)
Yes, and J changed its IP a few months ago when it moved across town - they were both at the same facility, which was dumb.
Re:Verisign using ATLAS, not BIND (Score:3, Informative)
I assume that you assume incorrectly.
There are also 13 gTLD servers, in addition to the 13 root servers: [a-m].gtld-servers.net are authoritative for the
Verisign apparently also has [a-g,l-m].nstld.com, which are authoritative for
Re:Verisign using ATLAS, not BIND (Score:2, Informative)
Diying? (Score:5, Insightful)
There will be years for BIND to loose it's marketshare.
Specs on BIND Vs NSD (Score:5, Insightful)
I wonder what anomalies, if any, we may see from switching over. Also, as the article mentions that NSD has no design commonalities with BIND, I wonder how many of the tech personnel are knowledgable on the new system...not that a nameserver, even a root one, should be overtly complicated (except for evading DOS attacks)
Re:Specs on BIND Vs NSD (Score:5, Informative)
BIND is a general purpose name server for use anywhere in the hierarchical dns scheme. That is, in simplest terms, it accepts requests from below, and either serves them or passes the query up (hierarchy = tree).
NSD, according to what is being said is for *authoritative servers only*. That is, it only serves requests, it never passes them up (because it only runs at the nood nodes). It may be true that they intend to make it a general purpose name daemon in the future, but at least for right now, it just simply does not do all of the different things that bind does. One might guess that, because it does fewer things, it does them better, but I sure as hell don't know that to be the case.
Re:Specs on BIND Vs NSD (Score:3, Insightful)
Re:Specs on BIND Vs NSD (Score:2)
Re:Specs on BIND Vs NSD (Score:5, Informative)
I'm scanning through it right now, and it looks like the main differences are:
NSD is Authoritative only. It doesn't pass requests to other servers.
NSD is quieter in the sense that if you send it a request which it refuses (like an update), it simply returns a Refused message and not the content of the update request. BIND does. This is considered a weakness in BIND that could make it susceptible to DoS attacks.
There are a number of different interpretations of the RFCs between BIND and NSD which I don't understand.
Re:Specs on BIND Vs NSD (Score:5, Interesting)
to millions of both real world and artificial
queries. None of the differences observed are
material enough to be noticed by common resolvers
and much less any applications or even users.
Daniel Karrenberg
daniel.karrenberg@ripe.net
Same interface, different implementation (Score:4, Insightful)
This is great, but I wanted to point out that the new software does have design commonalities with bind. The way I see it, they both support the same external interface, but they have different implementations.
--sex [slashdot.org]
Re:Same interface, different implementation (Score:2)
By your definition, Apache and IIS share design commonalities.
Re:Same interface, different implementation (Score:2)
they should use djbdns (Score:5, Funny)
* free software, under the BSD license (makes it easy to redistribute binaries)
* easy package-based installer (easy to find everything, or to install djbdns in different locations)
* easy to configure with a single config file
* great support from the author, who's a really friendly guy.
Oh wait. NONE OF THAT IS TRUE. Never mind.
Re:they should use djbdns (Score:5, Insightful)
Oh wait. NONE OF THAT IS TRUE. Never mind.
You're absolutely right. djbdns doesn't have anything going for it except exceptional security and performance, and why would a root name server need that?
Re:they should use djbdns (Score:2)
See Name Server C
http://www.icann.org/tlds/org/applications/swit
The access capacity for that is 5000 queries/sec, which seems reasonable when compared to other reports on similar spec hardware.
If you are testing dnscache, are the requests already cached?
Anyway if djbdns isn't much slower than BIND I'd stick to djbdns as it has a better security track record.
Re:they should use djbdns (Score:2)
Re:they should use djbdns (Score:2, Interesting)
- authoritative only makes for simpler software, higher performance, increased security, more robust software
- load/reload entire db, with very fast load times, and no incremental changes at runtime
- axfr offband (it is not clear how they do this, but it sounds as though nsd is not doing this, and neither does tinydns, it can be done better with other programs (such as rsync)) IIRC, many flames have ignited over tinydns's AXFR support (or supposed lack thereof), and it seems as though the nsd developers chose a design.
