[Techtalk] Re: Server was hacked into; all DNS servers reek!

Raven Alder raven at oneeyedcrow.net
Mon Feb 24 15:06:27 EST 2003

Heya --

Quoth Carla Schroder (Mon, Feb 24, 2003 at 10:18:30AM -0800):
> > However, djbdns has amazingly poor and unhelpful documentation,
> > serious interoperability problems, and only implements those parts
> > of the RFCs that djb likes.
> Not true, visit the site. It's full of good docs:
> http://cr.yp.to/djbdns.html

	Heh.  Perhaps I should rephrase.  The sorts of docs that djb
writes are not the sort that I personally find helpful.  They're too
terse.  I want more in depth explanations, I want plenty of examples,
and I want to understand why something works as opposed to "do this,
then do that, then do that, and it will work".

	Also, djb assumes scripting and sysadmin competency as a
prerequisite to running his software, as opposed to showing you how.
For example, this weekend I was making my nameserver (running djbdns) a
secondary for a friend's new domain.  I used tcpclient to invoke
axfr-get to pull down the zone file.  I had to write a script to
regularly get the zone file, and compile the little database -- there's
nothing in djb's docs that tells you how to do that.  And in my opinion,
getting the secondary to regularly poll the primary nameserver and
update its config is the sort of thing that should at least be covered
in the documentation, if sample scripts are not provided for you.

	djb's docs usually only tell you one way to set something up,
and that's the Canonical Way To Do It and that's it.  If you want to run
qmail without running tcpserver, you're in for a fun search.  If you are
looking for something about BIND-djbdns interoperability, good luck.
Djb's answer is "don't use BIND at all, it's inferior".  But sometimes
you don't control both ends, and telling the other sysadmin what
software they have to run is a bit rude.  

	All that said, my husband loves djbdns and hates BIND and the
docs make perfect sense to him, whereas I hate them.  So it may just be
different strokes for different brains.
> It's the not the RFCs per se that djb thinks are foolish, but the horrid BIND 
> hacks that end up in them. Standard should be program-agnostic, somehow BIND 
> has become the standard. The whole DNS-BIND world is very political. 

	That much I will agree with.  (I have a friend in the IETF DNS
working group who has stories you wouldn't believe.  Ew.)  But I still
find it somewhat ironic that he trumpets his conformance to various
parts of the standards so loudly while completely ignoring other parts
and saying nothing about that.  If you feel that standards compliance is
a virtue, you should address the whole issue.

> Do not fear djbdns, it is lightweight, extremely fast, modular, and a heck of 
> a lot easier to master than BIND. Anyone interested in some basic howtos, 
> visit www.crossnodes.com, I wrote several articles on DNS and djbdns.

	I hadn't come across your articles yet; thanks for the pointer.
They were in my opinion more helpful than djb's stuff.  I'm pretty
familiar with djbdns at this point, but it was a painful road for me to
get there.  I can run it, it works, but it doesn't do everything I want
(DNSSEC) and its quirks still kinda irritate me.  Nevertheless, thanks
for the pointers.

"You think I'll cry?  I won't cry.  My heart will break before I cry.
 I will go mad first."
  -- Poe

More information about the Techtalk mailing list