The Decline and Fall of BIND 10 [pdf]

Wow I feel that pain. I designed a replacement for Sun&#x27;s yellow pages service called NIS+ and with a couple of awesome engineers got it built and into production. It changed <i>everything</i> about the old YP. And if there is one thing system administrators really hate, its change that isn&#x27;t compatible with simple mods to their shell scripts. That lead to an interesting effort to make a NIS+ light which was more like YP.<p>The evolution of BIND had very similar sorts of challenges it seems. Earlier version worked new version was all different. So different that their customers (the system administrators) seem to have revolted. Ouch.<p>When you are building a part of the infrastructure that lots of people have to manage to keep the infrastructure running, its a special kind of challenge. Both in deployment, change management, and service evolution. Even after going through the process with NIS+ I&#x27;m not sure if I could even chart a path for a replacement BIND.

Interesting view into the human elements of a software project.<p>BIND is one of those programs that scares the living crap out of me, both from a security perspective and from a complexity perspective. (Gee, could those be related?)<p>Just take a look at the list of BIND vulnerabilities. We&#x27;re still finding em, and I&#x27;m sure we&#x27;ll continue to for years to come.<p><a href="http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/ISC-Bind.html" rel="nofollow">http:&#x2F;&#x2F;www.cvedetails.com&#x2F;vulnerability-list&#x2F;vendor_id-64&#x2F;pr...</a><p>For a refreshingly simple and secure DNS serving experience, I highly recommend djbdns &#x2F; tinydns &#x2F; dnscache:<p><a href="http://cr.yp.to/djbdns/blurb/security.html" rel="nofollow">http:&#x2F;&#x2F;cr.yp.to&#x2F;djbdns&#x2F;blurb&#x2F;security.html</a>

<p><pre><code> People Fear &amp; Hate Change BIND 10 is quite different for administrators – Lots of dependencies, slow build – Lots of processes – Tool to configure, not configuration files People hate change. </code></pre> Do they? Or do they hate things being worse?<p>Having lots of dependencies can actually be a huge pain. Yes, reusing existing software is wise. And most of the time, these days, on a modern unix, you&#x27;re covered by the package manager. But not always. Someone is going to be building or installing on some freaky system, or some old version of something, and every additional dependency is going to be like a red-hot poker up the fundament. More dependencies is wrose.<p>Having lots of processes generally does make things harder to manage. Yes, there are advantages in terms of fault isolation and privilege separation. But it means that you can&#x27;t just throw off a quick pgrep to see if the service is up, you have to worry about <i>some parts of it being up</i>. More processes is worse.<p>Using a tool to configure something instead of using a file ... nah, i&#x27;ve got nothing. There&#x27;s nothing good about configuration tools. I have never come across a situation where i used a specific tool to configure something and didn&#x27;t wish i was just editing a file. Tools for configuration is worse.<p>I&#x27;m sure there are lots of really awesome things about BIND 10. It clearly had a huge amount of care and attention given to it. But it does sound a bit like its developers were blind to the need of the system administrators who they hoped would ultimately install it.

I&#x27;m curious about this quote on page 21: &quot;Administrators really hate Python. Really. HATE.&quot;<p>I hadn&#x27;t heard anything like this before, what is the reasoning here?

djb is to be commended for his foresight. I always found it depressing that people would slate him for doing things his own way. I&#x27;m reminded of this quote:<p><pre><code> &quot;Don&#x27;t worry about people stealing your ideas. If your ideas are any good, you&#x27;ll have to ram them down people&#x27;s throats.&quot; -- Howard Aiken</code></pre>

I still can&#x27;t get in my head that writing DNS server is so hard.<p>Looks so easy on surface. Made me want to write a toy server just to prove myself.

Please note that RIPE archives <i>everything</i> and, as a result, the video is available: <a href="https://ripe68.ripe.net/archives/video/153/" rel="nofollow">https:&#x2F;&#x2F;ripe68.ripe.net&#x2F;archives&#x2F;video&#x2F;153&#x2F;</a>