LWN: Comments on "A couple of alternative DNS servers"

A listing of DNS servers

rickmoen — Sun, 16 Mar 2003 10:59:26 +0000

anr asked: Please explain what makes you list djbdns under the "proprietary" category.

Gladly. Prof. Bernstein's terms of usage, while very generous and commendable, do not include the right to fork (Open Source Definition provision #3 -- which is the central concept of open source). Thus, nobody else has the legal right to develop, maintain, and release modified versions. Also, when/if Prof. Bernstein ceases to issue new versions, the project will probably pretty much die for lack of legal right to maintain the code (except in private or as patch files).

Please note that the term "proprietary" is not pejorative: It's a descriptive category, and includes a broad spectrum of licensing types, including Prof. Bernstein's benevolent source-available one on the liberal end.

Prof. Bernstein feels that his abilitiy to control the package's quality justifies this limitation (and he may be right). But, as a result, djbdns/dnscache is most plainly not open source.

As Sam says, Prof. Bernstein's DNS notes are a crucial resource for anyone wanting to truly understand DNS at a technical level, and I join Sam in recommending them to people.

Rick Moen
rick@linuxmafia.com

Re: Writing a DNS server is easy

ahu — Mon, 03 Feb 2003 18:46:07 +0000

two words: use c++ :-) Saves heaps of typical C problems if done right, like memory leaks and the need to write btrees and whatnot

What is free software

sam — Thu, 30 Jan 2003 00:33:58 +0000

A lot of DJB advocates seem to be confused about what the general free software community considers free software. The software is not software libre, according to the FSF. The open source web site mentions nothing about DJB's license, since it is not free software as per their definition (look at section three, "derived works").

Let me make this clear: Dan is one of the best programmers out there.

He has an excellent security history. He has many years experience with UNIX and a driving obsession which makes him a very good coder. His DNS notes were very helpful in making my DNS server a better program; while very opinionated, his opinions have merit. I respect him greatly as a coder.

He has understandable reasons to make is software not be libre. Unfortunatly, his code will have a limited appeal until when and if he releases it under a more open license.

- Sam

A listing of DNS servers

anr — Tue, 28 Jan 2003 12:49:07 +0000

Please explain what makes you list djbdns under the "proprietary" category. Some points:

* The source code is available to all who want it.
* You can distribute patches (and apply) at will.

It seems to me that a label like "Restricted Open Source" would be closer to the truth.

A listing of DNS servers

rickmoen — Mon, 27 Jan 2003 16:03:32 +0000

Recursive DNS servers are indeed still relatively rare, but I'm now keeping a record of nameserver packages of all types available (or believed available) for *ix, here:

http://linuxmafia.com/~rick/linux-info/dns-servers

Open source:

MaraDNS
pdnsd
Dnsmasq
DNRD
MyDNS
ldapdns
GnuDIP
NSD
PowerDNS
CustomDNS
lbnamed
Posadis
dents (probably dead, as Sam says)
Pliant DNS Server
Yaku-NS
Twisted Names
Oak DNS Server

Proprietary:

UltraDNS (UltraDNS Corporation)
djbdns/tinydns
ATLAS (Verisign)
BINDPlus (Information Network Eng. Group, Inc.)
Global Name Service (Nominum, Inc.)
NeDNS (Neteka, Inc.)

P.S.: It might be true, for all I know, that (as Sam says in one of his comments) that "writing a working recursive DNS server is like watching Highlander II", except that I'm sure you're not similarly driven to say "There should have been only one." *grin*

Rick Moen
rick@linuxmafia.com

Re: Writing a DNS server is easy

sam — Sat, 25 Jan 2003 10:41:49 +0000

Well, depends on what sort of infastructure you already have in place. My recursive server is over 4000 lines long (!!!), but that includes the entire caching infastructure.

Does your caching infastructure have a method of removing elements from the cache so they no longer take up memory?

It took us months to get rid of all of the memory leaks in MaraDNS' cache.

BTW, Bert, I would like to applaud you for making Power DNS open source. It is good to see being realistic enough to realize that you are better off GPLing this package. You will still earn money by putting it on your résumé to impress people when the tech economy picks up again.

It is good to have competition among different open source DNS products; I am glad the "call to arms" for a non-BIND DNS server which has resulted in a number of implementations. Just two weeks ago, there were all of three non-BIND freely downloadable recursive DNS servers (my MaraDNS, pdnsd, and DjbDNS). All of a sudden, there are two more--five in total.

- Sam

Writing a DNS server is easy

sam — Sat, 25 Jan 2003 10:14:17 +0000

Hmmm, well get back to us after you get compression working and after you have a working recursive DNS server. These are the two things which cause most would-be DNS implementers to give up on writing a DNS server. For example, moodns died when the author looked at what it took to get compression going. Dents died before the recursive part was finished. And so on.

I think it is apporoporate to quote a Slashdot posting I did recently:

Let me put it this way. Writing a DNS client (or a non-recursive DNS server) is sort of like Highlander I. Entertaining, really. You think to youself "Hey! That was easy! A recursive server can't be too bad!"
Well, writing a working recursive DNS server is like watching Highlander II. Suddenly, just as Highlander II changes your outlook on the entire Highlander franchise, writing a recursive DNS server changes your outlook on the entire DNS protocol.

