Re: djbdns: An alternative to BIND

  • From: Dean Anderson
  • Date: Mon Apr 11 03:05:26 2005

On Fri, 8 Apr 2005, Vicky Rode wrote:

> Just wondering how many have transitioned to djbdns from bind and if so
> any feedback.

DJBDNS is just about the best cache there is. The nameserver is also good.
Security is a good reason to switch to djbdns. Good performance is

But switching isn't just about the 'goodness' of the new server. You need 
to consider the 'badness' of the old server. And where both servers are 

Several previous security vulnerabilities in BIND is one strike against. 
These might be fixed. There might still be others.

Violation of trust on other projects is another. e.g. Exactis V. MAPS,
Several MAPS employees working for well-known spammer Scott Richter
described in Spam Kings by Brian McWilliams.

But what pushed me was that BIND9 is not compliant with AXFR standards.

There is more to the story than can be explained shortly. However, Vixie
and crew tried to ramrod a change to AXFR a while ago to make BIND9
compliant. And asking _every_ other implementation to change in the
process.  That effort failed. So far as I know, ISC has not made any
effort to either tell people that BIND9 isn't compliant, nor alter BIND9
to be compliant. At present, BIND9 attempts to detect whether it is
transferring from another BIND9 server to determine whether to use the
standard protocol or to use the non-standard BIND9 protocol.  It's not a
real big problem, though the BIND9 detection might be dicey.  An
implementation that pretends to be BIND (but not using the proprietary
protocol) might have a problem. But so far as I know, there are no such
implementations at present, so it's not a big problem, at least, not right
now, anyway. It could be a problem later, if someone introduces a server 
that pretends to be BIND9, but isn't.  It's more of a proprietary "lock-in" 

