LWN: Comments on "ISC releases BIND 10 1.2, renames it, and turns it over to community" https://lwn.net/Articles/595347/ This is a special feed containing comments posted to the individual LWN article titled "ISC releases BIND 10 1.2, renames it, and turns it over to community". en-us Sat, 11 Oct 2025 02:48:39 +0000 Sat, 11 Oct 2025 02:48:39 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Rise and Fall of BIND 10 https://lwn.net/Articles/596274/ https://lwn.net/Articles/596274/ shane <div class="FormattedComment"> The problem with BIND 10 (now Bundy) is that there is a lot of missing functionality. :(<br> <p> One of the reasons that BIND 10 had to be renamed is that it's not "Even More BIND 9" - it has quite a few differences. We had originally planned on taking a year to make a nice smooth set of conversion utilities, but had budget shortfalls and a lot of technical debt that made this impossible.<br> <p> So, basically if you are running a DNS secondary or a master authoritative server that doesn't rely on BIND 9 DNSSEC re-signing, then Bundy can probably fit your needs.<br> <p> We'll see how far we are able to go with the volunteer model...<br> <p> ----<br> <p> But I'll see if LWN is interested in an article based on the talk or just related to this topic, after I've given the presentation. :)<br> </div> Fri, 25 Apr 2014 20:09:49 +0000 Rise and Fall of BIND 10 https://lwn.net/Articles/596267/ https://lwn.net/Articles/596267/ mathstuf <div class="FormattedComment"> Maybe an article highlighting the changes from 9 to 10 possibly with a "why should I upgrade?" section could be made for LWN?<br> </div> Fri, 25 Apr 2014 19:35:43 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/596253/ https://lwn.net/Articles/596253/ shane <div class="FormattedComment"> I just did a "ps ax" on my system and counted more than 80 kernel threads in my process table. Is this too many?
Why?<br> <p> There are 14 processes with "akonadi" in my process table. Is this too many? Why?<br> <p> I see 6 "getty" processes. Is that too many? Why?<br> <p> And so on...<br> <p> ----<br> <p> Just to be clear, none of the fast-path processing requires context switching between processes. The approach does not hurt performance, and may even improve it (depending on the exact model of processes vs. threads on a given OS &amp; system architecture).<br> <p> With BIND 10 we realized that a lot of administrators would not like to see that many processes. It's "weird". So we make sure that all of the startup, shutdown, and (if necessary) re-starting of processes is handled transparently by the application itself. We also made sure that every process is named starting with "b10-" so that administrators can easily see all of the BIND 10-related processes running... I don't like seeing strange processes running on my systems that I have no idea what they are doing, and I expect many sysadmins feel the same.<br> <p> Still, it is clear that people get nervous by a DNS server running multiple processes, in spite of the fact that their web browser does it, their database server does it, their mail server does it, and even very popular DNS servers (NSD) do it.<br> <p> ----<br> <p> BIND 10 does a lot of things that are not the current way of doing things. In retrospect, this was a mistake, as we exceed most people's tolerance for change. (Especially administrators, who are mostly a very conservative and even somewhat superstitious lot...)<br> <p> ----<br> <p> We don't have any security between components, which are protected by normal Unix-domain socket file permissions. The components are intended to be different parts of a single application, running on a single machine. 
