ungleich-staticcms/content/u/blog/love-letter-to-isc-bind/contents.lr

title: A love letter to ISC bind
---
pub_date: 2021-02-22
---
author: Nico Schottelius
---
twitter_handle: NicoSchottelius
---
_hidden: no
---
_discoverable: yes
---
abstract:
Everyone makes some mistakes in their life, but sometimes it's time to
move on.
---
body:
Dear ISC bind,

this is a love letter to you. You probably don't know me, but I have
been a long term user of yours. I started using you - oh, that sounds
so wrong for a love letter, doesn't it?

I started my time with you in the late 90's, it was when you were
called "bind 4". I was very happy with our relationship. You'd not
only take care of all authoritative requests, but also take care of
caching client requests. Me, still being young at the time, I did not
know nor care about security concerns in the beginning.

But then over time I got more experienced and I read and tried DNS
cache poisoning and I was shocked. How could you? How could you accept
incorrect entries? I had so much trust in you and then that!

So many years passed and after my shock, I had a fling with
[djbdns](https://cr.yp.to/djbdns.html) (together with qmail and
daemontools). Which right away took security more seriously. So
serious that even managing djbdns with its own suite was almost like a
crypto analysis adventure. Many years this was my software solution of
choice, compiled from source, patched by hand. Oh, the old 2000's!

Over time the effort for managing software by source code and
/usr/local installations did not turn out to be very efficient. So I
looked around and found [powerdns](https://www.powerdns.com/),
[nsd](https://www.nlnetlabs.nl/projects/nsd/about/) and
[unbound](https://www.nlnetlabs.nl/projects/unbound/about/).

I settled for the nsd/unbound combination for many years. Then I
stumbled upon
[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Dnsmasq
feels a bit like a younger sibling of bind: it does everything and
even includes dhcp and tftp support! Crazy, isn't it? Many years to
come, dnsmasq, first discovered on an embedded router, turned out to
be a very stable solution for even mid sized installations. And it
comes with a very simple configuration as well.

But then 2017 happened. And ungleich started the [Data Center
Light](/u/projects/data-center-light/) project. An IPv6 first
hosting. And there you were, dear bind. Looking at me from the side of
the software projects, saying "I think it's time we have a talk.".

And indeed, we did have a talk. A talk about implementing DNS64. About
different nat64 prefixes in one configuration. About being
an authoritative name server that functions even if all upstreams are
down. A name server that even allows the most funky configuration of
*removing native AAAA entries* for DNS64 networks that should only
access mapped IPv4 addresses. You can do it all, but you are still not
complicated. Who can say that of themselves?

I admit, I was not always loyal to you. And I also admit that I am
still sceptical about mixing caching and authoritative features in one
process. But you do it so damn well. Not only have you been around for
decades and collected the wisdom over the years, but you have also
adapted to the times.

This is why I am writing you this love letter today, to say
thanks. Thanks for making the life in a data center easier, thanks for
being flexible, thanks for improving over time and thanks for still
adhering to the same configuration file format that I used in the
late 90's.

Dear BIND, you are by far not perfect, but then again neither is
reality. And this is your strength, solving real world problems.
Thank you for doing so and thanks to all the involved developers!

In love, yours,
Nico