One can reasonably ask, if it is so similar, why reinvent tinydns? If it's good that one root server is running nsd, why not implement tinydns on another root server? Or how does nsd differ from tinydns?Re:they should use djbdns (Score:3, Informative)
Re:they should use djbdns (Score:5, Informative)
I recently installed DNS on my local net for the first time (had been making do with hosts files until then). It seemed I saw a new BIND problem every week, so I thought I'd give djbdns a go, it looked pretty straight forward and I like works like "secure". It did take a full evening to install (longer that I would have hoped) and yes, that service manager thing is a ROYAL piece of annoying crap, but once it was up and running I've had exactly zero problems with it.
IMHO djb seems to write some pretty decent code, the apps themselves seem well designed, but he REALLY needs to get with the programme re: installers, and not re-inventing the wheel just because he reckons he can do it 0.001% better than everyone else (svcmgr).
Re:they should use djbdns (Score:5, Informative)
Exactly what is svcmgr replacing that it only does things 0.0001% better than?
Phrased more simply, what exactly is there to check that service daemons are running, and starts them if they are not?
Whereas daemontools replaces init scripts, it also does the job of checking that services are still running, and starts them if they are not. It is a very useful daemon - a supervising master daemon to watch all the other daemons, because time has shown that daemons aren't very good at watching themselves.
Re:they should use djbdns (Score:2)
to see a summary of the things that daemontools does compared to other init strategies. You have to run something in inittab to ensure that process restarting is clean and reliable. The daemontools package also makes it easy for one daemon to check all the others, re-start the dead ones, add and/or remove services at will, signal them cleanly, and is available under all flavors of Unix.
You MAY think that is only an incremental improvement over init. I don't.
Re:they should use djbdns (Score:2)
It took me some time to understand djbdns, but that's not surprising - learning something new always takes time.
BIND really isn't easier to me - look at the config files.
Re:they should use djbdns (Score:3, Funny)
Re:they should use djbdns (Score:3)
affirmative action (Score:5, Funny)
Affirmative action: More than just for humans.
root servers never even tried BIND 9 (Score:5, Informative)
That said, their software change sounds like a good idea, but isn't for everyone. There's nothing wrong with BIND 9 and I plan on sticking with it for years to come.
I don't think I can say the same thing about sendmail...
Re:root servers never even tried BIND 9 (Score:5, Informative)
Re:root servers never even tried BIND 9 (Score:3, Informative)
Here's what they return:
a: "VGRS1"
b: "8.2.5-REL"
c: "8.3.3-REL"
d: "8.3.1-REL"
e: "8.3.3-REL"
f: "8.3.3-REL"
g: no answer
h: "8.3.4-REL"
i: "8.3.2-REL"
j: "VGRS1"
l: "BIND-8.3.1-MA-PATCH-JMB-01"
k: no answer
m: "8.3.4-REL"
Of course, you can set this string to anything, but the root servers don't.
-sig
Re:root servers never even tried BIND 9 (Score:3, Informative)
-sig
Re:root servers never even tried BIND 9 (Score:2)
Re:root servers never even tried BIND 9 (Score:2)
One of the root servers was moved over to BIND 9 before the final release. Made me kinda nervous, cuz the final release of BIND 9 was somewhat buggy and had several features missing. Pretty effective way to beta test, I suppose, and it seems to have worked out OK.
Re:root servers never even tried BIND 9 (Score:2)
Only because you stopped running it at 8.6.something, which was about as current as BIND 4.9. If you'd keep up with sendmail like you kept up with BIND, you'd have a different opinion.
If the last exposure to BIND you had was BIND 4.9 you'd be dissing the current BIND instead of the current sendmail.
It's all about what you use and what you are comfortable with and knowledgeable about.
Except for wu-ftpd of course. There's no hope for that pile!
Back to switchboards (Score:5, Funny)
While being resistant to any port based DDOS attacks, they would be DOSable by having some hunky dude drink a pepsi outside their window.
