Paul Vixie to Leave BIND

strabo writes "Paul Vixie made it known at LISA '99 in Seattle on Wednesday that he'll be stepping down as the maintainer and head architect of BIND, which he has been doing for the past 10 years. Many thanks to Paul for his hard work and dedication! "

Re:Other Vixie projects?

[radparker]

Satic IPs are regularly removed from the DUL at the request of users like yourself. The intent of the DUL is to list dynamic addresses, not static IPs like dedicated dialups and DSL connections and so forth. Have you contacted the MAPS DUL team for help with this issue? Al Iverson MAPS LLC RSS Team

Re:Other Vixie projects?

[bob]

Well, that's encouraging. I did not do so because after reading through all of the information at http://maps.vix.com/dul/, I could find no indication that such a request would be honored. On the page of information for end users, http://maps.vix.com/dul/enduser.htm, the exclusive remedy is to use your ISP's relay. On the page on removing your network, http://maps.vix.com/dul/removing.htm, the acceptable reasons listed speak only to the needs of ISPs, not individuals. The closest thing I could find was the clause on "Removal due to operational requirements and a strong AUP", which still had lots of stuff about dial-up users and such that didn't apply to me. And is "I find it extremely useful, from a diagnostic standpoint, to be able to review my SMTP delivery logs" a sufficient "operational requirement?" Like, when my wife's mail doesn't get delivered, I like to be able to tell her why?

The tone of the DUL pages, taken in total, is quite hostile -- or at a minimum paternalistic and condescending -- especially to individuals. Taken as a whole, it presents the attitude that individuals really don't need to have that kind of control over their Internet presence, that individuals should just trust in their ISPs and not worry thier little heads over it.

But, taking you at your word, I'll go ahead and make a request.

Re:why slam AlterNIC?

[Frater 219]

Vixie is of the well-considered opinion that the DNS tree can only have one root. DNS is designed around the idea that each zone, including the top-level zone, can only have a single authority record. This means that delegation can emanate only from one place, namely the top-level SOA (Start Of Authority) record.

Whoever controls the top-level SOA controls the delegation for the top-level domains (com, edu, de, jp, etc.) and hence the rest of the system. This was true when InterNIC was run not-for-profit, and remains true now that InterNIC is run for profit: it is not an artifact of the management of the DNS directory, but rather of its design.

It would be possible to create a new name-service system which permitted multiple roots, search engines or Hotline-style "trackers", a directed-graph model instead of a tree model, &c. However, this would not be DNS, and these features should not be slapped onto the side of DNS. They would require a new architecture.

If you want it, please feel free to design it. Distribute your resolver libraries far and wide. However, don't commit the errors of AlterNIC, such as committing computer crimes (forgery of DNS entries) in order to popularize your system.

ok, I've got a silly question

[vyesue]

wasn't BIND brought from 4.9.something to 8 so that it would be consistent with Sendmail? how are we at BIND9 without being at sendmail9?

(hates gratuitous version increment gaps)

Re:Other Vixie projects?

[vixie]

no, i'm not dropping any projects. bind is still an ISC project, but bind9 is the up and coming thing and i'm choosing the bind8/bind9 transition as my moment to step back from the technical lime light. i am still chairman of ISC, and ISC is still very much doing bind.

Paul is Paul

[burrows]

Many thanks to Paul for the hard work, dedication, and numerous security holes he has contributed to this project over the past 10 years (relax, it's a joke).

Re:Thanks Paul...

[vixie]

re: "you the man" i was the man, but DNS is now much larger than any man (no matter how much coffee he drinks) can implement. that's why ISC exists. BIND9 is the future, and it's very bright.

Re:BIND, Vixie, et al

[StenD]

> Grrr! I -hate- closed-door development. It's not much better than closed-source.

Read the Cathedral and the Bazaar. ESR notes "It's fairly clear that one cannot code from the ground up in bazaar style.". The developers certainly want as many eyes as possible looking at the code, and finding and repairing bugs, as possible, but they have to provide something that works at some level first.

Re:ok, I've got a silly question

[Anonymous Coward]

When BSD4.4 was released, all the SCCS (remember that?) version numbers were reset to 8. Why, I don't know. But that's why BIND and sendmail are both v8. I think this little gem is somewhere in the sendmail docs... -Dom2

Re:Give This Man a Medal

[JackAssPenguin]

At the ISP where I used to work we had a Microsoft Small Business Server. This project was pushed big time by MS. It is a complete MS project - the clients run MS stuff, the ISP runs Microsoft stuff.

