[nSLUG] Looking for a DNS secondary partner

Ian Campbell ian at slu.ms
Fri May 1 14:57:12 ADT 2009


On Fri, May 01, 2009 at 11:39:26AM -0300, D G Teed wrote:
> On Fri, May 1, 2009 at 9:06 AM, Eri Ramos Bastos <bastos.eri at gmail.com> wrote:
> 
> A few years back everyone seemed to be ready to hop
> on the reiserfs file system.  I was ready to consider it as well,
> until the day I saw the help message for repairing the
> file system.  It reminded me of the "send a cheque for $20
> to this address" type of software I used to see on tucows
> shareware in the 90's.  Reiserfs struck me as amateurish for
> something corporations are about to adopt as best of breed.
> That alert message was a hint that this application
> depended on one developer.
> 
> A few months later, the maker of Reiser FS was charged with
> murder, and today there doesn't appear to be a future
> for reiserfs.

There probably isn't a future for reiserfs4. Reiserfs3 is in
maintenance mode though, and while there are plenty of reasons not to
use it for ... anything really, "OH NOES REISER KILLED HIS WIFE" isn't
one of them.

> The lesson here is that performance isn't the only
> consideration in putting up services.  You need to consider
> how many developers there are, whether the user base
> is large enough to shake out the bugs and security
> flaws, etc.

Performance for DNS is rarely a consideration. Even at the
small-to-medium sized ISP level the level of DNS traffic is
insignificant for even the worst software.

I disagree that developer/user count is all that matters though. For
both DNS and mail servers, ISC will win hands down with Sendmail and
BIND. Does that mean they're the best options? Probably not: they've
cleaned up their act but for years BIND and Sendmail had
flavour-of-the-week remote root holes and DoS bugs, as mentioned they
don't perform particularly well which may matter to some, and they're
not particularly flexible.

Don't even get me started on m4 for configuration. Shudder.

> Remember what Linus said : "given enough eyeballs, all bugs
> are shallow".  This is why open source can be secure,
> despite revealing its inner workings.  I prefer larger
> based projects for that reason.

Uh huh. Remember the Linux vmsplice() bug? Someone forgot to check
whether a pointer was in user or kernel space in a syscall. It was
trivially exploitable and turned any vulnerability that gave you a
shell into a potential root compromise regardless of most other
security measures.

There aren't many OSS projects that get more eyeballs than the kernel,
and it was there for 8 releases, or ~2 years.

Personally, rather than raw developer/user count, I'd prefer groups
with sane developer practices and a relatively good track record of
security.