Re:Back to switchboards (Score:2)
Mmmmm.. Your dialogue is sounding like one of my fantasies.. You forgot about the part where after work, she takes off her glasses, and lets her hair down, and the clothes come flying off
Diversity is good (Score:5, Insightful)
For very high reliability software, competition is also used. For example, the space shuttle uses four sets of identical software on four sets of hardware that vote on results, with a fifth set running completely different software waiting to take over if the other fail (see Fastcompany [fastcompany.com] for more details).
Also, one of the benefits of breaking up Ma Bell was that one company, with one set of software, was no longer running the telephone system in the United States.
In the long run I think this is a very good thing. In the short run, however, there might be problems.
Re:Diversity is good (Score:2)
Uhh, except that now we have four, and they still haven't gotten rid of the original software. I used to know what it was called, I'm trying to remember - anyone know?
Acronyms galore (Score:5, Funny)
Security through _______ (Score:5, Funny)
I mean if you're going to be superstitious to the point of worrying about code diversity or eyeballs-per-source-file, I think this is an issue that needs to be addressed.
Only... (Score:5, Funny)
...if the 14th is named bilbo.root-servers.net, and is added specifically for the purpose of breaking the bad luck.
Sorry, heavy geek moment there.
Re:Security through _______ (Score:2)
Re:Security through _______ (Score:3, Funny)
No, but it's bad luck to be superstitious.
Re:Security through ? (Score:2)
voyeurweb.com. itself has 14 A records, but we've had up to 22. We did overrun the packet size when we had more A records (25) in there, but only some clients were failing because of it. They could easily add another root server, without breaking things. Well, assuming everyone would update their hints. I don't think most people optimize their hints file for their location.
> dig voyeurweb.com A
;; QUESTION SECTION:
;voyeurweb.com. IN A
;; ANSWER SECTION:
voyeurweb.com. 3600 IN A 63.208.2.97
voyeurweb.com. 3600 IN A 209.247.59.14
voyeurweb.com. 3600 IN A 209.247.59.15
voyeurweb.com. 3600 IN A 209.247.59.16
voyeurweb.com. 3600 IN A 209.247.59.17
voyeurweb.com. 3600 IN A 209.247.59.84
voyeurweb.com. 3600 IN A 209.247.59.85
voyeurweb.com. 3600 IN A 209.247.59.86
voyeurweb.com. 3600 IN A 209.247.59.87
voyeurweb.com. 3600 IN A 63.208.2.23
voyeurweb.com. 3600 IN A 63.208.2.25
voyeurweb.com. 3600 IN A 63.208.2.62
voyeurweb.com. 3600 IN A 63.208.2.64
voyeurweb.com. 3600 IN A 63.208.2.84
{sigh} I think I'm hitting every posting violation today..
"Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted."
"Reason: Please use fewer 'junk' characters."
Perhaps a silly question. (Score:3, Insightful)
The article states: "K will answer either using bind8 or nsd".
How does one go about identifying which software is in use at a DNS server? Is there a piece of data transmited with the response - like with webbrowsers to indicate which version/browser was used to make the request?
Perhaps the article is talking in an abstract manner about how the server will respond, and not in a litteral way - and such a feature of DNS does not exist.
(I cant see how it would NEED to exist frankly. People want to know the IP address of the name they are looking up - not what piece of software is being used to retrieve it)
Nevertheless, I am curious.
Re:Perhaps a silly question. (Score:3, Informative)
dig @server.example.com. authors.bind chaos txt
Compare results. If you get a response for both queries (including REFUSED and SERVFAIL), then it's probably BIND 9. If you get a response for the first query (including REFUSED and SERVFAIL) and not the second, then it's probably BIND-8. If you don't get a response for either query, it's probably an old version of BIND-4.9.2 (or below), or Microsoft DNS (which is based on BIND-4.9.2 or below).
Re:Perhaps a silly question. (Score:2)
Re:Perhaps a silly question. (Score:3, Insightful)
Actually, the full quote is:
: During the cut-over period, K will answer either using bind8 or nsd
( There is a load balancer in front of a number of machines performing the K-root function )
To answer your other question, being:
> How does one go about identifying which software is in use at a DNS server?