And (typically) it didn't work.

With a lot of MS pressure, a lot of MS help and a lot of MCSEs trying to help it finally got off the ground.

The difference now is that it uses BIND and not MS's DNS.

This to me is as much a medal as "This Man" could ever earn.

Good luck for the future.

email: 3->e

Re:BIND, Vixie, et al

[vixie]

> where's this BIND 9 that keeps getting talked about? the companies who funded it wanted early access. since the budget was $1.5M we gave on this point. when it's ready for public testing it will be up on some ftp server with a regular BSD/ISC license. > Second, who's going to take over BIND now? nobody. ISC took it over in 1994. i'm chairman of ISC but as bind8 is approaching end-of-life in favour of bind9, my involvement as an architect is sort of ending. i'm just a manager now. > Third, what's the -real- reason for the resignation? 10 years is a long time. DNS is very big now. i'm going to stay involved with ISC but not be "the" or even "a" BIND technologist in the future. once we (ISC) get bind9 out the door i may decide to contribute code fragments to it, but as an individual contributor rather than as any sort of author, coauthor, or architect.

Does Paul Vixie smoke crack?

[Nicolas MONNET]

when i saw the linux chroot("../../../../../../../..") hole i about fell out of my chair. truly no place is safe any more.

This "bug" pops up every other month on linux-kernel, and has been for several years. This is not a bug. This is the way chroot is supposed to work. If you make a chroot and run process as root inside, you deserve to what happens to you.

I don't really understand why he wrote the above.

thank you for your dedication...

[fratar]

what else to say?
except thank you for you and all of your dedicated team.

just curious, is there any picture of you and the team?

after all these years, many only knew the name and email.

:)

Re:ok, I've got a silly question

[StenD]

Both BIND and sendmail were brought to version 8 to synchronize with the 4.4BSD source revision numbers. BIND underwent a full source rewrite, and is appropriately incrementing the major release number. Hopefully Sendmail will do the same thing one of these days.

DUL Follow-up

[bob]

A follow-up here for the record. I put in a request, and it was granted almost immediately; the DUL guys poked around a bit and when it checked out they went ahead and took my IP out of the DUL jail. I take back what I said. Well, most of it anyway, except for the part about the tone of their Web page, which I still think sounds pretty hostile. Nice to know, though, that they're more reasonable than they sound. --Bob

Re:ok, I've got a silly question

[vyesue]

_remember_ sccs? I had the displeasure of using it quite intensively for a while when I worked at Sun. guh.

anyway, 8's as good a number as anything else, I was just curious. :D

Other Vixie projects?

[AtariDatacenter]

What other projects is Vixie running, and will he be stepping down on any others?

...

[Signal 11]

My only question is why? Will he be stepping down from other projects (the MAPS RBL?) as well? More details! More details!

--

Who will take over BIND?

[Gurlia]

Just curious, who will take over the BIND project? Or will it just be a group of people as opposed to one person overseeing the whole thing?

As a sideline, I wonder who will take over the Linux kernel when (if) Linus steps down? Just a random thought... :-)

Re:Other Vixie projects?

[seebs]

The RBL, of course! Although, to be fair, he's mostly handed that off already; it's run by the employees these days.

Nice service. http://www.mail-abuse.org/rbl/

Give This Man a Medal

[mochaone]

Ten years of working on what is arguably the most successful Open Source project ever deserves something. Someone nominate this guy for the FSF 1999 award.

BIND, Vixie, et al

[jd]

First off, where's this BIND 9 that keeps getting talked about? The most recent version I can see a link to is BIND 8. (Grrr! I -hate- closed-door development. It's not much better than closed-source.)

Second, who's going to take over BIND now? For all it's problems and limitations, BIND is an excellent piece of code, and I'd hate to see it vanish.

Third, what's the -real- reason for the resignation? Open Source is less about egos, precicely because it's open, so I've my doubts about this "it's time". It sounds too much like a line from those cheesy B-Movie sci-fi movies, only without the benefit of cheese.

