Yadifa, new name server by .eu (yadifa.eu)
79 points by riffraff on July 2, 2012 | 14 comments



This will be interesting when:

1. a bunch of netsec/security geeks have looked at it (calling @tptacek, @cpercival)

2. @djb et al have ranted about it a bit. :)

Till then it's going to be hard to imagine that they can get any traction with such crucial infrastructure.


> 1. a bunch of netsec/security geeks have looked at it (calling @tptacek, @cpercival)

Agreed - but it seems that this is an authoritative-only name server, which means it shouldn't be susceptible to cache poisoning, which is where the most awful DNS server security vulnerabilities have been.


It is nice to see that we are moving from huge and clumsy DNS servers (BIND) to smaller servers with a specific focus: unbound as resolver, NSD/Yadifa for authoritative servers.

Now that we have them, couldn't some core code be shared between all these projects and receive more scrutiny than it receives now? For example the code that parses incoming packets or generates replies could easily be shared (in theory).


I'm no fan of BIND, though operationally having separate servers can be problematic: if you want to run both a recursive and an authoritative DNS server on the same host (pretty common for DNS servers on internal networks) you need two IP addresses. PowerDNS works around this by having their authoritative server forward recursive queries to a host/port that you specify.

Agreed that code sharing would be nice, and more important than ever since the rise of small servers with specific focus.


> couldn't some core code be shared between all these projects

There are also advantages to having independent implementations for such crucial software. A fatal flaw that no one caught in one implementation may not take out the whole system.


While this is true for bigger design issues, I fear it is not true for smaller problems like off-by-one accesses and all the common parsing issues.

Smaller problems require a lot of time, attention and testing to be found. Having a single code base can do wonders for these kinds of smaller, but often fatal, problems.
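
The two comments above about a shared, well-scrutinised packet parser and about off-by-one and parsing bugs are illustrated by the following added example; it is not code from YADIFA, NSD or any other project named in this thread. It is a small defensive parser for the DNS header and question section in C: every label byte is bounds-checked, the RFC 1035 name limits (63-byte labels, 255-byte names) are enforced, compression pointers must point backwards and are hop-limited, and the output buffer is never written past its end. The three messages at the bottom are constructed by hand, not captured traffic; one is well-formed (and carries a compressed name after the question), one has a label length that runs past the end of the message, and one has a compression pointer that points at itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed DNS message header (RFC 1035, section 4.1.1). */
typedef struct {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
} dns_header;

/* One question entry; name is dotted text with a trailing dot. */
typedef struct {
    char name[256];
    uint16_t qtype, qclass;
} dns_question;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Reads the 12-byte header. Returns 0, or -1 if the message is too short. */
int dns_parse_header(const uint8_t *msg, size_t len, dns_header *h)
{
    if (len < 12) return -1;
    h->id = rd16(msg);          h->flags = rd16(msg + 2);
    h->qdcount = rd16(msg + 4); h->ancount = rd16(msg + 6);
    h->nscount = rd16(msg + 8); h->arcount = rd16(msg + 10);
    return 0;
}

/* Decodes a possibly compressed domain name at *off into out as dotted text.
 * On success *off is moved past the name as it appears in the message (just
 * past the first pointer, if compressed). Returns 0, or -1 on malformed input. */
int dns_parse_name(const uint8_t *msg, size_t len, size_t *off,
                   char *out, size_t outlen)
{
    size_t pos = *off, end = 0, olen = 0, wire = 0;
    int jumped = 0, hops = 0;

    if (outlen < 2) return -1;                 /* room for "." and NUL */
    for (;;) {
        if (pos >= len) return -1;             /* length byte past the end */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {              /* compression pointer */
            if (pos + 1 >= len) return -1;     /* second pointer byte missing */
            size_t ptr = (size_t)((c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            if (++hops > 64 || ptr >= pos) return -1;  /* loop or forward pointer */
            pos = ptr;
            continue;
        }
        if (c & 0xC0) return -1;               /* reserved label types 0x40/0x80 */
        pos++;
        wire += c + 1;
        if (wire > 255) return -1;             /* name longer than RFC 1035 allows */
        if (c == 0) {                          /* root label ends the name */
            if (!jumped) end = pos;
            break;
        }
        if (pos + c > len) return -1;          /* label runs past the message */
        if (olen + c + 1 >= outlen) return -1; /* label + '.' + NUL must fit */
        memcpy(out + olen, msg + pos, c);
        olen += c;
        out[olen++] = '.';
        pos += c;
    }
    if (olen == 0) out[olen++] = '.';          /* the root name itself */
    out[olen] = '\0';
    *off = end;
    return 0;
}

/* Parses one question entry at *off (QNAME, QTYPE, QCLASS). Returns 0 or -1. */
int dns_parse_question(const uint8_t *msg, size_t len, size_t *off, dns_question *q)
{
    if (dns_parse_name(msg, len, off, q->name, sizeof q->name) != 0) return -1;
    if (*off + 4 > len) return -1;             /* QTYPE and QCLASS missing */
    q->qtype = rd16(msg + *off);
    q->qclass = rd16(msg + *off + 2);
    *off += 4;
    return 0;
}

/* Header plus first question; rejects messages that claim no question. */
int dns_parse_query(const uint8_t *msg, size_t len, dns_header *h, dns_question *q)
{
    size_t off = 12;
    if (dns_parse_header(msg, len, h) != 0 || h->qdcount == 0) return -1;
    return dns_parse_question(msg, len, &off, q);
}

/* Constructed sample messages (hand-built for this example, not captured traffic). */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,  /* id, RD query, QDCOUNT=1 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                                /* QTYPE=A, QCLASS=IN */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10  /* offset 33: "mail" + pointer to offset 16 */
};
static const uint8_t truncated_msg[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    0x32, 'a', 'b', 'c'                       /* label claims 50 bytes, 3 present */
};
static const uint8_t loop_msg[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01         /* pointer to offset 12: itself */
};

int main(void)
{
    dns_header h; dns_question q; char name[256]; size_t off = 33;
    if (dns_parse_query(sample_msg, sizeof sample_msg, &h, &q) == 0)
        printf("id=%04x qname=%s qtype=%u\n", h.id, q.name, q.qtype);
    if (dns_parse_name(sample_msg, sizeof sample_msg, &off, name, sizeof name) == 0)
        printf("compressed name=%s next offset=%zu\n", name, off);
    printf("truncated label rejected: %d\n",
           dns_parse_query(truncated_msg, sizeof truncated_msg, &h, &q) == -1);
    printf("pointer loop rejected: %d\n",
           dns_parse_query(loop_msg, sizeof loop_msg, &h, &q) == -1);
    return 0;
}
```

The point of the example is how many distinct checks a correct name decoder needs (length byte present, label within the message, output buffer not exceeded, 255-byte total, pointer target valid, pointer chain bounded); each one is a place where a hand-rolled parser in a single server can be off by one, which is why a shared and heavily tested implementation of exactly this code is attractive.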


I think djb is a brilliant programmer, and he has written some absolutely fantastic code, but I also think that he is becoming less and less relevant as time goes on. Various DNS servers have massively improved, security is being taken more seriously (due in part to him, no doubt) but his software doesn't seem to be moving forward...

dnscache for example doesn't (at least in my testing) connect over IPv6 to a remote name server to resolve a domain, nor does it do DNSSEC validation (and I understand DJB doesn't like DNSSEC; unfortunately it is here, and I think that more and more having a validating resolver is a good idea).


I am already running it and I like it so far. Quite an interesting alternative to Bind.


Competition is good. http://www.isc.org/bind10 needed some :)


Also worth noting: http://www.knot-dns.cz/ authoritative-only DNS server by labs.nic.cz


http://unbound.net/ Here is another lesser known but actively developed DNS server.

The cool thing is that you can hook into the resolving chain with C and/or Python.


unbound is a resolver, which I think is a bit different from this. unbound's NLnet Labs also make NSD, which is their authoritative server, and that is one of the servers mentioned and compared to on YADIFA's site.


While unbound isn't entirely on topic, I thought I'd mention that it will possibly be used in Firefox in the future. https://wiki.mozilla.org/Necko/DNS/ResolverIntegration


What's it got over PowerDNS?