- Sam

djbdns

anr — Fri, 24 Jan 2003 12:49:58 +0000

I don't think this is a good example, because the vast majority of users wouldn't benefit from this patch (there's a reason it isn't implemented upstream).

It's better to configure your desktop's dnscache in forward only mode.

But if you installed from source & want the patch anyway, applying it isn't rocket science ;-)

CNAMEs and djbdns

anr — Fri, 24 Jan 2003 12:37:09 +0000

What's wrong with CNAMEs:

http://cr.yp.to/djbdns/notes.html#aliases
http://www.faqts.com/knowledge_base/view.phtml/aid/8815/fid/699

What you should do instead: use A records.

Quoting the manual:
http://cr.yp.to/djbdns/tinydns-data.html

" Don't use Cfqdn if there are any other records for fqdn. Don't use Cfqdn for common aliases; use +fqdn instead. Remember the wise words of Inigo Montoya: ``You keep using CNAME records. I do not think they mean what you think they mean.'' "

Writing a DNS server is easy

ahu — Thu, 23 Jan 2003 20:18:05 +0000

I'll speak to you a year from now :-) Anyhow, the recursive part is not that hard, the PowerDNS one is just 448 lines.

Writing a DNS server is easy

paulsheer — Thu, 23 Jan 2003 12:42:20 +0000

I actually find the whole DNS concept quite laughable. Admittedly, a recursive nameserver is a largish software project, but a master server is actually very simple to write. I wrote one in a weekend and its soon going to be the primary server for the .nis.za domain. It handles all common record types, and TCP and UDP queries, and its lightning fast.

I'll release the code after I add recursive queries.

I believe it has no exploits.

CNAMEs and djbdns

ncm — Thu, 23 Jan 2003 05:34:01 +0000

The older report, on djbdns, mentioned that DJB doesn't approve of CNAME records. What is supposed to be wrong with CNAME records, and what are we expected to do instead?

DDNS and IXFR?

edstoner — Mon, 20 Jan 2003 17:21:59 +0000

Oak supports Dynamic updates. It doesn't support incremental zone transfers yet, but should in a week or two.

Oak supports AAAA records but doesn't support A6 or DNAME because the IETF has downgraded them to experimental and recommended that people don't use them (that's my understanding anyway).

Oak runs as an unpriviliged user by default and it should be fairly easy to run it in a chroot jail. These things are good at protecting the system the server is running on, but don't help at all in protecting the data in the running DNS server. Not having the cache poisoned and not having someone rewrite the zone data so that all of your server's names point to their machines can be just as important as not letting them be root on the host machine. In other words, the code in the DNS Server still needs to secure, no matter how secure the system it's running on is.

DDNS and IXFR?

hensema — Mon, 20 Jan 2003 09:11:36 +0000

Do these servers support Dynamic updates and incremental zone transfers? It's a feature of bind I can't live without because I'm using ISC DHCPD 3.0 which supports dynamic DNS updates.

I also use IPv6 and DNAME records (to simplify the administration of my reverses).

AFAIK bind is still the only DNS to support this. And since it's running safely in a chroot jail as an unpriviliged user, I don't worry about security ;-)

djbdns

iabervon — Mon, 20 Jan 2003 00:03:07 +0000

The license is somewhat inconvenient for users who want, for example, a local-only DNS server
which keeps its cache across reboots, like you might want for a desktop machine. A patch exists
to make dnscache do this, but it has to be applied by hand by the end user due to the license.

A couple of alternative DNS servers

edstoner — Sun, 19 Jan 2003 20:11:55 +0000

The latest version of Oak has distutils installation support.

Twisted Names -- another option

spiv — Sun, 19 Jan 2003 02:28:05 +0000

Another Python DNS server worth considering is Twisted Names, part of the Twisted library -- http://twistedmatrix.com/. Be sure to look at the 1.0.2 alpha, rather than 1.0.1, as Twisted Names is also being actively developed.

It's still a work in progress, but since Jp Calderone started maintaining it, it has been improving rapidly. I believe it currently has support for:
- recursive lookups
- authoritative answers
- caching
- TCP and UDP
- IPv6
- BIND9 zone files
- and probably other things I haven't noticed :)

The code should be flexible enough that you could write an SQL backend or whatever you need, if necessary. There's plenty left to be done (like optimisation), but I reckon its worth a look -- as is the rest of Twisted ;)

A couple of alternative DNS servers

stuart — Sat, 18 Jan 2003 18:05:50 +0000

What's more all of these DNS servers are available from Debian in official packages.
apt-get install <package name>
You gotta love it.

djbdns

anr — Sat, 18 Jan 2003 16:06:45 +0000

Don't let the "not-quite-free" argument put you down. The license isn't a problem for DIY end users.

Also, it's very hard to match DJB's code quality. Just take a look at the changelogs involved...

Togheter with daemontools & ucspi-tcp, the package can be very nice to use and administer.

Finally, tinydns' data format is very well thought out. The departure from using the problematic bind zone file format is refreshing.

pdnsd

dkeller — Sat, 18 Jan 2003 05:23:24 +0000

There's also pdnsd (http://home.t-online.de/home/Moestl/), may not
be a full DNS server but it works great when you have a VPN and need
services internet names and intranet names (behind the VPN).

dnsmasq

rfunk — Sat, 18 Jan 2003 01:15:40 +0000

There's also dnsmasq, which is a forwarding nonrecursive server that can serve up answers from /etc/hosts and the dhcp lease file.