[HN Gopher] A love letter to ISC bind
       ___________________________________________________________________
        
       A love letter to ISC bind
        
       Author : telmich
       Score  : 30 points
       Date   : 2021-02-22 12:44 UTC (10 hours ago)
        
 (HTM) web link (ungleich.ch)
 (TXT) w3m dump (ungleich.ch)
        
       | ur-whale wrote:
       | djb would beg to differ:
       | 
       | https://cr.yp.to/djbdns/blurb/unbind.html
       | 
       | [EDIT]:
       | https://www.google.com/search?channel=fs&client=ubuntu&q=bin...
        
         | anticristi wrote:
         | Nice one! I ran both BIND and tinydns. I loved how tinydns only
         | did authoritative DNS, whereas BIND mixed two different
         | servers, with completely different risk profiles: authoritative
         | and resolver.
        
       | otherflavors wrote:
| I am just glad ISC gave up on 'the DNS server written in Python
| and C++, formerly known as "BIND 10"', now spun off as Bundy (like
| Ted), and in deep hibernation mode.
        
       | zokier wrote:
| From an outsider's point of view DNS is kinda weird and fascinating
       | (and a bit scary). Conceptually simple key-value store, but then
       | there is readily apparent so much complexity that is kinda
       | surprising. So many extensions, edge cases, legacy leftovers, and
       | all sorts of things. Also nice and interesting that there seems
       | to be many high quality foss options to choose from with
       | different flavors.
        
       | h2odragon wrote:
       | Kept my own BIND 4 patchset and kept it running on the public
       | internet until 2007. Even that version, with its well known
       | flaws, served my needs well.
       | 
       | I wonder how the ratio between "thanks" vs "your software sucks"
       | commentary on the BIND family has been, through the years.
        
         | oblio wrote:
         | For a while BIND had a reputation as a Swiss-cheese DNS server.
         | 
         | I think they fixed those issues after a major rewrite. But at
         | least from the security point of view it was considered really
         | bad. Functionally it did the job, but considering that DNS
         | servers are frequently used on the open web, they're still
         | major attack vectors.
        
           | h2odragon wrote:
| Mine was instrumented up to report what it saw. Fun times. It
| still drew the occasional creative attempt till I shut it
| down.
        
           | castillar76 wrote:
           | The reputation for BIND for a long time was that it was
           | immensely complex because (as the reference implementation)
           | it supported absolutely all the weird corner-case oddities
           | that you could do with DNS. All that code complexity and
           | flexibility came with a huge cost in terms of exploitable
           | bugs and extra "oops, didn't know I had to turn that off"
           | features.
           | 
           | I know coming up the recommendation was always "use something
           | else if you can, use BIND if you have to". It's nice to hear
           | they've improved things to the point that using it doesn't
           | mean tons of extra labor for the security department! On the
           | other hand, that reputation has allowed a lot of other good
           | "supports 75% of everything and 100% of anything you're
           | likely to need" implementations to flourish, which is also
           | good.
        
             | anticristi wrote:
             | Unfortunately, some of BIND's complexity is accidental.
             | BIND took the controversial decision to act both as an
             | authoritative DNS server and a resolver. Yes, they both
             | talk DNS, but their role and risk profile is so different,
             | it would have been better to have two development tracks.
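The split anticristi argues for can be expressed in BIND's own configuration by running two separate named instances, each with one role. The fragments below are an added example, not from the thread or from ISC; the zone name and addresses (example.com, RFC 5737/3849 ranges) are placeholders.

```conf
// Added example: two named.conf fragments for two separate hosts.
// Each daemon keeps only one role, so it carries only one risk profile.

// ---- named.conf on the public authoritative host ----
options {
    recursion no;                      // never resolve on behalf of clients
    allow-query { any; };              // anyone may ask for the zones we serve
    allow-query-cache { none; };       // no cache to serve, nothing to poison
    allow-transfer { none; };          // AXFR only where a zone overrides this
    minimal-responses yes;             // smaller answers, less amplification
};

zone "example.com" {                   // placeholder zone name
    type primary;                      // "master" in older BIND releases
    file "/var/named/example.com.zone";
    allow-transfer { 198.51.100.10; }; // placeholder: the secondary's address
    also-notify { 198.51.100.10; };
};

// ---- named.conf on the internal resolver host ----
acl "internal" { 192.0.2.0/24; 2001:db8::/32; };   // placeholder ranges

options {
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };     // not an open resolver
    allow-query-cache { internal; };
    dnssec-validation auto;            // validate answers before caching them
};
```

`named-checkconf` on each host confirms the syntax before reload.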
        
       | cat199 wrote:
| Related question - anyone have any nice view-aware ways to deal
| with zone data? (and ideally, have some API and manage DHCP as
| well?) Hacking together some scripts to export from a database,
| but would be nicer to use someone else's already-maintained hacked
| up scripts :)
        
       | Anthony-G wrote:
| For the past 10 years, I've been happily using BIND to manage
       | my two personal domains and haven't encountered any problems. I
       | run the primary (master) name server on my VPS while Gandi
       | provide the secondary server.
       | 
       | For those who might be interested in learning more about using
       | BIND and DNS administration, the ISC are currently running a
       | series of monthly webinars on various aspects of BIND:
       | https://www.isc.org/blogs/bind-management-webinar-series-202...
        
       | kazen44 wrote:
| I have found BIND to be troublesome for running large(r) scale
       | workloads.
       | 
       | Also, dealing with zone files just gets annoying, especially
       | compared to DNS servers that support database backends.
        
         | toast0 wrote:
         | I haven't had to run large workloads, but for smaller
         | workloads, having a zone file in version control is so much
         | nicer than fiddling with a database.
        
           | kazen44 wrote:
| I kind of agree with you there. But managing zone files when
| you have a couple of thousand domains just becomes nearly
| impossible. Also, lack of an API makes it even harder.
           | 
| Personally I have been very happy with PowerDNS for a very
| long time. BIND works, but IMO is more of a legacy
| application compared to modern alternatives.
        
       ___________________________________________________________________
       (page generated 2021-02-22 23:01 UTC)