BIND 9.1.2 and TinyDNS???

D. J. Bernstein 75628121832146-bind at sublist.cr.yp.to
Tue Jun 12 18:33:22 UTC 2001


See http://cr.yp.to/djbdns/ad.html for further information on djbdns.

The third-largest and fourth-largest domain hosting companies on the
Internet now use tinydns to publish addresses for more than half a
million .com's and .net's and .org's. Keep this in mind when you see
Brad making uninformed claims about speed, support, deployment, etc.

I'm amused by Brad's hypocritical comments about waiting for tinydns to
be ``put into permanent use on one or more root nameservers.'' The roots
are using BIND 8.2.3, not BIND 9.

Brad Knowles writes:
> you end up having to set up separate external and internal TinyDNS servers

False. djbdns supports separate servers in a much nicer way than BIND,
but it also supports client differentiation, with per-line granularity.
See http://cr.yp.to/djbdns/faq/tinydns.html#differentiation.

In contrast, BIND 9's ``views'' have per-zone granularity: BIND 9 forces
you to maintain two separate zones.

> it does not hand out referrals to questions that are asked of zones it
> does not control.

False. It _optionally_ hands out referrals in this bogus situation. Brad
is making a fool of himself when he suggests that this has anything to
do with DNS interoperability: DNS clients and caches, including BIND,
throw away referrals of this type.

> there is no support in TinyDNS or dnscache for the DNSSEC extensions,

Correct. The reason for this is that installing DNSSEC does nothing to
protect us against attacks, and it will continue to do nothing for the
foreseeable future. See http://cr.yp.to/djbdns/forgery.html. 

> there are plenty of other aspects of the DNS RFCs which I believe that
> TinyDNS does not implement at all, or does not implement correctly.

djbdns implements all the required DNS standards. BIND doesn't; see, for
example, http://cr.yp.to/djbdns/newtypes.html.

> TinyDNS is an authoritative-only nameserver.

Correct. As stated in the ``DNS and BIND'' book, third edition,
``Securing Your Name Server,'' page 255: ``You should make sure that
these servers don't receive any recursive queries.''

---Dan
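
The per-line client differentiation referred to above, as an added example that is not part of the original post and is not djbdns code: a simplified Python model of how tinydns-data `%` location lines decide which `+` records a given client sees. It assumes the documented `%lo:ipprefix` and `+fqdn:ip:ttl:timestamp:lo` line formats; the function names, hostnames and addresses are constructed for illustration.

```python
# Added illustration: simplified model of tinydns-data "%" location lines.
# Only "%" and "+" lines are handled; all names and addresses are constructed.

SAMPLE_DATA = """\
%in:192.168
%ex
+www.example.com:192.168.1.5:::in
+www.example.com:203.0.113.5:::ex
+mail.example.com:203.0.113.25
"""

def parse(data):
    """Return (locations, records) from tinydns-data style text."""
    locations, records = [], []
    for line in data.splitlines():
        if not line or line[0] == "#":
            continue
        fields = line[1:].split(":")
        if line[0] == "%":
            # %lo:ipprefix ; an empty prefix matches every client
            prefix = fields[1] if len(fields) > 1 else ""
            octets = tuple(int(o) for o in prefix.split(".")) if prefix else ()
            locations.append((octets, fields[0]))
        elif line[0] == "+":
            # +fqdn:ip:ttl:timestamp:lo ; trailing fields are optional
            fields += [""] * (5 - len(fields))
            records.append((fields[0].lower(), fields[1], fields[4]))
    return locations, records

def client_location(locations, client_ip):
    """A client is in one location; the longest matching prefix wins."""
    octets = tuple(int(o) for o in client_ip.split("."))
    best = None
    for prefix, lo in locations:
        if octets[:len(prefix)] == prefix:
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, lo)
    return best[1] if best else ""

def answer(data, client_ip, name):
    """A records for `name` as seen by `client_ip`."""
    locations, records = parse(data)
    lo = client_location(locations, client_ip)
    # Records with no location are visible to all clients; records tagged
    # with a location are visible only to clients in that location.
    return [ip for fqdn, ip, rlo in records
            if fqdn == name.lower() and rlo in ("", lo)]
```

Only the two `www` lines carry a location tag; the untagged `mail` line is shared by both client populations, so a single data file serves both.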

