----- Original Message -----
From: Sam Trenholme
[mailto:sam+djbdns@chaosring.org]
To: dns@list.cr.yp.to
Sent: Wed, 14 Mar
2007 16:18:18 -0800
Subject: My criticisms of DjbDNS
> Hello, I am Sam Trenholme, the author of MaraDNS. In my MaraDNS advocacy
> page, I point out some problems with djbdns. I think my criticism is fair
> and balanced, since the issues I bring up are issues that have been
> discussed on this list several times--the akadns problem; the fact that
> djbdns hasn't changed one iota in five years; the fact that djbdns is
> not open source.
>
> Here is the text on my webpage. If anyone can find any factual errors in
> this
> text, let me know.
>
> ---
>
> It is very difficult for me to be critical of djbdns. Djbdns came out
> at a time when the only other viable name server was the very insecure
> BIND8. It allowed people who needed a DNS server to have a secure solution
> at a time when BIND had security patches released almost monthly. I myself
> have used it to keep installations I administered at the time secure.
>
> In addition, Dr. Bernstein, djbdns' author, has written a number of
> documents about keeping DNS secure which were very valuable during
> the design phase of MaraDNS, and have undoubtably improved MaraDNS'
> security. I have a good deal of respect for Dr. Bernstein's coding
> abilities.
>
> That said, djbdns has a number of issues which make it not practical to
> deploy on new installations.
>
> Djbdns has not changed one iota for over five years. In addition, it is
> not legal to distribute a changed version of djbdns. This is the number
> one problem with djbdns: Djbdns is not open source. Its license is not
> compatible with one fundamental pillar of open source: The right to
> distribute modified versions of a program.
>
> This is a very practical problem: There are high profile internet sites
> that djbdns' recursive resolver simply can not resolve. In order to make
> djbdns' recursive resolver resolve these sites, after downloading djbdns,
> you need to find the patch that fixes the broken recursive resolver,
> apply the patch, and hope the patch doesn't break anything.
>
> This isn't the only problem with djbdns' recursive resolver. Its list of
> root servers is out of date by five years; two root servers have changed
> since then. This makes the recursive server less reliable; fixing this
> requires changing the configuration by hand, or by applying yet another
> third-party patch.
>
> Installing djbdns is non-trivial; you need to download and install no
> less than three different packages. Djbdns will not compile on a modern
> Linux system; you need to find the incantation to make it compile. Compare
> this to MaraDNS, where installing is as simple as downloading one package
> and typing in "make; make install".
>
> Once djbdns is installed, you will find some directories in the root of
> your filesystem that weren't there before. This breaks UNIX and Linux
> standards on how the filesystem can be organized.
>
> All of these issues could be fixed if Dr. Bernstein had released djbdns
> under an open-source compatible license. I understand that such modified
> versions of djbdns may introduce security problems that Dr. Bernstein's
> code does not have. The solution is simple: Distribute djbdns under a
> LaTeX license, which is open source compatible and would require modified
> versions of djbdns to be called something besides djbdns.
>
> There are a number of programs which are still being actively maintained
> long after the original author stopped contributing to the project. The
> fvwm project is still thriving even though Rob Nation stopped working on
> the project over 12 years ago. When Atheos development stopped, its users
> forked the code and started the Syllable project. Both Perl and Python
> are no longer being actively worked on by their primary developers; most,
> if not all, code changes now come from other people. It is a shame that
> Dr. Bernstein does not allow djbdns to have the same development.
>
> This wouldn't be so bad if djbdns was being actively manintained and bug
> were being fixed. Dr. Bernstein, as far as I can tell, has no intention
> to fix any issues with djbdns. He acts too arrogantly to acknowledge
> that his programs have bugs, much less fix his bugs--I have never seen
> him admit any of his programs has a bug.
>
> Djbdns's license and the author unwillingness to fix bugs limits the
> options for people supporting djbdns. For example, when somone pointed
> out yet another bug with djbdns' recursive resolver on the djbdns
> mailing list, he was told that people who have this problem that it
> was "their own fault". In more detail, if someone has a domain with an
> provider and, for whatever reason, wants to change providers without
> their current provider's help, djbdns' cache will incorrectly point to
> the old provider until the cache program is restarted.
>
> This goes back to the djbdns license; the person who blamed the user for
> a djbdns problem really had no other choice. He could not patch djbdns
> and distribute a modified djbdns to fix the issue. While he could made
> a patch available, the number of djbdns users who would actually apply
> the patch is next-to-zero. Since Dr. Bernstein has abandoned djbdns,
> there is no system in place to allow people to fix issues with djbdns.
>
> djbdns has a good security record; however, it is not the only dns server
> with good security. MaraDNS has never had a priviledge escalation
> security hole.
>
> Djbdns was the best DNS option available when it came out. That was
> over five years ago. Since then, the internet has changed and djbdns has
> not kept up. Now that BIND9 and MaraDNS have a proven security record,
> and are both under an open-source license and being actively maintained,
> there is no longer any reason to use djbdns.
We use tinydns happily, can easily make it do things we need and have no need
for your criticisms. Thanks DJB for your work.
-Dee
>
|