Last, but not least, for all my cynisism, doubt and concerns, I reckon Paul Vixie has done an excellent job with BIND, keeping it's title as one of the most widely-used nameservers on the Internet, despite fierce competition from commercial alternatives.

mail from vixie, alternative to BIND

[Ken Williams]

--------------------------------------------------

Date: Sat, 13 Nov 1999 21:11:54 -0800
From: Paul A Vixie
Subject: Re: BIND bugs of the month (fwd)

please forward since i'm not on bugtraq

> Date: Sat, 13 Nov 1999 01:14:24 -0000
> From: D. J. Bernstein
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: BIND bugs of the month
>
> ...
> But all this cryptographic work accomplishes _nothing_ if the servers
> are subject to buffer overflows! An attacker doesn't have to bother
> guessing or sniffing query times and IDs, and forging DNS responses,
> if he can simply take over the DNS server.

yes. see the proceedings of the fifth usenix security symposium for
further evidence of this, and evidence that i agreed with this view even
several years ago, well before the current events.

> This NXT buffer overflow isn't part of some old code that Paul Vixie
> inherited from careless graduate students. It's new code. It's part of
> BIND's DNSSEC implementation. I don't find the irony amusing. Obviously
> ISC's auditing is inadequate.

at times, yes it is.

> Does anyone seriously believe that the current BIND code is secure? If
> it isn't, adding DNSSEC to it doesn't help anybody. Is ISC going to
> rewrite the client and server in a way that gives us confidence in
> their security?

yes, this has been done over the past 18 months. the result is BIND 9.
and yes, it's all new code, and yes, it's been audited, and yes, it's
designed to be audited, and yes, things like the NXT bug are the reason.

> David R. Conrad writes:
> > In addition, we recommend running your nameserver as non-root and
> > chrooted (I know setting this up is non-trivial -- it'll be much, much
> > easier in BINDv9).
>
> ``I wouldn't consider installing named any other way,'' I told Vixie in
> September 1996. He didn't respond. Of course, DNSSEC is equally useless
> either way; the only question is whether an attacker can also take over
> the rest of the machine.

when i saw the linux chroot("../../../../../../../..") hole i about fell
out of my chair. truly no place is safe any more.

------------------------------------------------ --

Alternative to BIND: http://www.dents.org/

------------------------------------------------ --

all info courtesy of BUGTRAQ@securityfocus.com
--

The MAPS RBL, for one....

[strabo]

The MAPS (Mail Abuse Prevention System) Realtime Blackhole List is one of his projects. As far as I know, he's still going to be working on that...

As for other stuff, check out Vixie Enterprises [vix.com]. He does work with IETF, I think he runs an ISP, and he's got a bunch of other projects, though I'm not sure what they all are off the top of my head...

- strabo

Re:Other Vixie projects?

[bob]

I'd be ecstatic if the DUL would go away. At a minimum, someone paying for a static IP address should be able to do direct SMTPs. And yes, I know the arguments, and no, I don't agree with them. Fix the protocol, don't dump on individuals.

--Bob

Thanks Paul...

[EnForce]

For all the years of hard work in developing what could without a doubt be one of the core pushes in the advancement of the Internet as we know it today. (Oh, and hey... your DNS tutorials and guidelines saved my ass years ago. You the man!)

why slam AlterNIC?

[klund]

From the article:: Vixie described this last feature as "the split-horizon DNS people have wanted for a long time," noting dryly (and to considerable applause) that as for "people like AlterNIC who want us to believe it's possible to have more than one set of root name servers, this will not facilitate their political agenda at all."

What is this feature, and why does Vixie hate AlterNIC? Is the (erstwhile) maintainer of BIND in bed with the money-grubbing, freedom-denying, satan-worshipping domain-name-controlling oligarchy?

Blech.

Re:Who will take over BIND?

[El Volio]

I'm not involved in kernel development, but it would seem to me that Alan Cox would take over, if Linus were to step down or otherwise no longer be able to lead Linux (hit by a bus, assassinated by the Illuminati, etc).

Which would inevitably lead to more foolish cries of "RedHat is becoming Microsoft!", since Cox is in fact a RH employee.

An alternate nameservice

[Frater 219]

(Following up on my own post to elaborate on an idea...)

