ISC releases BIND 10 1.2, renames it, and turns it over to community
From: Carsten Strotmann <carsten-AT-strotmann.de>
To: lwn-AT-lwn.net
Subject: News: ISC Concludes BIND 10 Development With Release 1.2, Project Renamed 'Bundy'
Date: Thu, 17 Apr 2014 20:26:49 +0200
Message-ID: <53501CE9.2090401@strotmann.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<http://www.marketwired.com/press-release/isc-concludes-bi...>

REDWOOD CITY, CA--(Marketwired - Apr 17, 2014) - Internet Systems Consortium (ISC) today announced the release of version 1.2 of its BIND 10 software, and with that release announced that ISC has concluded its development work on BIND 10 and will no longer be updating the source pool.

BIND 10 release 1.2 consists of an authoritative server, a control framework, an application interface, a statistics server, a logging framework, a remote control daemon, a configuration client tool, and numerous other tools for its development and operation.

"BIND 10 is an excellent software system," said Scott Mann, ISC's Vice President of Engineering, "and a huge step forward in open-source infrastructure software. Unfortunately, we do not have the resources to continue development on both projects, and BIND 9 is much more widely used."

"The BIND 10 software is open-source," Scott added, "so we are making it available for anyone who wants to continue its development. The source will be available from GitHub under the name Bundy, to mitigate the confusion between it and ISC's BIND 9 (a completely separate system). The name 'BIND' is associated with ISC; we have changed its name as a reminder that ISC is no longer involved with the project."

BIND 10 release 1.2 is available from ISC at http://isc.org/downloads/platform

BIND 10 was a multi-year development project with numerous sponsors around the world. ISC is grateful for support received from Afilias, AFNIC, Association DNS.PT, Brazilian Network Information Center (NIC.BR), Canadian Internet Registry Authority (CIRA), China Internet Network Information Center (CNNIC), Comcast, CZ NIC z.s.p.o, DENIC eG, Google Inc., IIS, Japan Registry Services Co, Ltd. (JPRS), Nominet UK, New Zealand Registry Services (NZRS), Réseaux IP Européens Network Coordination Centre (RIPE NCC), Stichting Internet Domainregistratie Nederland (SIDN), Technical Center of Internet, and Uniforum SA. We expect the continuing development of Bundy to involve an equally diverse collection of developers and supporters.

For further information about the BIND 10 project, see http://bind10.isc.org. To follow Bundy going forward, see http://bundy-dns.de.

About ISC

Internet Systems Consortium (ISC) is a 501(c)3 public benefit corporation widely known for world-class Internet software engineering and network operations. Founded in 1994 under an initial grant from UUNET, ISC is governed today by a 5-member Board of Directors. ISC software, of which BIND and ISC DHCP are the two best-known examples, is open source. Our passion is Internet core technology. Our widely-imitated Managed Open Source process ensures the quality of our software while keeping it completely open and available. ISC operates high-reliability global networks of DNS root servers (F-root) and authoritative DNS servers both for non-profit and commercial enterprises. ISC is actively involved in Internet protocol and standards development, particularly in the areas of DNSSEC and IPv6. ISC is supported by donations from generous sponsors, by program membership fees, and by revenues from our support and training business. For further information, please visit http://www.isc.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlNQHOkACgkQiDbv+TR5q6J39wCfQRwD1DR+G8cqMw9mDfaLafdE
Y6gAoJteYkAMGcgpZ0je8b26F4AaN28I
=+4Kf
-----END PGP SIGNATURE-----
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 22:06 UTC (Thu) by branden (guest, #7029) [Link]
Sounds like they pulled an Oracle and don't actually want the community to pick up maintenance of "Bundy", or they would not have named it after a serial killer or a white supremacist celebrity who has featured prominently in ongoing U.S. news coverage of the past two weeks.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 22:18 UTC (Thu) by dfarnsworth (guest, #44267) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 6:51 UTC (Fri) by drag (guest, #31333) [Link]
That is enough to condemn a person as a default racist for a lot of people.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 25, 2014 3:27 UTC (Fri) by proski (subscriber, #104) [Link]
And then Bundy opens his big mouth and confirms that notion. Ouch! I just hope there would be no grazing fees in the ip6.arpa domain :)
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 22:35 UTC (Thu) by krice (guest, #1749) [Link]
I mean, it's Friday, I'm enjoying a Double IPA myself, but geez...
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 0:04 UTC (Fri) by gdt (subscriber, #6284) [Link]
Bundaberg Rum's "Bundy Bear" was likely the connotation at the top of their head.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 5:31 UTC (Fri) by ncm (guest, #165) [Link]
Somebody around here thinks amateur serial killers deserve more attention than they get already. But if you're impressed with that stuff, you should be paying attention to the pros commanding drone fleets, coal-fired power plants, and tobacco mills.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 21:32 UTC (Fri) by jmclnx (guest, #72456) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 9:20 UTC (Fri) by niner (subscriber, #26151) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 19, 2014 4:36 UTC (Sat) by dlang (guest, #313) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 25, 2014 12:05 UTC (Fri) by shane (subscriber, #3335) [Link]
I live in Holland and have almost no exposure to US celebrity news. I assure you it had nothing to do with the name. ;)
I'm involved with the Bundy fork, since I hate to see good - although unfinished - software just get lost forever.
ISC asked me and some other people interested in keeping the project to help think of a new name. None of us had any strong preferences, so when the suggestion was made to name the new fork after the old BIND 10 mascot, it seemed like a good idea.
More information on the mascot here:
http://bind10.isc.org/wiki/Mascot
The name Bundy was given to the mascot by the original creator.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 22:44 UTC (Thu) by Lukehasnoname (guest, #65152) [Link]
"Gacy is a better, newer language than Python 2, and everyone should begin migrating their tools as soon as possible. Having said that, more people use Python 2, and we as an internationally known standards body do not have the resources to maintain both code trees. Feel free to hack away with Gacy." - president, PSF
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 23:10 UTC (Thu) by fuhchee (guest, #40059) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 23:33 UTC (Thu) by gerdesj (subscriber, #5446) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 17, 2014 23:38 UTC (Thu) by maney (subscriber, #12630) [Link]
It seemed pretty clear to me that that was what they were doing. Let me see, the AI's semantic analysis went something like this...
Bind 10 was such an overblown example of second-system effect that no one uses it even though we've pushed it all the way to the 1.2 release, so we're tossing it under the wheels and rolling forwards with Bind 9, the version that's actually used as infrastructure.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 0:03 UTC (Fri) by gerdesj (subscriber, #5446) [Link]
As far as I can tell looking at it they wanted to create a massively scalable beast of a thing that will be at home serving millions of zones with 10s of millions of records. There are something like 10 daemons which seems sensible for security with an overall controller.
The intention seems to be that this is able to deal with other infrastructure as well, perhaps an LDAP DB. I can't really tell exactly what they are getting at with this. OpenLDAP already has that covered very nicely and if you are that way inclined: AD. For my money Novell/Attachmate/whatever eDirectory is your man for a fast scalable hierarchical DB with knobs on. Unfortunately I haven't seen one in some time after spending a good 15 years looking after them in the past. Now if that got released as open source ...
So, after a wine induced ramble - who is likely to use this thing? It ain't going to fit on a DDWRT and I suspect it's also a bit overkill for anyone who is not an ISP or hosting outfit.
Some of us will have a play, I'm sure. I just don't see it will get wide, or any, adoption unless it gets a killer front end that just works whilst supporting a wide variety of back ends to appease the opinionated sysadmin (and aren't we all just a bit opinionated)
I wish them the best - it's a huge lump of work with all the right buzz words in its development but a scrum is something I used to do at school and then university (actually a polytechnic but that is probably a foreign word to most readers including under 35 year old Britons) as a tight head prop - Grrr
Cheers
Jon
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 4:16 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
It created 6 daemons in the minimal configuration. In the complete configuration it'll have something like 12 daemons running, including its very own message bus (DBUS is too plebe). And anyway, I was not able to set up DNSSEC and it doesn't even support DNSSEC for DynDNS.
This all smells like DJB-envy. But djbdns was a small and nimble daemon, very easy to manage. It used regular tools like rsync for zone management and very unixy zone files.
I think I'll stick to BIND9 or maybe switch to PowerDNS someday.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 12:08 UTC (Fri) by TimSmall (guest, #96681) [Link]
I've always wondered why NSD isn't more popular for authoritative-only sites. Uses BIND-compatible zone files too (and has DNSSEC support)...
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 25, 2014 12:13 UTC (Fri) by shane (subscriber, #3335) [Link]
The reason we have so many processes is fault isolation and minimal bug surface area.
For example, if you don't need Dynamic DNS (DDNS) then you don't need to run b10-ddns, which is the component which supports that functionality. So any bugs in that code won't affect you, plus you don't carry the memory footprint for it and so on.
Further, if you *do* need DDNS, then any bugs that affect that code won't corrupt other parts of the system, and the DDNS component can be restarted in the worst case without affecting query processing or zone transfer (for example).
As for dbus, we did look at this, and really, really wanted to use it, but client library support and licensing issues made it really tough for us to adopt such technologies. We documented part of the effort here:
http://bind10.isc.org/wiki/msgqReplacements
We had pretty much decided on using Apache Qpid late last year, except that by that time the project was already on life support.
BIND 10 is in no way djb-envy. The goal was to replace BIND 9, which is a full-featured, scalable DNS server, not djbdns, which is neither.
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 25, 2014 12:28 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
Also, what is the security model? Will a compromise in, say, the DNSSEC module allow an attacker unlimited control over all hosted zones?
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 25, 2014 18:09 UTC (Fri) by shane (subscriber, #3335) [Link]
There are 14 processes with "akonadi" in my process table. Is this too many? Why?
I see 6 "getty" processes. Is that too many? Why?
And so on...
----
Just to be clear, none of the fast-path processing requires context switching between processes. The approach does not hurt performance, and may even improve it (depending on the exact model of processes vs. threads on a given OS & system architecture).
With BIND 10 we realized that a lot of administrators would not like to see that many processes. It's "weird". So we make sure that all of the startup, shutdown, and (if necessary) re-starting of processes is handled transparently by the application itself. We also made sure that every process is named starting with "b10-" so that administrators can easily see all of the BIND 10-related processes running... I don't like seeing strange processes running on my systems that I have no idea what they are doing, and I expect many sysadmins feel the same.
Still, it is clear that people get nervous by a DNS server running multiple processes, in spite of the fact that their web browser does it, their database server does it, their mail server does it, and even very popular DNS servers (NSD) do it.
----
BIND 10 does a lot of things that are not the current way of doing things. In retrospect, this was a mistake, as we exceed most people's tolerance for change. (Especially administrators, who are mostly a very conservative and even somewhat superstitious lot...)
----
We don't have any security between components, which are protected by normal Unix-domain socket file permissions. The components are intended to be different parts of a single application, running on a single machine. A compromise of the one component would not give an attacker direct access to all other running components, but it should be easy to cause a certain amount of mischief by using the message bus to send bogus commands around to other parts of the system.
The idea was to limit the complexity of an already complex architecture as much as possible. By using separate process spaces rather than a threaded or event-driven model (like all other name servers that I know of), we might be a bit more secure, but that's explicitly NOT a goal of the approach.
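A check of the socket file permissions that the comment above names as the only protection between components, as an added example that is not BIND 10 or Bundy code. The function `audit_unix_socket` and the socket name `msgq_socket` are hypothetical, and the socket is constructed in a temporary directory.

```python
import os
import socket
import stat
import tempfile


def audit_unix_socket(path, expected_uid):
    """Return a list of findings for a Unix-domain socket file; empty means OK."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a socket"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    # On Linux, connect() requires write permission on the socket file.
    # Some older BSD-derived systems ignore socket file modes, so the
    # parent directory's permissions matter as well.
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable, any local user can connect")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable, members of gid {st.st_gid} can connect")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # A world-writable parent without the sticky bit lets other users
    # unlink the socket and bind their own in its place.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append(f"{path}: parent directory is world-writable without sticky bit")
    return findings


def demo():
    """Audit one constructed socket with a loose mode, then a tightened one."""
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        path = os.path.join(d, "msgq_socket")  # hypothetical socket name
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, 0o666)
            loose = audit_unix_socket(path, os.getuid())
            os.chmod(path, 0o600)
            tight = audit_unix_socket(path, os.getuid())
        finally:
            srv.close()
        return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0666", "0600"), demo()):
        print(label, result or "no findings")
```

A clean result only says who may connect to the bus; as the comment notes, any process that can connect is able to send commands to the other components.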
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 8:11 UTC (Fri) by grantma (subscriber, #5225) [Link]
http://mattgrant.net.nz/softwree/dms
is being uploaded to Debian Sid aka unstable.
Written in Python3, it achieves a lot of what BIND 10 does, but wraps BIND 9 with IPSEC, rsync, and a pile of shell scripts for DR....
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 8:18 UTC (Fri) by grantma (subscriber, #5225) [Link]
ISC releases BIND 10 1.2, renames it, and turns it over to community
Posted Apr 18, 2014 9:26 UTC (Fri) by bradh (guest, #2274) [Link]
ISC releases Bind 10.2, DMS to manage Bind9.8+ DNS zones
Posted Apr 18, 2014 21:28 UTC (Fri) by grantma (subscriber, #5225) [Link]
It is probably more relevant than Bind10, as it uses BIND9, one tick right from the start. It supports auto PTR creation - a great help with V6, running DNSSEC zones, zone versioning, and all the important cryptographic records.
Basically it allows you to leverage distributed power of your DNSSEC zone to augment SSL signed certs through TLSA, and opportunistic IPSEC.
In IPSEC all the key material is in a separate process from the data, and it is more efficient if the relationship is lasting over a period of time.
Rise and Fall of BIND 10
Posted Apr 25, 2014 12:15 UTC (Fri) by shane (subscriber, #3335) [Link]
I'm going to be giving a presentation at the RIPE meeting in a few weeks about the project, tentatively titled "The Rise and Fall of BIND 10", covering the history of the project, its goals, what went wrong, and what went right.
https://ripe68.ripe.net/programme/meeting-plan/open-sourc...
If I remember I'll post a link to the video and slides here when it's done.
Rise and Fall of BIND 10
Posted Apr 25, 2014 19:35 UTC (Fri) by mathstuf (subscriber, #69389) [Link]
Rise and Fall of BIND 10
Posted Apr 25, 2014 20:09 UTC (Fri) by shane (subscriber, #3335) [Link]
One of the reasons that BIND 10 had to be renamed is that it's not "Even More BIND 9" - it has quite a few differences. We had originally planned on taking a year to make a nice smooth set of conversion utilities, but had budget shortfalls and a lot of technical debt that made this impossible.
So, basically if you are running a DNS secondary or a master authoritative server that doesn't rely on BIND 9 DNSSEC re-signing, then Bundy can probably fit your needs.
We'll see how far we are able to go with the volunteer model...
----
But I'll see if LWN is interested in an article based on the talk or just related to this topic, after I've given the presentation. :)