NS record question

Bob Vance bobvance at alumni.caltech.edu
Wed Mar 28 14:13:30 UTC 2001

I feel a little bad that I help start this (along with Doug) this after
misinterpreting what Roy originally said.
After a quick read I got the impression (and I believe that Doug did,
too) that Roy was saying that everyone should start upgrading to BIND9
now.  After re-reading it was evident that he said "BIND8 development is
dead" and "if you want the new features" and then you should go to
BIND9 -- not so hard to understand, is it :).

I don't really know how I could have misread it so badly except being in
a hurry.

OTOH, I think the *we* were misunderstood slightly.
I'm not being a Luddite (and I don't believe that Doug was either).  I
was just pointing out that it was not such an easy decision to
*immediately* jump into BIND9 -- and again this was a reaction to the
misreading of Roy's original intent :|

Certainly the development on BIND9 is a wonderful thing and we all
appreciate it -- and we will be assimilated :)  We would make no other

But, there are two major issues facing many of us:

1) there is a learning curve on the processes and features.
I know that it seems ridiculous, but my time is very much precious
lately, and taking time to read the migration doco and figure out
changes for starting and stopping and 'rndc' and keys, yada yada, is not
something I want to do right now.  If I could just compile and go, like
with new BIND8 releases, I'd be glad to install and run it to test it.
But if I have to spend a lot of time just to figure out how to get
started, then I'm a little reluctant at this time.  For anyone whose
only responsibility is to support DNS, then time's probably not an
issue -- not so for me.

And given, the following

2) we have the impression that BIND9 is not stable given the frequency
of RC
releases.  Of course, the positive attitude is,
    "Great! Look at all the fixes were getting for BIND9.
     Poor, lil' BIND8 -- he just gets no attention any more --
     who knows what evil lurks ...

it just makes sense for me, personally, to wait until BIND9 appears more

This is from the point of view of those on the "fence", as Bill said.
Although, really, it's not a matter of *if*, which would be the mindset
of a fence sitter, but it's a matter of *when*.  It's more like we're in
the jump line and saying, "No. Please, go right ahead -- after you :)"

Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of Brad Knowles
Sent: Tuesday, March 27, 2001 5:56 PM
To: Bill Manning; Roy Arends
Cc: Doug Barton; Roy Arends; Bob Vance; bind-users at isc.org
Subject: Re: NS record question

At 2:19 PM -0800 3/27/01, Bill Manning wrote:

>  	There is this little bit of wisdom from the security community.
>  	small, simple bits of code that have had lots of public scrutiny
>  	tend to be more secure (not to mention faster) than large
>  	chunks of new code, with new features and unknown/untested
>  	interactions.

	I understand the "many eyes" theory, but the problem is that with
two million lines of code, it's impossible to mathematically prove
the code secure, and just because you have a lot of people *looking*
at the code, doesn't mean that you have a lot of people that are
*telling* you about the security holes that they're finding.

	Moreover, sticking with the old code prevents you from making use
of the new "programming by contract" security features of BINDv9,
where now each routine and function call applies near-paranoid levels
of checking to all of its inputs, to do everything possible to ensure
that a security compromise simply cannot occur.

>                  even when they were created in "ancient labs"
>  	by undergrads (kind of like IP.. no? :) and much respect to
>  	Paul, but there were/are many professionals who made v8 work
>  	in an open, sharing environment.

	And there are many professionals making BINDv9 work in an open,
sharing environment.  All the code is there to see, and if anyone
wants to suggest any new code to add any new functionality, they're
more than welcome to submit that -- just like they always could.

	The primary difference is that any code submitted would be used
for inspiration for a redesign from the BINDv9 programming team, much
as frequently happens with many other open source projects (Eric
Allman always said that his biggest mistake in sendmail was simply
taking code contributed by others, instead of taking that as a
starting point for code he wrote himself).

>  	When we get a release of v9 that lasts more than 4 weeks,
>  	we can talk about stability.

	That's a very good point.  Myself, I'd like to see it being used
by all or many of the root nameservers.  When it can be trusted to do
that, it'll probably be good enough for me to run in production

Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>
/*       Represented as 1045 digit prime number by Phil Carmody
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'

More information about the bind-users mailing list