Remote registration

Dear Friends,

Thank you regarding software that supports resellers. I think that, due to special laws in my country, the software has to be developed by my team and me; besides, the technology to pay by credit card or similar is not available in my country, and the only available way to pay is bank transfer.

Do we have any program for editing and appending to BIND zone files? In other words, a CGI program that takes the name server, IP address and domain name as input and then modifies or adds this entry?

Would you also please give me a suggestion about the DNS server program to use instead of BIND? It should be secure, reliable and fast. I always use BIND, but I heard it has many bugs even though I haven't seen any.

Thank you in advance,
Kind regards,
Alireza Saleh.
On Fri, Jul 25, 2003 at 03:05:22AM +0430, alireza saleh <saleh@mailhost.nic.ir> wrote a message of 18 lines which said:
Thank you regarding software that supports resellers. I think that, due to special laws in my country, the software has to be developed by my team and me.

It is quite difficult to write software that will work for every NIC in the world (even with a lot of options in the configuration file). Unless everybody chooses Verisign's model of a registry, of course. But if you want to follow your own way, you'll have to do some coding.
Do we have any program for editing and appending to BIND zone files? In other words, a CGI program that takes the name server, IP address and domain name as input and then modifies or adds this entry?

I would suggest another way: put the information (domain names, contacts, name servers - not always with the IP address, only when it's necessary, reseller, etc) in some sort of database (an RDBMS, for instance) and have the zone file be generated from the database.

1) Your CGI will then edit the database (easier than parsing the BIND zone file); every "database-backed Web site" works that way. See <URL:http://www.oreilly.com/catalog/webdbapps/> for a PHP example (but you can do it in Perl, Python, whatever).

2) To extract info from the database, use something like Perl DBI <URL:http://www.perl.com/pub/a/1999/10/DBI.html> (a ten-line script is sufficient) or a shell command as simple as (for PostgreSQL):

    #!/bin/sh
    psql -q --no-align --tuples-only registry \
      -c "SELECT address, hosts.name as host, domains.name as domain \
          FROM Hosts,Domains,Nameservers \
          WHERE nameservers.domain = domains.id AND \
          nameservers.nameserver = hosts.id" |\
    awk -F \| '{ print $3". IN NS "$2"."; if ($1) {print $2". IN A "$1"" } }'

3) You will have all the power of the database at your disposal. For instance, you'll be able to develop new applications with SQL quite easily. A whois server becomes very simple to create, for instance.

This is more work than just managing the BIND zone file but it's worth it, IMHO.
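As an added example (not code from the thread or from any poster), here is the same "generate the zone from the database" step in Python against an in-memory SQLite database, so it runs offline. The Hosts/Domains/Nameservers table and column names are assumptions read off the psql query above, and the rows are constructed sample data. It goes slightly beyond the one-liner in one respect: each glue A record is emitted only once, even when the same host serves several domains.

```python
"""Generate NS and glue A records for a zone from a relational database.

Added example, not from the thread. The Hosts/Domains/Nameservers tables
and their columns are assumptions read off the psql query in the post;
the rows are constructed sample data, and an in-memory SQLite database
stands in for PostgreSQL so this runs offline.
"""
import sqlite3

SCHEMA = """
CREATE TABLE Hosts (id INTEGER PRIMARY KEY, name TEXT NOT NULL, address TEXT);
CREATE TABLE Domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE Nameservers (
    domain     INTEGER NOT NULL REFERENCES Domains(id),
    nameserver INTEGER NOT NULL REFERENCES Hosts(id)
);
"""

# Constructed sample: ns1.example sits inside the zone, so its address is
# stored and glue is needed; ns.other.test is out of zone, so no address.
SAMPLE_HOSTS = [(1, "ns1.example", "192.0.2.1"), (2, "ns.other.test", None)]
SAMPLE_DOMAINS = [(1, "example"), (2, "sample")]
SAMPLE_NAMESERVERS = [(1, 1), (1, 2), (2, 2)]   # (domain id, host id)

# Same join as the psql one-liner; ORDER BY only makes the output stable.
QUERY = """
SELECT hosts.address, hosts.name AS host, domains.name AS domain
FROM Hosts, Domains, Nameservers
WHERE nameservers.domain = domains.id AND nameservers.nameserver = hosts.id
ORDER BY domains.name, hosts.name
"""


def build_sample_db():
    """Create and populate the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO Domains VALUES (?, ?)", SAMPLE_DOMAINS)
    conn.executemany("INSERT INTO Nameservers VALUES (?, ?)", SAMPLE_NAMESERVERS)
    conn.commit()
    return conn


def zone_records(conn):
    """Return zone file lines: one NS record per delegation, plus one glue
    A record per host that has an address. Unlike the awk version, the glue
    is emitted once per host even if the host serves several domains."""
    lines = []
    glue_done = set()
    for address, host, domain in conn.execute(QUERY):
        lines.append(f"{domain}. IN NS {host}.")
        if address and host not in glue_done:
            lines.append(f"{host}. IN A {address}")
            glue_done.add(host)
    return lines


if __name__ == "__main__":
    print("\n".join(zone_records(build_sample_db())))
```

Running the module prints the records for the constructed data; in a real registry the generated text would be prefixed with the zone's SOA and apex NS records and written to the file the name server loads.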
On Fri, Jul 25, 2003 at 03:05:22AM +0430, alireza saleh <saleh@mailhost.nic.ir> wrote a message of 18 lines which said:
Would you also please give me a suggestion about the DNS server program to use instead of BIND? It should be secure, reliable and fast. I always use BIND, but I heard it has many bugs even though I haven't seen any.
BIND is the Apache of DNS servers: it does a lot of things and it is heavily configurable. If you do not need all its features, the best choice (I only consider free software) is, IMHO, nsd <URL:http://www.nlnetlabs.nl/nsd/index.html>, which is much smaller (and therefore probably more secure) and much faster (although you may not see it on a lightly loaded name server). You may consider PowerDNS also: <URL:http://www.powerdns.com/>. It has an interesting feature, you can use various backends (and even write your own) to manage the actual data store.
At 10:14 AM +0200 2003/07/25, Stephane Bortzmeyer wrote:
BIND is the Apache of DNS servers: it does a lot of things and it is heavily configurable. If you do not need all its features, the best choice (I only consider free software) is, IMHO, nsd <URL:http://www.nlnetlabs.nl/nsd/index.html>, which is much smaller (and therefore probably more secure) and much faster (although you may not see it on a lightly loaded name server).
Keep in mind that nsd was written for the exclusive task of serving DNS for TLD nameservers, and leaves out a lot of features that are present in BIND. It's also not as user/admin-friendly as BIND -- the authors assume that you know what you're doing and can work with minimal documentation. This may or may not be an issue in this case, but you should at least be aware of these limitations.

Also note that nsd pre-calculates all possible supported queries and all possible answers, and then builds the results into a hash table which is only updated when you re-run the parsing/compilation routines to rebuild the hash table. This means that the answers it provides may be formatted somewhat differently than others might expect from a nameserver.

Note that nsd is very, very fast, but it's a lot like a top fuel nitro-burning unlimited dragster -- if you want to run it, you had probably better be the equivalent of "Big Daddy" Don Garlits, or you may well find that you have backed yourselves into a corner that you can't get out of (without blowing up everything in a quarter-mile radius).

Contrariwise, BIND is a more general-purpose vehicle that is widely understood by most of the people in the business, and is by far the best-documented software in the field.
You may consider PowerDNS also: <URL:http://www.powerdns.com/>. It has an interesting feature, you can use various backends (and even write your own) to manage the actual data store.
BIND can also support SQL backends, and there are plenty of commercial high-end products based on it. See <http://www.isc.org/products/BIND/vendorware.html>.

Contrariwise, PowerDNS has had more than a few problems with the caching/recursor and certain other parts of the system, and is very sensitive to the back-end database being used. The documentation is somewhat lacking in this regard -- if you want to use this software, you should subscribe to the mailing list to obtain the current best wisdom regarding system setup and configuration, etc....

If you're willing to consider commercial alternatives, I can highly recommend the software from Nominum. Both ANS (Authoritative Name Service) and CNS (Caching Name Service) are ultra-high performance packages, with a broad array of supported back-ends, well documented, with good quality commercial support available from the vendor. See <http://www.nominum.com/products_technology.php?id=85> for more info.

If you want to see a comparison/contrast that I did regarding the various pieces of software, check out <http://www.shub-internet.org/brad/papers/dnscomparison/>, and especially the RIPE44 version of this presentation. Note that while I could get quite respectable performance on my test system from nsd and the Nominum software, I never got anything better than single-digit performance from PowerDNS. I remain convinced that this was a configuration problem which I could not get resolved in time, despite the help that I was soliciting from the mailing list.

--
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On Fri, 25 Jul 2003, Brad Knowles wrote:
At 10:14 AM +0200 2003/07/25, Stephane Bortzmeyer wrote:
BIND is the Apache of DNS servers: it does a lot of things and it is heavily configurable. If you do not need all its features, the best choice (I only consider free software) is, IMHO, nsd <URL:http://www.nlnetlabs.nl/nsd/index.html>, which is much smaller (and therefore probably more secure) and much faster (although you may not see it on a lightly loaded name server).
Note that nsd is very, very fast, but it's a lot like a top fuel nitro-burning unlimited dragster -- if you want to run it, you had probably better be the equivalent of "Big Daddy" Don Garlits, or you may well find that you have backed yourselves into a corner that you can't get out of (without blowing up everything in a quarter-mile radius).
Contrariwise, BIND is a more general-purpose vehicle that is widely understood by most of the people in the business, and is by far the best-documented software in the field.
But complexity in software tends to generate various issues... nsd is good but, as you said, it concentrates on one task. Regarding nsd, the major lack is the logging... I was wondering about a 'dnstop'-like tool that can handle a large volume of nameserver query/reply logging. Is anyone on this list a user of a "pcap"-like capture logging method for a high-volume nameserver?
If you're willing to consider commercial alternatives, I can highly recommend the software from Nominum. Both ANS (Authoritative Name Service) and CNS (Caching Name Service) are ultra-high performance packages, with a broad array of supported back-ends, well documented, with good quality commercial support available from the vendor.
s/commercial/proprietary/g ;-)

adulau

-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance that we can solve them" Isaac Asimov
At 11:23 PM +0200 2003/07/25, Alexandre Dulaunoy wrote:
But complexity in software tends to generate various issues...
If you want a fully compliant nameserver, there's not much choice.
nsd is good but, as you said, it concentrates on one task. Regarding nsd, the major lack is the logging...

Not true. It doesn't support UPDATE. IIRC, it doesn't support any of the DNSSEC stuff. It doesn't even support round-robin. It throws almost all of the protocol out the window. There are cases where the very limited feature set it provides is sufficient, but they are few and far between.
I was wondering about a 'dnstop'-like tool that can handle a large volume of nameserver query/reply logging. Is anyone on this list a user of a "pcap"-like capture logging method for a high-volume nameserver?
I've heard of some tools to do this sort of thing, yes. However, they are not well known, and certainly have not been publicly released. There might be one or two other people on the list I can think of who might have also heard of them.
... broad array of supported back-ends, well documented, with good quality commercial support available from the vendor.
s/commercial/proprietary/g ;-)
Proprietary implementation, yes. However, it does fully implement all of the protocols and features (as well as or better than BIND), and as far as people who are outside are concerned, the interfaces and the protocol support are all that matter.

Of course, it's all based on good quality code, much of which is open source. For example, one of the primary database formats supported is Berkeley db. The folks at Nominum have made a point of not re-inventing any wheels that don't need to be re-invented.

It's good quality code, supports a good variety of hardware and OS platforms, better than any of the commercial stuff based on BIND (and I believe quite a bit cheaper as well). The support staff are excellent, and the company is willing to work closely with folks to find a solution that works best for them.

The thing that surprised me the most is not the individual products they have (each of which is best in its field, IMO), but the integration. When you tie all that together the way they have, you get an unstoppable combination.

Of course, the person on this list who could argue for it the best is hamstrung by his position within this group. I'm sure he wouldn't want to be seen as abusing the trust placed in him.

--
Brad Knowles, <brad.knowles@skynet.be>
On Sat, Jul 26, 2003 at 12:14:46AM +0200, Brad Knowles <brad.knowles@skynet.be> wrote a message of 68 lines which said:
IIRC, it doesn't support any of the DNSSEC stuff.
Expected "soon". The current version, 1.2.1, already contains many internal things useful for DNSsec.
The support staff are excellent, and the company is willing to work closely with folks to find a solution that works best for them.
Even in Iran, which was the original question? One of the problems with proprietary code is that you depend on the relations between your government and the US government. For instance, users of MS-Windows server OS in India were denied updates of their software after the nuclear tests (desktop OS were not concerned but server OS were on a black list).
"Stephane" == Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:
Stephane> Even in Iran, which was the original question? One of
Stephane> the problems with proprietary code is that you depend on
Stephane> the relations between your government and the US
Stephane> government.

It's not even that simple unfortunately. The US International Emergency Economic Powers Act applies to *anyone anywhere* who does business with a state that the President considers to be a "rogue state". The penalties include large fines and jail. [IIUC the definition of "doing business" is very broad and could well include providing Open Source to those states. The current US regime is unlikely to interpret those rules liberally.] You might recall some people choosing not to stay at the conference hotel for the RIPE meeting in Prague because the hotel was owned by the Libyans.

This subject is way off topic for this list. Any further discussion of the politics should go somewhere other than dns-wg@ripe.net.
On Sat, Jul 26, 2003 at 12:14:46AM +0200, Brad Knowles <brad.knowles@skynet.be> wrote a message of 68 lines which said:
But complexity in software tends to generate various issues...
If you want a fully compliant nameserver, there's not much choice.
Fully compliant with every RFC ever published about the DNS? Come on, most TLDs use only a very small fraction of it (is there a TLD which authorizes UPDATE?) and they typically shut down, at compile time or configuration time, most of the features of BIND.

PS: BTW, I regret that a question about "remote registration" turns into a discussion on the best nameserver software. Most of the problems of a TLD do not come from the nameserver (some even outsource it, like ".info") but from the registration system, which was the original question, and a much more difficult one.
At 11:05 +0200 7/28/03, Stephane Bortzmeyer wrote:
On Sat, Jul 26, 2003 at 12:14:46AM +0200, Brad Knowles <brad.knowles@skynet.be> wrote
If you want a fully compliant nameserver, there's not much choice.
Fully compliant with every RFC ever published about the DNS? Come on,
Before even wading into that argument - the RFCs on DNS are so loosely written, being "fully compliant" is impossible. For instance, there is code in RFC 1876 which is buggy. (Yes, yes, it's an experimental RFC...but...)

--
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

...as graceful as a blindfolded bull in a china shop...
On Fri, Jul 25, 2003 at 11:23:35PM +0200, Alexandre Dulaunoy <adulau@foo.be> wrote a message of 49 lines which said:
Regarding nsd, the major lack is the logging...
nsd logs statistics (unlike BIND 9) but does not log individual queries, if this is what you want. For a typical TLD, it would be too much work but the main reason, I suspect, is the desire to keep the code small. As you said, the proper place to record DNS queries is outside of the name server.
Stephane Bortzmeyer wrote:
On Fri, Jul 25, 2003 at 11:23:35PM +0200, Alexandre Dulaunoy <adulau@foo.be> wrote a message of 49 lines which said:
Regarding nsd, the major lack is the logging...
nsd logs statistics (unlike BIND 9) but does not log individual queries, if this is what you want. For a typical TLD, it would be too much work but the main reason, I suspect, is the desire to keep the code small. As you said, the proper place to record DNS queries is outside of the name server.
One disadvantage of this is that you don't know how the server interpreted the query.

--
Shane Kerr
RIPE NCC
Shane Kerr wrote:
One disadvantage of this is that you don't know how the server interpreted the query.
what part of this interpretation do you expect to learn from *query* logging? -Peter
Peter Koch wrote:
Shane Kerr wrote:
One disadvantage of this is that you don't know how the server interpreted the query.
what part of this interpretation do you expect to learn from *query* logging?
For instance, if the server does not recognise a class/type, then the server log can record this information. Otherwise someone doing log analysis will have to read the query log, and then parse the query, and then know (somehow) what class/types the server supports. Even if the script/program doing this analysis knows exactly what the server is doing, it will have to be updated when the server is updated. And if you want to look at historical data, you have to know exactly how the server interpreted queries in the past.

--
Shane Kerr
RIPE NCC
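An added example, not code from any of the posters: a minimal query-side logger of the kind discussed in this sub-thread (query logging done outside the name server, as from a "pcap"-like capture). It decodes the question section of DNS packets in wire format and marks any qtype or qclass it has no name for, which is exactly the table that Shane's point says must be kept in step with what the server actually supports. The packets are constructed inline with a small encoder; the type and class tables are the logger's own and are deliberately partial.

```python
"""Decode the question section of DNS queries for an external query log.

Added example, not from the thread. QTYPE_NAMES and QCLASS_NAMES are the
logger's own (incomplete) tables; a server with a different table would
interpret the same packet differently, which is the point made above.
"""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
QCLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}


class MalformedQuery(ValueError):
    """Raised for packets the logger cannot decode as a standard query."""


def build_query(qname, qtype, qclass=1, txid=0x1234):
    """Constructed sample input: encode a standard query (QDCOUNT=1, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b""
    for label in qname.rstrip(".").split("."):
        name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


def parse_query(packet):
    """Return id, qname, qtype and qclass of a wire-format query.

    Length is checked before every read so a truncated capture yields
    MalformedQuery instead of an IndexError or a misdecoded record.
    """
    if len(packet) < 12:
        raise MalformedQuery("short header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise MalformedQuery("QR bit set: not a query")
    if qdcount != 1:
        raise MalformedQuery(f"unexpected QDCOUNT {qdcount}")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise MalformedQuery("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # A question name in a query has nothing earlier to point at.
            raise MalformedQuery("compression pointer in question name")
        if length > 63 or pos + length > len(packet):
            raise MalformedQuery("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise MalformedQuery("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    qname = ".".join(labels) + "." if labels else "."
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def log_line(packet):
    """One log line per packet; unknown codes get RFC 3597 style names and
    a marker so the analyst can see where the logger's table ran out."""
    try:
        q = parse_query(packet)
    except MalformedQuery as err:
        return f"MALFORMED {err}"
    type_name = QTYPE_NAMES.get(q["qtype"], f"TYPE{q['qtype']}")
    class_name = QCLASS_NAMES.get(q["qclass"], f"CLASS{q['qclass']}")
    marker = ""
    if q["qtype"] not in QTYPE_NAMES or q["qclass"] not in QCLASS_NAMES:
        marker = " [not in logger's table]"
    return f"{q['qname']} {class_name} {type_name}{marker}"


if __name__ == "__main__":
    # Constructed captures: a normal query, an unknown type, and a truncated one.
    for pkt in (build_query("www.example", 1),
                build_query("example", 65000),
                build_query("www.example", 1)[:20]):
        print(log_line(pkt))
```

In a real deployment the packets would come from a capture on the server's interface rather than from build_query; the decode and the marker logic stay the same.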
On Fri, Jul 25, 2003 at 03:05:22AM +0430, alireza saleh <saleh@mailhost.nic.ir> wrote a message of 18 lines which said:
Do we have any program for editing and appending to BIND zone files? In other words, a CGI program that takes the name server, IP address and domain name as input and then modifies or adds this entry?
I maintain my opinion that a "real" database would be a better solution but I notice that the excellent Webmin program <URL:http://www.webmin.com/> has a BIND module that does exactly that.