[svlug] BIND9 on EC2
Rick Moen
rick at svlug.org
Tue Dec 2 11:58:15 PST 2014
Mark - Syminet wrote:
> [BIND9's] security history is... nearly less than acceptable... but I
> think this also might have something to do with the fact that it's what
> people believe the root servers run (and thus attack).
>
> (And I suspect they *do* run BIND9 - but a very tightly secured, locally
> compiled derivative.)
Of the thirteen, three run NSD, and ten run some BIND derivative.
http://en.wikipedia.org/wiki/Root_name_server#Root_server_addresses
For whatever it's worth, NSD was written from scratch in, I think, the
late 1990s by the NLnet Labs people in order to run the .nl TLD nameservers
on something better than BIND.
SVLUG runs its master nameserver, ns1.svlug.org, on NSD, and I've been very
satisfied with the software.
> Or even better - and more on topic - is it possible that ISPs are
> starting to block "outside" recursive public nameservers
> entirely now?
Nah, doubt that. No real incentive.
I should mention that NLnet Labs's second DNS daemon project was/is Unbound,
a small, fast, modern recursive-only nameserver. They leveraged the
experience they had writing NSD in making it, which works out well because
writing a recursive-only implementation correctly is much more difficult than
with authoritative-only.
(Put simply, a recursive nameserver is a smart cache for DNS data.
Accordingly, there is nothing requiring administration. Personally, I think
OS bundles should include Unbound - which is cross-platform and BSD-licensed
- and default to locking resolv.conf to 127.0.0.1. It's that good.)
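The loopback-only Unbound setup Rick describes above, as an added example that is not part of the thread: a minimal unbound.conf bound to 127.0.0.1/::1, a resolv.conf pointing only at it, and an audit function that reports whether a host's resolv.conf uses only loopback resolvers. The trust-anchor path, the availability of unbound-checkconf and chattr, and the default output paths are assumptions; the functions take explicit paths so nothing under /etc is touched unless you ask for it.

```shell
# Write an Unbound config that only answers the local host (paths are parameters)
write_local_unbound_conf() {
  out="${1:-./unbound.conf}"
  cat > "$out" <<'EOF'
server:
    # Listen on loopback only: hosts on the network cannot reach the resolver
    interface: 127.0.0.1
    interface: ::1
    # Belt and braces: refuse non-local clients even if the interfaces change
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # Validate answers with DNSSEC (root.key path is assumed; adjust per OS)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Reject out-of-bailiwick glue and answers with stripped DNSSEC records
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
EOF
  # Syntax-check when unbound-checkconf is installed; report, do not abort
  if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$out" || echo "unbound-checkconf reported a problem"
  fi
}

# Point the stub resolver at the local Unbound; pass "lock" as the second
# argument to make the file immutable so DHCP hooks cannot rewrite it (needs root)
write_local_resolv_conf() {
  out="${1:-/etc/resolv.conf}"
  printf 'nameserver 127.0.0.1\nnameserver ::1\noptions edns0\n' > "$out"
  if [ "${2:-}" = lock ]; then chattr +i "$out"; fi
}

# Audit check: return 0 only if every nameserver in the given resolv.conf is
# a loopback address (an empty or nameserver-less file counts as a failure)
resolver_is_local() {
  f="${1:-/etc/resolv.conf}"
  ns=$(awk '$1=="nameserver"{print $2}' "$f")
  [ -n "$ns" ] || return 1
  for addr in $ns; do
    case "$addr" in
      127.*|::1) ;;
      *) return 1 ;;
    esac
  done
  return 0
}
```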