A love letter to ISC bind

Posted on 2021-02-22 by Nico Schottelius

Dear ISC bind,

this is a love letter to you. You probably don't know me, but I have been a long-term user of yours.

I started my time with you in the late 90's. It was when you were called "bind 4". I was very happy with our relationship. You'd not only take care of all authoritative requests, but also take care of caching client requests. Me, still being young at the time, I did not know nor care about security concerns in the beginning.

But then over time I got more experienced and I read about and tried DNS cache poisoning and I was shocked. How could you? How could you accept incorrect entries? I had so much trust in you and then that!

Years passed and after my shock, I had a fling with djbdns (together with qmail and daemontools), which right away took security more seriously. So seriously that even managing djbdns with its own suite was almost like a cryptanalysis adventure (no offense, Dan!). For many years this was my software solution of choice, compiled from source, patched by hand. Oh, the old 2000's!

Over time the effort for managing software by source code and /usr/local installations did not turn out to be very efficient. So I looked around and found powerdns, nsd and unbound.

I settled for the nsd/unbound combination for many years. Solid, easy to use and nice separation of concerns. Thanks nlnetlabs! Then I stumbled upon dnsmasq. Dnsmasq feels a bit like a younger sibling of bind: it does everything and even includes dhcp and tftp support! Crazy, isn't it? For many years to come, dnsmasq, first discovered on an embedded router, turned out to be a very stable solution for even mid-sized installations. And it comes with a very simple configuration as well.

But then 2017 happened. And ungleich started the Data Center Light project. An IPv6-first hosting. And there you were, dear bind. Looking at me from the side of the software projects, saying "I think it's time we have a talk."

And indeed, we did have a talk. A talk about implementing DNS64. About different DNS64 prefixes in one configuration. About being an authoritative name server that functions even if all upstreams are down. A name server that even allows the most funky configuration of removing native AAAA entries for DNS64 networks that should only access mapped IPv4 addresses. You can do it all, but you are still not complicated. Who can say that of oneself?

I admit, I was not always loyal to you. And I also admit that I am still sceptical about mixing caching and authoritative features in one process. But you do it so damn well. Not only have you been around for decades and collected the wisdom over the years, but you have also adapted to the times.

This is why I am writing you this love letter today, to say thanks. Thanks for making life in a data center easier, thanks for being flexible, thanks for improving over time and thanks for still adhering to the same configuration file format that I used in the late 90's.

Dear BIND, you are by far not perfect, but then neither is reality. And this is your strength, solving real world problems.

Thank you for doing so and thanks to all the involved developers for creating bind.

In love, yours,

Nico