[CentOS] tinydns/djbdns opinion poll

Tue Feb 10 20:29:43 UTC 2009
Florin Andrei <florin at andrei.myip.org>

Jake wrote:
> 
> We're about to start moving our public DNS to in-house managed
> servers. My first thought was "Linux + BIND" and we're done. Someone
> in another business unit's IT dept. has suggested tinydns be used.

Here's the straight dope:

There was a time (circa 2000) when tinydns had a reason to exist. Back 
then, years ago, Bind was so horribly buggy, you couldn't afford to put 
it online, unless you were willing to deal with all the trouble. So many 
people, myself included, used tinydns extensively. It was tiny, fast, 
easy and solid. Also weird and unlike anything else (except DJB's own 
software). But we were an ISP and we just couldn't afford to babysit 
Bind all day long - DNS just had to continue working flawlessly.

But things have changed. Nowadays Bind is solid enough. If you're still 
worried about security issues (you shouldn't, but I'm assuming the 
paranoid scenario) then CentOS has a good SELinux policy around it, so 
just install the latest CentOS, keep SELinux enabled, do a "yum update" 
every once in a while, and be at peace. By the way, this is also the 
most sweat-free solution from a sysadmining perspective.

If you're serving a fairly large number of domains, or for some reason a 
SQL backend seems useful in your case, the alternative you're looking 
for is PowerDNS, not tinydns.

The way tinydns became obsolete is nothing new. I remember using qmail 
back in the day - yes, I was a DJB fanboy. It was great, especially at a 
time when Sendmail had more holes in it than a metric ton of Swiss 
cheese. But then Postfix came along, and I had no reason to stick with 
qmail anymore.

Such is the computer industry - licentious and forgetful. :-)

-- 
Florin Andrei

http://florin.myip.org/