A compromise of the one component would not give an attacker direct access to all other running components, but it should be easy to cause a certain amount of mischief by using the message bus to send bogus commands around to other parts of the system.<br> <p> The idea was to limit the complexity of an already complex architecture as much as possible. By using separate process spaces rather than a threaded or event-driven model (like all other name servers that I know of), we might be a bit more secure, but that's explicitly NOT a goal of the approach.<br> </div> Fri, 25 Apr 2014 18:09:34 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/596183/ https://lwn.net/Articles/596183/ Cyberax <div class="FormattedComment"> I understand that process isolation might be good. But 12 processes? That is just too much.<br> <p> Also, what is the security model? Will a compromise in, say, DNSSEC module allow an attacker unlimited control over all hosted zones?<br> </div> Fri, 25 Apr 2014 12:28:06 +0000 Rise and Fall of BIND 10 https://lwn.net/Articles/596177/ https://lwn.net/Articles/596177/ shane <div class="FormattedComment"> Hey, I'm the former BIND 10 project lead.<br> <p> I'm going to be giving a presentation at the RIPE meeting in a few weeks about the project, tentatively titled "The Rise and Fall of BIND 10", covering the history of the project, its goals, what went wrong, and what went right.<br> <p> <a href="https://ripe68.ripe.net/programme/meeting-plan/open-source-wg/">https://ripe68.ripe.net/programme/meeting-plan/open-sourc...</a><br> <p> If I remember I'll post a link to the video and slides here when it's done.<br> </div> Fri, 25 Apr 2014 12:15:22 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/596175/ https://lwn.net/Articles/596175/ shane <div class="FormattedComment"> I'm the former project lead for BIND 10.<br> <p> The reason we have so many processes is fault 
isolation and minimal bug surface area.<br> <p> For example, if you don't need Dynamic DNS (DDNS) then you don't need to run b10-ddns, which is the component which supports that functionality. So any bugs in that code won't affect you, plus you don't carry the memory footprint for it and so on.<br> <p> Further, if you *do* need DDNS, then any bugs that affect that code won't corrupt other parts of the system, and the DDNS component can be restarted in the worst case without affecting query processing or zone transfer (for example).<br> <p> <p> As for dbus, we did look at this, and really, really wanted to use it, but client library support and licensing issues made it really tough for us to adopt such technologies. We documented part of the effort here:<br> <p> <a href="http://bind10.isc.org/wiki/msgqReplacements">http://bind10.isc.org/wiki/msgqReplacements</a><br> <p> We had pretty much decided on using Apache Qpid late last year, except that by that time the project was already on life support.<br> <p> <p> BIND 10 is in no way djb-envy. The goal was to replace BIND 9, which is a full-featured, scalable DNS server, not djbdns, which is neither.<br> </div> Fri, 25 Apr 2014 12:13:06 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/596173/ https://lwn.net/Articles/596173/ shane <div class="FormattedComment"> I'm the former project lead on BIND 10. ISC fired me a couple months ago as part of cost-cutting which included shutting down the project.<br> <p> I live in Holland and have almost no exposure to US celebrity news. I assure you it had nothing to do with the name. ;)<br> <p> I'm involved with the Bundy fork, since I hate to see good - although unfinished - software just get lost forever.<br> <p> ISC asked me and some other people interested in keeping the project to help think of a new name. 
None of us had any strong preferences, so when the suggestion was made to name the new fork after the old BIND 10 mascot, it seemed like a good idea.<br> <p> More information on the mascot here:<br> <p> <a href="http://bind10.isc.org/wiki/Mascot">http://bind10.isc.org/wiki/Mascot</a><br> <p> The name Bundy was given to the mascot by the original creator.<br> </div> Fri, 25 Apr 2014 12:05:35 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/596122/ https://lwn.net/Articles/596122/ proski And then Bundy opens his big mouth and confirms that notion. Ouch! <br> I just hope there would be no grazing fees in the ip6.arpa domain :) Fri, 25 Apr 2014 03:27:22 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595490/ https://lwn.net/Articles/595490/ dlang <div class="FormattedComment"> besides, try to find any name that can't be associated with some significant crime, I dare you :-)<br> </div> Sat, 19 Apr 2014 04:36:13 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595480/ https://lwn.net/Articles/595480/ jmclnx <div class="FormattedComment"> Al Bundy was my first thought also. And was thinking it is a good name considering the respect bind seems to get<br> </div> Fri, 18 Apr 2014 21:32:01 +0000 ISC releases Bind 10.2, DMS to manage Bind9.8+ DNS zones https://lwn.net/Articles/595478/ https://lwn.net/Articles/595478/ grantma <div class="FormattedComment"> Yes, I wrote it for a previous employer, and they have allowed me to open source it.<br> <p> It is probably more relevant than Bind10, as it uses BIND9, one tick right from the start. 
