Interview with Dave Conrad and Paul Vixie (revised)

By shevek
Thu Oct 05, 2000 at 11:32:04 AM EST
TOS clued me in to an interview at Linux Security with Dave Conrad and Paul Vixie on the recent general release of BIND version 9. It's a great read, with information about the new feature set: auditability, back end database support, security (both transactional and authenticity), portability, abstract user and management interfaces, and SNMP. It also contains their answers to djbdns, Daniel J. Bernstein's DNS toolkit.

There's an interesting interview of Paul Vixie and David Conrad in Linux Security. Paul Vixie is the current "maintainer" of BIND, which is the reference implementation of a DNS server. Dave Conrad is the Executive Director of the Internet Software Consortium (ISC), which is the host of the Open Source version of BIND. There has been a recent stable release of BIND known as v9. This is big news in the internet, and there seem to be some very interesting features in BIND9. One of the most interesting to me is called views, which may allow me to have a single authoritative zone for networks I run and all of their "split horizons".

I haven't been able to get on the ftp server (you can imagine it's very popular right now) to have a look at the BOG (BIND Operator's Guide) which will describe the release in detail.

Anyway, here's the link to the article:


and here's Vixie's answer to "Can you tell us the reason for this rewrite and what new features have been added with BIND version 9?"

Because every bit of effort I ever put into BIND, from version 4 to version 8, was patchwork. The basic sleazeware produced in a drunken fury by a bunch of UC Berkeley grad students was still at the core of BIND. In 1998, Jerry Scharf, who was the Executive Director of ISC, convinced the remaining UNIX vendors and a few government agencies that the only way to support all of the new DNS protocol enhancements was to totally rewrite BIND. That work is substantially complete as of last month. The major feature isn't security as much as it is robustness. BIND9 was written by a large team of professional software developers who had enough time and enough money to "get it right." BIND9 is auditable in ways which BIND8 and BIND4 never were. It will support the next generation of DNS protocol evolution, as well as back end database support, security (both transactional and authenticity), portability, abstract user and management interfaces, SNMP, and everything else that's needed to be a robust commercial product in the Internet of Y2K and beyond.

There's a whole lot more detail in this article, so I encourage you to read this if you run a DNS server.
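The "views" feature mentioned above, as an added illustration that is not part of the story or the interview: a BIND9 named.conf fragment serving one zone name with different contents to internal and external clients (split horizon). The ACL name, network ranges, zone name and file paths are assumed for the example.

```conf
// Constructed example: assumed internal address ranges.
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

// Once any view is defined, every zone must live inside a view.
// Views are matched in order; the first match-clients hit wins.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;               // only internal hosts may recurse
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // private hosts/addresses
        allow-transfer { internal-nets; };  // keep zone data off the Internet
    };
};

view "external" {
    match-clients { any; };      // everyone not matched above
    recursion no;                // authoritative answers only
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public names only
        allow-transfer { none; };
    };
};
```

The same query for a name in example.com is answered from a different zone file depending on the source address, so internal hostnames and addresses are never handed to outside resolvers.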


Interview with Dave Conrad and Paul Vixie (revised) | 13 comments
This story has a mandatory follow-up (3.25 / 4) (#5)
by NKJensen on Thu Oct 05, 2000 at 07:16:00 AM EST

An alternative DNS - with a $500 reward for anyone to break the security - is to be found here:


Sorry, I'm not a native English speaker/writer.
From Denmark. I like it, I live there. France is another great place.

Re: This story has a mandatory follow-up (4.00 / 3) (#7)
by YellowBook on Thu Oct 05, 2000 at 09:43:02 AM EST

From the headline, I would have thought that djb had already written his paranoid rant in response to the Vixie quote:

LinuxSecurity.com: Can you explain how security fit in to the new implementation? Do you have any feelings on how the two development processes differ?

Paul Vixie: Nothing really comes to mind here, except that Bernstein's software does not support either DNSSEC or TSIG, and as far as I know there are no plans to implement either one. BIND implements both. Even Microsoft implements TSIG.

I use qmail on all the servers I run, and I'm planning on looking at djbdns, but you've got to admit that djb suffers from NIH syndrome to a degree heretofore unknown to man. The thing that's keeping me away from djbdns is that I want to first figure out how to install it using standard tools rather than having to also learn and use djb's own idiosyncratic substitutes for sysvinit (daemontools) and inetd (tcpserver).

I'm really looking forward to seeing djb's response to this interview (and I'm sure there'll be one).

Re: This story has a mandatory follow-up (4.00 / 2) (#10)
by KindBud on Thu Oct 05, 2000 at 02:43:57 PM EST

I'm really looking forward to seeing djb's response to this interview (and I'm sure there'll be one).

He's already addressed many of Vixie's comments on his website, before this interview was published. Regarding DNSSEC, it's useless without a secure channel for distributing private keys. BIND makes no effort to provide this essential service, and NSI - who would have to be the ones managing it - have yet to do so, even though it was proposed over 7 years ago.

DNSSEC is often falsely advertised as a software feature that you can install to protect your computer against DNS forgeries. In fact, installing DNSSEC does nothing to protect you, and it will continue to do nothing for the foreseeable future. I'm not going to bother implementing DNSSEC until I hear a detailed, concrete, credible plan for central DNSSEC deployment. - http://cr.yp.to/djbdns/forgery.html

just roll a fatty

Re: This story has a mandatory follow-up (none / 0) (#12)
by Michael Leuchtenburg on Sat Oct 07, 2000 at 09:17:21 PM EST

What's "NIH syndrome"?

[ #k5: dyfrgi ]
[ TINK5C ]
Re: This story has a mandatory follow-up (5.00 / 2) (#13)
by YellowBook on Sun Oct 08, 2000 at 10:00:57 AM EST

What's "NIH syndrome"?

"Not Invented Here."


DJB has an annoying tendency to disparage standard tools and write his own replacements which he expects you to use. This isn't inherently a bad thing, when there are problems with the standard tools, but he also ignores existing alternatives to those tools, and sometimes fixes things that aren't broken. That still wouldn't be so bad, except that he ties all of his useful software (like qmail and dnscache) to his highly idiosyncratic toolset so that it's almost all-or-nothing to use or not use djb software.

Case one: inetd. Inetd has problems, but most people who care about those problems are using xinetd. Xinetd is widely considered the "standard" successor to inetd. Can you use qmail with xinetd? Yes -- if you have a good understanding of both qmail and xinetd. djb wants you to use his "tcpserver" -- an odd little server program that is like a combination of inetd and tcpwrappers except that each tcpserver process only listens on one port (kind of an un-superserver). Using tcpserver means filling up your rc.local with a tcpserver for each service you'd normally run from inetd.

Case two: daemontools. Daemontools are a set of scripts for starting and stopping servers, and keeping them running if they die. Not a bad idea, but they overlap something terrible with SysV-style init scripts. They do some things that SysVinit doesn't, but if you want to use daemontools throughout your system, you'll have to rewrite your init scripts, and/or put everything in rc.local and rely on daemontools. SFAIKT, daemontools are required for djbdns -- my first project when I get around to trying out djbdns (which has a lot of good features and in particular is nicer to use with alternative roots like OpenNIC than bind is) will be to try to get djbdns working without daemontools.


ISC, some dubious practices... (3.00 / 3) (#8)
by Alhazred on Thu Oct 05, 2000 at 10:53:32 AM EST

I'd love to hear more about this little routing war ISC recently engaged in. BIND is BIND is BIND, but the behaviour of the entire ISC crowd seems very arrogant. Who are these yahoos that own ISC now and think they can use BGP to route other people's traffic into oblivion? And why is it that stink blew over so quickly?
That is not dead which may eternal lie And with strange aeons death itself may die.
Ummm, Do you mean MAPS? (4.00 / 2) (#9)
by shevek on Thu Oct 05, 2000 at 11:36:32 AM EST

I'm pretty sure MAPS runs the RBL, not ISC. Mind you, Vixie is associated with the RBL and MAPS, but that is not the same as the ISC. AFAIK, ISC just develops and publishes software, while MAPS runs a very active feed designed to be used by nameservers and routers.
-- Philosophy:Cosmology::Signified:Signifier
Re: Ummm, Do you mean MAPS? (3.00 / 1) (#11)
by Alhazred on Thu Oct 05, 2000 at 05:17:58 PM EST

MAPS and ISC are I believe owned by the same people...
That is not dead which may eternal lie And with strange aeons death itself may die.