Dan's "Ease of Use" Table, Redux (was Re: bind 8.2.4: limiting used memory?)
D. J. Bernstein
75628121832146-bind at sublist.cr.yp.to
Mon Aug 13 20:44:23 UTC 2001
Brad Knowles writes:

> I still have yet to see something that can begin to approach BIND in
> terms of the functionality needed to provide either authoritative-only
> or caching-only nameservice,

Back in the real world, djbdns is widely used for both of those tasks.
It never crashes, and it's backed by a $500 security guarantee. See
http://cr.yp.to/djbdns/blurb.html for more advantages.

> and with recent versions of BIND, to be
> able to securely mix those two operations on the same machine.

With djbdns, these services are protected from each other even when
they're running on the same machine. They run under separate uids in
separate chroot jails. There's no risk of BIND-style pollution.

> djbdns is *way* too far down the "patchwork" road

daemontools and ucspi-tcp are used for dozens of other applications.
What you're calling ``patchwork'' is what other people call ``power''
and ``modularity'' and ``interchangeable parts.''

Does it bother you that a UNIX system may have hundreds, even thousands,
of executables? Are you going to claim that packages shouldn't rely on
cat and chmod and cp and ed and ln and ls and mv and pax and rm and sh?

> depends on far too many other bits and pieces to be filled in by other
> programs/packages

The daemontools+ucspi-tcp+djbdns installation is trivial. The packages
work together smoothly. As for secure file transfer, taking advantage of
a general-purpose tool like ssh makes life much easier for the sysadmin
than demanding configuration of another ad-hoc system like TSIG.

> patches to be
> provided from third parties to get important functionality, etc....

False. I do not expect users to install any patches.

---Dan