It supports auto PTR creation - a great help with V6, running DNSSEC zones, zone versioning, and all the important cryptographic records.<br> <p> Basically it allows you to leverage distributed power of your DNSSEC zone to augment SSL signed certs through TLSA, and opportunistic IPSEC.<br> <p> In IPSEC all the key material is in a separate process from the data, and it is more efficient if the relationship is lasting over a period of time.<br> </div> Fri, 18 Apr 2014 21:28:13 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595425/ https://lwn.net/Articles/595425/ TimSmall I've always wondered why <a rel="nofollow" href="http://www.nlnetlabs.nl/projects/nsd/">NSD</a> isn't more popular for authoritative-only sites. Uses BIND-compatible zone files too (and has DNSSEC support)... Fri, 18 Apr 2014 12:08:49 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595409/ https://lwn.net/Articles/595409/ bradh <div class="FormattedComment"> You might like to state any personal interest in this project. Fair disclosure, informed readers and all that.<br> </div> Fri, 18 Apr 2014 09:26:21 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595408/ https://lwn.net/Articles/595408/ niner <div class="FormattedComment"> You know the US is only a very small part of the world. 
The remaining 95.6 % of the world's population does not care that much about your local criminals or politics.<br> </div> Fri, 18 Apr 2014 09:20:17 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595407/ https://lwn.net/Articles/595407/ grantma <div class="FormattedComment"> URL should be:<br> <p> <a href="http://mattgrant.net.nz/software/dms">http://mattgrant.net.nz/software/dms</a><br> <p> <p> </div> Fri, 18 Apr 2014 08:18:19 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595397/ https://lwn.net/Articles/595397/ grantma <div class="FormattedComment"> In other News, DMS (management system for Bind9 DNS)<br> <p> <a href="http://mattgrant.net.nz/softwree/dms">http://mattgrant.net.nz/softwree/dms</a><br> <p> is being uploaded to Debian Sid aka unstable.<br> <p> Written in Python3, it achieves a lot of what BIND 10 does, but wraps BIND 9 with IPSEC, rsync, and a pile of shell scripts for DR....<br> </div> Fri, 18 Apr 2014 08:11:50 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595399/ https://lwn.net/Articles/595399/ drag <div class="FormattedComment"> He is not from an east coast state or California. <br> <p> That is enough to condemn a person as a default racist for a lot of people.<br> </div> Fri, 18 Apr 2014 06:51:11 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595396/ https://lwn.net/Articles/595396/ ncm <div class="FormattedComment"> My first thought was Al Bundy, of Married with Children, loved by nobody. <br> <p> Somebody around here thinks amateur serial killers deserve more attention than they get already. 
But if you're impressed with that stuff, you should be paying attention to the pros commanding drone fleets, coal-fired power plants, and tobacco mills.<br> </div> Fri, 18 Apr 2014 05:31:16 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595390/ https://lwn.net/Articles/595390/ Cyberax <div class="FormattedComment"> Ok, I tried to install and test it. Ugh.<br> <p> It created 6 daemons in the minimal configuration. In the complete configuration it'll have something like 12 daemons running, including its very own message bus (DBUS is too plebe). And anyway, I was not able to set up DNSSEC and it doesn't even support DNSSEC for DynDNS.<br> <p> This all smells like DJB-envy. But djbdns was a small and nimble daemon, very easy to manage. It used regular tools like rsync for zone management and very unixy zone files.<br> <p> I think I'll stick to BIND9 or maybe switch to PowerDNS someday.<br> </div> Fri, 18 Apr 2014 04:16:52 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595383/ https://lwn.net/Articles/595383/ gdt <p>Bundaberg Rum's "Bundy Bear" was likely the connotation at the top of their head.</p> Fri, 18 Apr 2014 00:04:46 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595379/ https://lwn.net/Articles/595379/ gerdesj <div class="FormattedComment"> It seems to me that the teams behind "Bundy" went a bit berserk in their design brief. <br> <p> As far as I can tell looking at it they wanted to create a massively scalable beast of a thing that will be at home serving millions of zones with 10s of millions of records. There are something like 10 daemons which seems sensible for security with an overall controller.<br> <p> The intention seems to be that this is able to deal with other infrastructure as well, perhaps an LDAP DB. I can't really tell exactly what they are getting at with this. 