There are three methods. One is the defacto which was introduced with BIND4.mumble, by which you could send a TXT query of 'version.bind' to the nameserver, and it may answer with the actual version (depending on how the local administrators set it up - ref BIND documentation for further details).
Another method is currently going through the IETF [ietf.org] process as draft-dnsop-serverid [ietf.org], and consists of sending a similar query for 'version.server'. (ref the draft for further specifics). NSD replies to this method since it is not BIND.
The third method is analysis of how the nameserver replies to queries. Even between BIND versions there are a variety of subtle differences in the packet that you get back.
But, we haven't answered the 'why'. One reason is if you are tracking obscure protocol bugs from servers not under your control. Another is purely for local administration and tracking which nameserver is doing what.
Security? (Score:2, Interesting)
-- kryps
Re:Security? (Score:2)
Waste of effort (Score:5, Insightful)
I would rather see them pick some alternative general purpose DNS implementation and optimize it for their needs.
Re:Waste of effort (Score:3, Insightful)
Ooh, is that flamebait I smell?
It's long since been agreed upon that combining authoritative and recursive name services is a terrible idea. With that in mind, is there any reason for your authoritative DNS server to contain recursive code? Do recursive servers (for most of us?) benefit at all from the authoritative code?
Most of us in the scope that you use it may never realize incredible benefits from software targeted at most of us network operators. Just because the effort spent developing this software will not directly benefit you doesn't mean it was wasted.
Oh, I see. It was flamebait, after all.
Mark
Mod parent up, good rebuttal (Score:2)
Won't stop DDoS attacks (Score:2, Informative)
I think the internet is going to have to move to a tiered approach of trusted and untrusted networks. Unfettered access was okay when there were only a few systems connected but with millions of users, trust is something you must earn. If a network or ISP allows a user to spoof the packets they send than that network or ISP should be labeled untrustworthy and their QOS should reflect that. Legitimate users will eventually migrate to trusted nets and ISPs.
The internet should be a priveledge ala driving. If you can't be trusted with that priveledge than your access should be revoked or at least severely limited.
Re: (Score:3, Funny)
Re:Similar (Score:2)
Which came first, BIND or the RFCs?
Re:Similar (Score:5, Informative)
Re:THIS PROVES OPEN SOURCE ISNT READY FOR PRIME TI (Score:2, Insightful)
(Just under 0%)
Re:It's about time. (Score:3, Insightful)
Actually, that isn't really true. We just do it like that NOW.
All that the root servers do it tell us where to start.
How do we find the root servers? By using a "well known list" that doesn't change very often (order of many years between *major* changes - as long as one of the servers listed is reachable and valid we get an up-to-date list of root servers first time we talk to it after booting).
Suppose that we used a different "well known list" that, instead of listing root servers, listed the authoritative servers for each TLD (.arpa,.net,.biz,....,plus country TLDs). Then you don't actually NEED a "." domain at all.
Sounds crazy? Surely this bigger list would get out of date quicker? Yet we accept new "global" CA's without blinking (or even knowing about it) each time we install a new version of Mozilla (or other browser). This is part of the critical trust infrastructure too. So offer a new "well known list" Free With Every Browser Download
Of course, if this made you nervous, you could still include a "fallback" set of servers for "." to contact in the event that you had a query for a TLD which either was not in the existing list held (new
Just a thought.....
Re:djbdns (Score:3, Insightful)
Seriously, djbdns, as supplied, is not usable on a root server due to security constraints involved in retrieving the root zones.
Re:I wish we could start replacing the DNS system (Score:2)
Just set the TTL to a lower value and you're in. It all happens automatic.
Re:Why is BIND insecure? (Score:2)
You dis-believer! Don't you know that BIND sucks and that DJB rules?
Anyway, what people don't understand is that one of the goals of BIND is to be a reference-model for DNS related RFC. So if there is an RFC saying that name-servers should do "blaat", BIND has to support that function. The other nameservers (maradns, firedns, djbdns, nsd) don't have to adopt all these features. And if you add more features, more things can get broken.
Regarding the choice to use NSD over BIND, I too would choose software which is doing exactly what I like it to do (authoritative answers only) above something which is generic. For other machines, I would still run BIND.