How good is BIND?

Simon Waters Simon at wretched.demon.co.uk
Sun Jun 10 09:29:52 UTC 2001


"David F. Newman" wrote:
> 
> Until recently I didn't even know there
> was another DNS server for UNIX.  djbdns claims that bind
> is just too buggy to use.  I know that there have been
> some major bugs found in bind in the past, but what do
> people think of the current version of bind?  If given the
> opportunity, would people use bind in a root server?

As discussed already BIND 8 is used in "the" root servers,
so clearly some people would use BIND 8 as a root name
server.

DJBDNS is not the only alternative DNS server for Unix.
DJB's web site lists plenty.

DJB focuses on security, and to an extent simplicity, in
that he has avoided implementing parts of the DNS standards
that he considers insecure, or likely to lead administrators
into error.

This lack of features makes DJBDNS mainly suitable for
deployment in the Internet (or similarly risky environments)
as many organisations are likely to want (for better or
worse, probably worse) more featured DNS servers internally.

Perhaps the most interesting thing DJB has done is split the
caching of DNS responses from hosting a zone. The same
approach can be done with BIND 9 (or 8) but of course you
still have the code running to do the other thing, even if
you have "disabled" it with the options.

As regards recommending BIND 9 - well I have done, I've used
it extensively both in release and pre-release versions and
never seen a bug in the basic functionality required to
provide Internet name resolution. I haven't really tested
the advanced DNSSEC and other features to a point where I
could say I had any confidence in them.

My main concerns with BIND 9:

Lack of exposure - BIND 8 still dominates the Internet, and
no doubt some proportion of the security holes uncovered are
down to the fact that if you crack BIND 8 you could
conceivably control the whole Internet (100% remember the
root name servers), whereas BIND 9 or DJBDNS will give you
a few percent at best AFAICT.

Changing code:

As a reference implementation BIND 9 attempts to implement
pretty much everything in the standards (and some extra
bits), this doesn't make for a small, clean implementation,
and programmers make mistakes.

I would recommend BIND 9 as a root server, and if you choose
to deploy your internal DNS with the full range of security
features that the DNS standards now offer I suspect you
don't have much choice. Whether these advanced security
features realistically buy you much (or anything) in
security terms is an interesting question.
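The split between caching and zone hosting described above, written out as two separate BIND 9 named.conf files (an added example, not from the original post; example.com, the file paths and the 192.0.2.0/24 addresses are placeholders):

```conf
// Added example, not from the original post. Two separate named.conf files:
// one for an authoritative-only server, one for a caching-only resolver.
// example.com, the file paths and the 192.0.2.0/24 addresses are placeholders.

// --- named.conf on the authoritative server: answers only for its own zones ---
options {
    directory "/var/named";
    recursion no;                  // never resolve on behalf of clients
    allow-query { any; };          // authoritative data is public anyway
    allow-transfer { 192.0.2.2; }; // only the secondary may pull the zone
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

// --- named.conf on the caching resolver: hosts no zones of its own ---
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.1; }; // internal clients only
    allow-query     { 192.0.2.0/24; 127.0.0.1; }; // not an open resolver
};

zone "." {
    type hint;
    file "named.root";             // root hints, so it iterates from the roots
};
```

With `recursion no` the authoritative server refuses recursive queries from anyone, and `allow-recursion` keeps the resolver from serving the whole Internet; as the post points out, the recursion and zone-serving code is still compiled into `named` on both boxes, so this separates exposure, not code.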