[NTLUG:Discuss] Bind, Apache and Webmin...

Chris Cox cjcox at acm.org
Fri Nov 9 10:04:24 CST 2001


Aaron Goldblatt wrote:

>> Unfortunately Daniel's egotism also means incompatibility with many
>> things.  djbdns will interoperate with other DNS's and tools for most
>> stuff... but I believe there are some issues, especially with the
>> newer security and ddns features.  Of course Daniel's implementation
> 
> 
> It kind of depends on what you want.  Personally, I'm paranoid about 
> Bind's security holes (which continue to pop up regularly enough that I 
> don't want to mess with it).  It's been a while since Sendmail had a 
> system-blowing hole, but Bind's last couple were early this year.
> 


Remember that ISC BIND 9.x (the first ISC BIND) is a total rewrite.

Actually sendmail's last "big" hole was only a few weeks ago (sigh).

But nothing has more holes than Exchange IMHO.


> And I'm also paranoid about abuse of DDNS.  The LAST thing I need is 
> someone screwing with my authoritative name server mucking around with 
> my A records.  Between that and Bind's habit of chewing up all available 
> memory for the cache, I'll take a pass.


TSIG security is decent.  Doubtful that someone would be able to
make entries.


> 
> Yes. Dr. Bernstein is a dick.  Yes, you sometimes have to jump oddball 
> hoops to get his stuff working, and the people on his mailing lists are 
> remarkably intolerant of repetitive questions and poorly written emails 
> that don't contain enough information.  Even so, I've found qmail, 
> djbdns, ucspi and daemontools to be rock solid in terms of reliability, 
> and there hasn't been an exploit on one of them in years.
> 
> That's more important to me than DDNS.  (Why would somebody need to 
> resolve a client managed with DHCP anyway?  Servers should be assigned 
> statically to begin with!)


The problem we (UNIX) face is that M$ supports ddns and it's a big part
of active directory and if UNIX wants to maintain control over DNS in a
mixed environment, it needs to figure out how to do it fast.  Trying to
tell a company not to use active directory is like telling them they
can't use Windows anymore... not likely to succeed.  Of course to fully
support active directory we need better LDAP integration as well... so
there's actually quite a bit of work to do.

Like it or not, if UNIX wants to continue to own name services, we really
need to support this... otherwise M$ will take it away.... and I don't
know of any way to stop that from happening except to support what
M$ needs.  Trying to be the "rebel with a cause" here will only end up
giving the entire name services market to M$.
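The TSIG point above, as an added illustration that is not part of the original post or of the BIND project's documentation: a BIND 9 named.conf fragment contrasting the wide-open allow-update that Aaron is worried about with a zone that only accepts dynamic updates signed with a shared TSIG key. The zone name, key name, file name and the placeholder secret are assumptions for the example.

```conf
// Added example (not from the original post).  Zone, key name and file
// name are made up; the secret is a placeholder and must be replaced.

// Shared secret for TSIG.  hmac-md5 is the algorithm BIND 9 of this era
// supports; later releases accept hmac-sha256, which should be preferred
// where available.  Generate the secret with dnssec-keygen (or, on newer
// BIND, tsig-keygen) and keep this file readable by named only.
key "ddns-key" {
    algorithm hmac-md5;
    secret "<base64 secret from dnssec-keygen>";
};

// Weak configuration: any host that can reach port 53 may rewrite the
// zone's records, which is exactly the A-record tampering Aaron fears.
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-update { any; };
// };

// Hardened configuration: an update is accepted only if it carries a
// valid TSIG signature made with "ddns-key".  Unsigned updates, or ones
// signed with another key, are refused before the zone is touched.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { key "ddns-key"; };
};

// Finer-grained alternative (use instead of allow-update, not together
// with it): the key may only add or change A records for names under
// example.com, so a leaked DHCP/DDNS key cannot replace NS or MX records.
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     update-policy { grant ddns-key subdomain example.com. A; };
// };
```

The same key stanza (name, algorithm and secret) has to be present on the client side, for example in the DHCP server's configuration or the key file handed to nsupdate, since TSIG is symmetric: both ends compute the HMAC over the update message and the server drops any message whose signature does not verify. Restricting the record types with update-policy limits the damage if that shared secret is ever exposed.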
