Verisign Dumps BIND

uuallan · Jun 11, 2002

http://www.nwfusion.com/news/2002/133242_06-10-2002.html

Given Verisign's track record for DNS security, I wonder how long it will be until someone hacks ATLAS

Jun 11, 2002

Maybe that Padilla guy was targeting Verisign

devolution · Jun 13, 2002

I bet it's already hacked - some peed off workers at Verisign have probably nicked the software and are waiting to post it to Usenet!

Imagine what fun will happen if they put this software on the Root Servers.
Anyone care to hazard a guess?

Whitehouse.gov ending up at SheMaleHeaven.com ?
RacialEquality.gov ending up at KluKluxKlan.com?

Originally posted by uuallan
http://www.nwfusion.com/news/2002/133242_06-10-2002.html

Given Verisign's track record for DNS security, I wonder how long it will be until someone hacks ATLAS

Jun 13, 2002

I won't miss BIND, however they could have easily just switched to djbdns instead of writting their own software. Such arrogance.

-t

uuallan · Jun 13, 2002

Originally posted by thewitt
I won't miss BIND, however they could have easily just switched to djbdns instead of writting their own software. Such arrogance.

I don't know about that...I haven't seen any evidence that tiny/djbdns can handle a large installation like we are talking about here. It certainly is a nice program, but it seems primarily used for small to mid-sized DNS installations.

Jun 13, 2002

You are incorrect in your assumption that djbdns is limited to small installations.

It's primary user community is the university environment, however there are a number of major commercial implementations as well - citysearch.com, lycos.com, pobox.com to name just a few.

If you spend some time looking at performance statistics, it outperforms BIND in all configurations (remember that Verisign has been using BIND for years) and can easily handle 4500 requests per second on a 500mhz FreeBSD machine with 2G of ram (the stats that led to this were 1.9B requests over 5 days and a 3.1M entry database).

NIH is likely the reason that Verisign are writing their own - with a fair amount of hubris worked in for good measure.

I should also add that they plan on supporting "emerging" standards as well in their DNS servers, and I suspect this means they will be offering more paid services through both the registry and their registrar divisions that only work with these emerging standards...

-t

uuallan · Jun 13, 2002

Originally posted by thewitt
You are incorrect in your assumption that djbdns is limited to small installations.

It's primary user community is the university environment, however there are a number of major commercial implementations as well - citysearch.com, lycos.com, pobox.com to name just a few.

If you spend some time looking at performance statistics, it outperforms BIND in all configurations (remember that Verisign has been using BIND for years) and can easily handle 4500 requests per second on a 500mhz FreeBSD machine with 2G of ram (the stats that led to this were 1.9B requests over 5 days and a 3.1M entry database).

I'm sorry, I shouldn't have said djbdns was limited to small installations -- I know that is not true. But even the examples you give are nothing compared to the number of queries that are received by the root name servers.

Also, I saw on the blurbs page the mention of Lycos, but all of the Lycos name servers look like they are still running BIND:

Code:

[allan@ns1 allan]$ dig @NS4.HOTWIRED.COM version.bind chaos txt

; <<>> DiG 9.1.3 <<>> @NS4.HOTWIRED.COM version.bind chaos txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43591
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
VERSION.BIND.           0       CH      TXT     "surely you must be joking"

;; Query time: 88 msec
;; SERVER: 209.202.221.55#53(NS4.HOTWIRED.COM)
;; WHEN: Thu Jun 13 09:40:47 2002
;; MSG SIZE  rcvd: 80

AFAIK, djbdns does not respond to the version.bind query.

I don't want to sound like I am bashing djbdns, because I think it is a great program.

Jun 13, 2002

Originally posted by uuallan
AFAIK, djbdns does not respond to the version.bind query.

I don't want to sound like I am bashing djbdns, because I think it is a great program.

Unless they have patched djbdns to mimick BIND for some reason, you are correct. I have a couple of private emails from the Lycos guys here somewhere, I'll see if I can find anything interesting.

I was also not trying to compare the volume of hits on these large sites with what the root servers take, but to simply point out that in all the benchmarks I've seen, djbdns outperforms BIND significantly - and runs very well on very little hardware, unlike BIND, which is very unstable at high volumes and requires mamoth hardware to support it.

Since BIND has obviously been working in it's role at Verisign, why would you start over from scratch if what you were really looking for was a more secure implementation of DNS for your root services.

I think that this quote is the more telling from their announcement

Next year it will support not only DNS lookups but also emerging protocols such as Session Initiation Protocol and Signaling Series 7 for Internet telephone calls

It appears to me that Verisign are more concerned about offering future services for $$ than they are trying to ...fix a DNS environment that is too homogeneous.

Don't get me wrong, I'm not against capitalisim - I just think that the root servers are at much higher risk if they are running proprietary software from Verisign in support of emerging technologies, than if they are running anything that's open source and has a large installed base - even buggy old BIND...

-t

uuallan · Jun 13, 2002

Originally posted by thewitt

I think that this quote is the more telling from their announcement It appears to me that Verisign are more concerned about offering future services for $$ than they are trying to ...fix a DNS environment that is too homogeneous.

Don't get me wrong, I'm not against capitalisim - I just think that the root servers are at much higher risk if they are running proprietary software from Verisign in support of emerging technologies, than if they are running anything that's open source and has a large installed base - even buggy old BIND...