On 23 Oct 2013, at 11:50, Johan Ihrén <johani(a)johani.org> wrote:
Hi Jan,
On Oct 23, 2013, at 10:50 , Jan Včelák wrote:
So, while I'm well aware that this is not what is currently being planned
for Knot-DNS, this is my view on the topic:
I quite understand your motivation and your arguments are very reasonable.
Thank you.
However, some people just want an all-in-one solution
for DNS and DNSSEC, which
will work out of the box - that's our current goal.
Which is fine. I'm fully aware that many people want that. And some people want their
own pony. And lower taxes. ;-)
I'm also aware that many people would like to continue to just use BIND9 forever,
because BIND9 is the ultimate all-in-one-solution... only the world has come to understand
after BIND9 was designed that "all-in-one" has serious drawbacks.
To some extent the primary reason that we're here, the reason why we have NSD3/4,
Unbound, Yadifa, Knot-DNS, etc, is because of the drawbacks of the BIND9 all-in-one
alternative, which are increasingly obvious. But ISC really cannot "fix" BIND9,
in spite of being aware of the drawbacks of all-in-one, because of the installed base.
I'd hate to see Knot-DNS go down the same path (and get stuck there, which happens
quickly when there's adoption) when you're starting out late enough to both be
aware of the architectural drawbacks and not be captive to a gigantic installed base.
Let me just add an integrator and implementor perspective here, and agree that a more
modular approach to BIND9 would be preferable. To illustrate, one of the reasons FreeBSD
decided to move away from BIND9 as the system resolver library is exactly the inclusion of
everything and the kitchen sink. That meant, for example, that FreeBSD had to release
Security Advisories for FreeBSD for bugs in the authoritative part of BIND9, while all
that the system needs is the resolver part.
That is not to say that there should not be any overlap, clearly building all the tools
and daemons on a common set of libraries makes a lot of sense. From a distribution and
installation point, I'd like to see something that makes it easy to package and run a
few common use cases independent from each other; this could be an authoritative server, a
recursive server, cli tools, and a stand-alone signer/key handler. How to implement that
in an easy way is less obvious, e.g. making sure that each package does not overwrite
other packages' common libraries when installed on the same machine, etc.; the devil is
in the details as always.
Erwin