OpenLDAP already has that covered very nicely and if you are that way inclined: AD. For my money Novell/Attachmate/whatever eDirectory is your man for a fast scalable hierarchical DB with knobs on. Unfortunately I haven't seen one in some time after spending a good 15 years looking after them in the past. Now if that got released as open source ...<br> <p> So, after a wine induced ramble - who is likely to use this thing? It ain't going to fit on a DDWRT and I suspect it's also a bit overkill for anyone who is not an ISP or hosting outfit. <br> <p> Some of us will have a play, I'm sure. I just don't see it will get wide, or any, adoption unless it gets a killer front end that just works whilst supporting a wide variety of back ends to appease the opinionated sysadmin (and aren't we all just a bit opinionated)<br> <p> I wish them the best - it's a huge lump of work with all the right buzz words in its development but a scrum is something I used to do at school and then university (actually a polytechnic but that is probably a foreign word to most readers including under 35 year old Britons) as a tight head prop - Grrr<br> <p> Cheers<br> Jon<br> </div> Fri, 18 Apr 2014 00:03:02 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595377/ https://lwn.net/Articles/595377/ maney <p>It seemed pretty clear to me that that was what they were doing. Let me see, the AI's semantic analysis went something like this... 
</p><p><i> Bind 10 was such an overblown example of second-system effect that no one uses it even though we've pushed it all the way to the 1.2 release, so we're tossing it under the wheels and rolling forwards with Bind 9, the version that's actually used as infrastructure.</i></p> Thu, 17 Apr 2014 23:38:46 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595376/ https://lwn.net/Articles/595376/ gerdesj <div class="FormattedComment"> Looks like it mate - it's pretty popular after all, that's what the statement alludes to.<br> <p> <p> </div> Thu, 17 Apr 2014 23:33:51 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595373/ https://lwn.net/Articles/595373/ fuhchee <div class="FormattedComment"> Can one read into their announcement that they will continue maintenance of bind 9?<br> </div> Thu, 17 Apr 2014 23:10:25 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595370/ https://lwn.net/Articles/595370/ Lukehasnoname <div class="FormattedComment"> In other news, the Python Software Foundation is releasing Python 3 to the community under the new project name 'Gacy'.<br> <p> "Gacy is a better, newer language than Python 2, and everyone should begin migrating their tools as soon as possible. Having said that, more people use Python 2, and we as an internationally known standards body do not have the resources to maintain both code trees. Feel free to hack away with Gacy." - president, PSF<br> </div> Thu, 17 Apr 2014 22:44:27 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595368/ https://lwn.net/Articles/595368/ krice <div class="FormattedComment"> Do you Really want to point people to the IREHR and Leonard Zeskind? That's one big can of worms there. ( the Sojourner Truth Organization connection, etc.) 
<br> <p> I mean, it's Friday, I'm enjoying a Double IPA myself, but geez...<br> </div> Thu, 17 Apr 2014 22:35:54 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595365/ https://lwn.net/Articles/595365/ dfarnsworth <div class="FormattedComment"> Do you have a source for your "white supremacist" allegation? The article you pointed to says he is a "county supremacist".<br> </div> Thu, 17 Apr 2014 22:18:22 +0000 ISC releases BIND 10 1.2, renames it, and turns it over to community https://lwn.net/Articles/595363/ https://lwn.net/Articles/595363/ branden <p>Sounds like they pulled an Oracle and don't actually want the community to pick up maintenance of "Bundy", or they would not have named it after a <a rel="nofollow" href="https://en.wikipedia.org/wiki/Ted_Bundy">serial killer</a> or a <a rel="nofollow" href="http://www.irehr.org/issue-areas/tea-party-nationalism/tea-party-news-and-analysis/item/553-bundy-standoff">white supremacist celebrity</a> who has <a rel="nofollow" href="http://www.google.com/trends/explore#q=%22cliven%20bundy%22&date=today%201-m&cmpt=q">featured prominently in ongoing U.S. news coverage of the past two weeks</a>. Thu, 17 Apr 2014 22:06:00 +0000