* Michael Marria <mrmarria@gmail.com> [2015-01-29 14:01]:
> After many years running qmail on FreeBSD 6, it's time to upgrade.
> I have a new FreeBSD 10.1 ZFS platform set up and see that djbdns may be a
> bit dated for install alongside the qmail re-install.
> A general best practices response about djbdns and unbound or
> alternatives I haven't thought of?
Well, there's certainly more than one take on it.
I have long given up on dnscache. Too much of a hassle on my feet. I
vaguely remember some issues with some of its stranger behaviours, but
it's too long ago for anything less vague. No DNSSEC.
I switched to unbound, which does the job without annoying me at all.
Just Works. I spent some time with the author auditing the privsep
parts, couldn't find any real mistakes, basically just had stylistic
remarks. Solid DNSSEC.
tinydns is another story. I'm still a big fan of the mmaped cdb
approach. However, a lot of time has passed and what we run today
still looks & feels like tinydns, but is substantially modified.
Thanks to the flexible data format there aren't too many changes, most
of the magic is in the data file generation process instead. The
changes to tinydns itself are few:
- grok & log NOTIFYs
- rotateip
- DNSSEC support, 95% the tinydnssec.org patch
- axfrdns modified to skip the pseudo records the above needs
I don't use tinydns-sign from tinydnssec.org, it is quite horrible and
very incomplete. Unsuitable for big data files, will eat memory for
breakfast. Unusable when you use locations. Bugs in the NSEC3
generation, including one where it'll become a malloc-bomb until
rlimits are reached or the machine swaps itself to death.
Instead, I have written the dnssec processing (generating RRSIGs,
the NSEC3 processing, location handling and the pseudo records) from
scratch, integrated into our data file generation process. There are
several mean pitfalls there, last but not least because tinydns doesn't
have a clear concept of a zone, which makes an approach working on
existing data files really hard.
(reminds me that I still haven't poked the tinydnssec author about
these issues, ugh, shame on me)
I'm still very worried about the amplification issues that DNSSEC makes
much worse - I consider that battle lost, and given the choice between
DNSSEC and plain old insecure DNS, I know what I pick. YMMV.
--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, AG Hamburg HRB 128289,
http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
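The point Henning makes about tinydns having no clear concept of a zone is easiest to see with a little code. The following is an added illustration, not code from tinydns, tinydnssec.org or bsws.de: it parses a constructed tinydns-data style file, infers zone membership from the only places an SOA can come from ('.' and 'Z' lines), keeps location-tagged records apart, and flags the two things a signer trips over first: records under no SOA at all, and a child zone introduced with 'Z' that the parent never delegates. The field offsets in LOC_INDEX are taken from the tinydns-data record layouts as I remember them and are an assumption of this example.

```python
"""Group tinydns "data" records into zones and flag the pitfalls a signer hits.

tinydns's data file is a flat list of records with no zone delimiter: a zone
boundary exists only implicitly where a '.' or 'Z' line supplies an SOA.
Anything that wants to sign zones (RRSIGs, one NSEC3 chain per zone) must
first decide which SOA each record belongs to, which is exactly the step the
flat format leaves undefined. Illustrative code written for this page, not
code from tinydns, tinydnssec.org or bsws.de; SAMPLE_DATA is constructed and
LOC_INDEX follows the tinydns-data record layouts (an assumption here).
"""
from collections import defaultdict

# Constructed sample in tinydns-data syntax (one record per line).
SAMPLE_DATA = """\
# a comment line
.example.com:192.0.2.53:a:3600
&example.com::b.ns.example.net:3600
=www.example.com:192.0.2.10:86400
+mail.example.com:192.0.2.25
@example.com::mail.example.com:10:86400
'example.com:v=spf1 mx -all:3600
Zsub.example.com:a.ns.example.com:hostmaster.example.com:2015012901:16384:2048:1048576:2560
+host.sub.example.com:192.0.2.99
Cfoo.orphan.test:www.example.com
%in:192.168
+lan.example.com:192.168.1.1:::in
"""

# Index (owner is field 0) of the optional location tag "lo" per record type.
LOC_INDEX = {'+': 4, '=': 4, 'C': 4, "'": 4, '^': 4,
             '.': 5, '&': 5, '@': 6, 'Z': 10}


def parse_data(text):
    """Yield (rtype, owner, fields, location) per record.
    '%' lines define locations and are yielded with owner None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rtype, fields = line[0], line[1:].split(':')
        if rtype == '%':
            yield rtype, None, fields, None
            continue
        owner = fields[0].lower().rstrip('.')
        idx = LOC_INDEX.get(rtype)
        loc = None
        if idx is not None and len(fields) > idx and fields[idx]:
            loc = fields[idx]
        yield rtype, owner, fields, loc


def closest_apex(owner, apexes):
    """Longest apex equal to owner or to one of its parent names, else None."""
    labels = owner.split('.')
    for i in range(len(labels)):
        cand = '.'.join(labels[i:])
        if cand in apexes:
            return cand
    return None


def group_by_zone(text):
    """Return (zones, orphans).

    zones maps apex -> location -> list of records (None = default view).
    Location-tagged records are kept apart: each location is a different
    answer set, hence a different RRset to sign and a different NSEC3 chain.
    orphans are records under no SOA at all: tinydns serves them happily,
    but no zone exists that could carry a signature for them.
    """
    records = list(parse_data(text))
    apexes = {r[1] for r in records if r[0] in ('.', 'Z')}
    zones = defaultdict(lambda: defaultdict(list))
    orphans = []
    for rec in records:
        rtype, owner, _, loc = rec
        if owner is None:
            continue
        apex = closest_apex(owner, apexes)
        if apex is None:
            orphans.append(rec)
        else:
            zones[apex][loc].append(rec)
    return zones, orphans


def missing_delegations(zones):
    """Child apexes whose parent zone (if in the file) has no NS for them.

    A 'Z' line adds only an SOA; unlike '.', it adds no NS, so a child zone
    introduced with 'Z' needs an explicit '&' in the parent or the delegation
    (and the DS record DNSSEC hangs off it) has nowhere to live.
    """
    missing = []
    for apex in list(zones):
        parent = None
        if '.' in apex:
            parent = closest_apex(apex.partition('.')[2], set(zones) - {apex})
        if parent is None:
            continue
        parent_ns = {r[1] for recs in zones[parent].values()
                     for r in recs if r[0] in ('.', '&')}
        if apex not in parent_ns:
            missing.append((apex, parent))
    return missing


if __name__ == '__main__':
    zones, orphans = group_by_zone(SAMPLE_DATA)
    for apex, views in zones.items():
        for loc, recs in views.items():
            print(f"{apex} [{loc or 'default'}]: {[r[1] for r in recs]}")
    print("orphans:", [r[1] for r in orphans])
    print("missing delegations:", missing_delegations(zones))
```

Run against the sample, host.sub.example.com lands in sub.example.com rather than example.com only because the walk from the most specific label outward finds the 'Z' apex first; foo.orphan.test has no apex at all; the 'in' view of example.com is a separate signing unit; and sub.example.com is reported as undelegated because the parent has no '&sub.example.com' line. Every one of those decisions is something the flat file leaves to the generator, which is why signing from an existing data file is harder than it looks.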