Experts argue over whether shallow DNS gene pool hurts web infrastructure

Experts are split over whether a lack of 'genetic diversity' in the Domain Name System (DNS) infrastructure is leaving the internet at greater risk of attacks. Four in five (80 per cent) of the world's internet-facing DNS servers are essentially genetically identical, according to Domain Name System vendor Secure64. In the …


This topic is closed for new posts.
  1. Wilhelm Lindt


    Berkeley Internet Name What? El Reg botches another DNS story.

    1. Athan

      Re: Acronyms

      I was going to comment similarly, but on checking, it seems ElReg has it correct.

      From the bind9-doc/arm/Bv9ARM.ch01.html in my Debian squeeze system:

      "The Berkeley Internet Name Domain (BIND) implements a domain name server for a number of operating systems."

  2. Flocke Kroes

    djbdns works fine - and it is free

    The license is open source, but inconvenient for most distributions. Compiling, installing and configuring worked without complications for me.

    1. Tom 38

      Re: djbdns works fine - and it is free

      And for me also. I found it much easier to do things like telling djbdns to query my employer's DNS server for various domain names than in BIND. Well, that's an understatement.

      However, if you're a DNS administrator, your day is spent in BIND zone files, so the differences are marked. Also djb has a bit of a reputation...

      Four in five (80 per cent) of the world's internet-facing DNS servers are essentially genetically identical, according to Domain Name System vendor Secure64

      "80% of the world won't even consider buying our DNS server, so here's some FUD."

    2. PyLETS

      Re: djbdns works fine - and it is free

      DJBDNS was released by its author into the public domain in 2007. Before that I compiled it myself. Since then distributions have been able to package it.

  3. Real Ale is Best

    So basically...

    "Please buy our domain name server, rather than using the free one, because that will make things 'better'."


    1. Ru

      Re: So basically...

      NSD is free and liberally licensed. I know OpenBSD has shipped with it for a little while, not looked to see who else does.

  4. SteveK

    "Secure64 markets DNS servers based on NSD (Name Server Daemon) and not BIND. Beckett denied suggestions that its warning about genetic diversity was either a disguised sales pitch or an example of mud-slinging against BIND."

    Absolutely not, it was merely a happy coincidence.

  5. vgrig_us

    Overstating the risks to drum up biz?

    "Secure64 DNS products are security-hardened commercial DNS appliances" - yep, talking up their own book.

    All this "bind is insecure" is BS. Useless company with useless product - "The SourceT Micro OS executes on standard Itanium server hardware, and provides the foundation for Secure64 software applications." Itanium? Really? Not even ported to anything else? What are they gonna do when Intel kills it?

    1. Anonymous Coward

      Re: Overstating the risks to drum up biz?

      Is "Who cares?" too harsh?

  6. Anonymous Coward


    80% of the DNS uses BIND - that's because it's the best product...and free. Yes, there have been vulnerabilities - but they get patched and dealt with without waiting for some Patch Tuesday.

    There's a similar story across the internet for other services - Apache rules WWW, ISC also rules DHCP, SQUID rules the proxy world.

    The fact that Secure64 market a DNS server makes this story not only biased, but Secure64 repugnant.

  7. Anonymous Coward

    I just remember all the IP addresses...... I'll not be losing sleep. I'm also v6 ready.

  8. Stan 2


  9. Herby

    We could wait for...

    A NEW Microsoft implementation. But the problem with that is that, given "Computer Darwinism", it would have been bred out of the system by now.

    Blue screens, and bad answers. Oh wait, that is why people use BIND (I thought it was Berkeley Internet Name Daemon, but it turns out I was wrong).

  10. Fazal Majid

    BIND is a bug-infested maze of spaghetti code with a history of security holes nearly as bad as sendmail. The comparison to Apache is apt - there is a reason why nginx is gaining so rapidly for web servers, or Postfix in the email space.

    djbdns is another option, unfortunately without IPv6 or DNSSEC support, and not actively maintained. PowerDNS is another (disclaimer: I used to work with Bert Hubert).

    That said, I don't see why anyone with a pulse would pay for a proprietary repackaging of an excellent open-source DNS server produced by NLNet, one of the organizations that maintain top-level DNS servers (in Europe). NSD and Unbound are some of the best DNS servers around, designed for massive scale, and a pleasure to administer compared to BIND or even DJBDNS. If they are suitable for you, you are best off building them yourself from the original open-source release.

  11. vwnatalie

    "Best Practice" Not a True Selling Point

    Any reputable DNS company that cares about their network and users will have more than just BIND implemented on the network. runs multiple brands of DNS server software and we also run multiple operating systems for our DNS servers. We believe that this is simply a "best practice," not a true selling point of a DNS provider.