As I understand it, the Hotline system depends largely on "trackers", which are systems which serve lists of Hotline servers. A server owner registers his/her server with one or more trackers; trackers are more widely-advertised (in the non-commercial sense of the word) than servers are; hence, users who discover a tracker discover all servers listed on it. Trackers, unlike the DNS root, are not global, and some of them may be quite difficult to locate; indeed, there are now meta-trackers (tracker-trackers) and (I'm told) even meta^2-trackers. Trackers serve to publicize servers, but they are not global nor are they as reliable as nameservice. Furthermore, they do not serve the authentication function which DNS does (through the IN-ADDR system, aka Reverse DNS).

A similar system could be constructed for names. Each client system (resolver) would need to know about some set of nameservers and meta-nameservers, through which it could search to find a machine or domain with a particular name. When an application gives the resolver a name to resolve, the name is passed to any or all of the nameservers, which return addresses -- just as DNS nameservers do.

The difference is that the resolver would have to query multiple nameservers, because of the lack of central organization to the system. Some servers would know about a particular name; others would not. Some servers might know that certain other servers knew an address for a name -- just as DNS has the forwarding system and routers have their route-advertisement protocols. However, since no one server could be guaranteed to find a name, the resolver would be best off querying every server it knows about.

Furthermore, because of the lack of a central authority, servers could disagree on the proper address for a given name. A resolver could look up "Slashdot" on a set of nameservers and get back two different answers -- or ten different answers. At that point, a decision of trust must be made: which servers do you trust to have the "real" Slashdot's address? All the problems of a PGP-style web of trust enter into the system here: a nameserver is acting as an introducer, just as a signer of a PGP key does.

Such a system would be by nature nondeterministic. It would be prone to all manner of reliability problems. However, it would be largely free of policy problems: since there would be no central authority, there could be no centralized injustice, such as some accuse NSI of exhibiting.

The decision between DNS and such a system is the decision between a centralized regime and a radically distributed regime: a cathedral and a bazaar -- or, more to the point, a hierarchy ("hieroi-archoi" -- holy leaders) and an anarchy ("an-archoi" -- no leaders). I make no claim as to which would be better for users, for the market, or for the Net as a system.

CONGRATS

[mangino]

I just wanted to say thanks (since you seem to be actively reading and responding here) I've enjoyed using MAPS, BIND and crond for quite some time. I'm appreciate the time you've taken to make the internet what it is today, both from working on BIND to chairing the ISC. You've provided a great service to the internet community. Mike
--
Mike Mangino Consultant, Analysts International

Re:Give This Man a Medal

[vectro]

Too late, he already won the Free Software award in a previous year.

Incidentally, he is also on the judging panel for the 1999 award.

oh no :(

[micr0s]

I feel like I am going to cry :( We are losing an incredible coder of a software that is probably one of the most important things on the internet. Who's taking over? I hope its someone good...

Re: Who will take over BIND?

[strabo]

Actually, just because Paul is stepping down as head maintainer and the lead architect, doesn't mean that ISC [isc.org] is stepping down. The Internet Software Consortium was founded by Vixie, but is much bigger than just him.

Also, there are no more expected releases of BIND 8.x, with the exception (obviously) fixes. The development of BIND 9 has not included a single line of Vixie's code - and it is written COMPLETELY from SCRATCH - no legacy BIND 8.x code in it. He has spent his time recently finishing up with BIND 8.2.2, and is leaving BIND 9 to a new team.

Paul was quoted as saying: "It's a thing of beauty. I have not got a single line of code in BIND 9 - and I hope that's not the reason that it's a thing of beauty." :) He went on to explain that it was because he was able to maintain the 8.x code by himself, since he knew it so well. It would have taken a couple of people to do it otherwise, and it was a matter of priority - so he did that, and let the others focus on BIND 9.

- strabo

What else can I say....

[wolf-]

...but thank you, Paul.

Paul is a really great guy. I remember not so many years ago, email conversations with him in which he hand walked me through setting up some DNS (back in my younger years). I just hope, that the team left behind on BIND doesn't start slacking off..

Re:Who will take over BIND?

[rde]

I'm not doing anything this weekend; I'm sure I could fit it in.

Re:Give This Man a Medal

[devphil]

Indeed. BIND is arguably the glue that holds all this crap together. We owe him a /lot/, and he doesn't get recognized for it nearly enough.