djbdns home page

Sie suchen eine deutschsprachige Seite zu djbdns? Or a Japanese one?

Introduction

djbdns is a replacement for BIND. It is secure, reliable, small, fast, etc etc etc. Just like all of Dan Bernstein's tools. Dan has his own page for djbdns. We've got this one so we can distribute our enhancements to djbdns.

Switching to djbdns because of BIND's bugs, or simple misfeatures like the format of the zone files? Dan has a web page for people switching from bind.

Dan has a mailing list for djbdns. Fred Lindberg has a web-accessible archive. There's also a searchable archive. Please read the FAQTs page on djbdns before asking for help.

Felix von Leitner has a FAQ. Luis Toro Teijeiro has translated the djbdns documentation into Spanish.

The Open Root Server Confederation has a page on configuring djbdns to work with their list of top-level domains.

Dnscache is a recursive resolver, intended to be listed in /etc/resolv.conf's "nameserver" entry. It makes DNS queries via UDP and TCP as needed. It imposes restrictions on what it will return; that's why it was written. It will only provide data obtained from authoritative servers. These servers are found via a chain of delegations from authoritative servers starting from the configured-in roots. That's part of its security model. If it were to do anything less, it would be subject to the same cache-poisoning style attacks that work on the current insecure DNS servers.

Tinydns does authoritative nameserving via UDP only; it does not do recursive nameserving, nor does it answer TCP queries (axfrdns does that). The only hosts that should ask tinydns for a host are recursive nameservers, such as those found in /etc/resolv.conf, like djbdns or bind. Tinydns should never be listed in /etc/resolv.conf. Tinydns interoperates properly with every authoritative and recursive nameserver I know of, and supporting all the standards needed to do so.

Zone transfers are only supported over TCP. The zone transfer server is named axfrdns, and the client is named axfr-get. Both of these use Dan Bernstein's ucspi-tcp helpers. Why separate programs? To limit security incursions, and because many sites do not need zone transfers. As BIND has shown, excessive functionality is a root to security disasters.

Articles

LWN

BSDToday

SecurityFocus

Kuroshin

Commercial support

Commercial support for djbdns is available:

LIGHTWERK provides support for djbdns, qmail and most other Bernstein software. Support is mainly provided for Germany and nearby countries.
Virtual Estate Internet supports djbdns.
Quist Consulting provides support for djbdns.
MNIS does support for djbdns in France.
AiDA Systems provides djbdns support, by phone, online (remote via ssh), and on-site. Also, preconfigured/custom built djbdns and/or qmail servers. Load balancing, Replication, virtual hosting and mysql support at affordable prices. It's time to give up buggy/insecure bind. Call Now: (888)466-8171
Flavio Curti provides commercial support for djbdns in Switzerland.

Contributions

A few people have contributed enhancements:

Bennett Todd has a set of programs to work with BIND zone files. tinydns-data-pull copies over a set of BIND files using ssh. tinydns-data-compactor consolidates forward and reverse records. tinydns-data-beautify sorts and combines like-records together.
Uwe Ohse has a patch to allow any client to access DNScache. He also has a patch to get dnsfilter replace the IP address by the hostname. He also has a patch to cause tinydns to bind to multiple IP addresses.
Felix von Leitner has three packages
- An ipv6 patch for djbdns.
- An ipv6 patch for ucspi-tcp (for axfr).
- His libdjb packages up Dan's libraries.
Faried Nawaz has a DNScache logfile formatter, and Kenji Rikitake modified it to be a TinyDNS logfile formatter. DNScache logs are not formatted to be human-readable.
Jos Backus wrote a dnsnotify program to send out BIND notify messages. James Raftery modified it to notify all servers, and set the AA bit. It takes a zone and a list of slave addresses, builds a NOTIFY request and sends it to each of the slaves, printing the result. This in turn will cause each slave to do a SOA lookup and serial number comparison, followed by a zone transfer if the serial number has changed. Further, Andrew Pam modified it to create tinydns-notify, in order to be able to send "NOTIFY" messages only to his slaves that are running BIND, and only when their zones have changed.
Henning Brauer has published his method for exporting DNS records from a mysql database into tinydns's data file.
Matthias Andree has instructions on how to force dnscache to timeout if you have a transient (aka dialup) Internet connection.
Matt Armstrong wrote autoaxfr. It wraps axfr-get to read a control file.
Russ Nelson wrote axfr. Axfr builds tinydns's data file from a combination of single-zone files beginning with primary, and subdirectories of secondaried files beginning with axfr. The name of the subdirectory is the IP address of the primary. Chris K. Young wrote a man page.
Michael Handler wrote a SRV patch, which lets tinydns-data and axfr-get work natively with SRV records. This patch also has a work-around for BIND's improper compression of PTR records.
Dan Peterson needed to set a SOA contact address other than what tinydns-data sets, so he wrote a new command, 'D'. It defines the contact address to be used for all subsequent records. An empty contact address means that tinydns-data should resume manufacturing a contact address. Note: should you happen to care about such things, note that this record creates a context that prevents you from re-ordering the 'data' file.
Interested in DNS-LOC (inserting your location into your DNS)? djbdns supports DNS-LOC.
ldap2dns is designed to write binary data.cdb files used by tinydns from data retrieved from an LDAP database.
Bruce Guenter has sqldjbdns, a SQL DNS server based on djbdns.
Gerrit Pape has created man pages from Dan's documentation.
Balázs Nagy has a modification to tinydns-data which causes it to accept multiple filenames on the command line. Each file's timestamp is the default for all zones defined in that file.
Dan Peterson has a patch for dnscache so it can bind to multiple IP addresses and serve queries on those IP addresses from the same cache.
Mate Wierdl has an RPM of djbdns. So does Andy Dustman
Gerrit Pape has Debian packages. Add the following line to /etc/apt/sources.list:

deb ftp://ftp.innominate.org/gpa/Debian potato unofficial

Don't forget to run "update" so these packages will be added to the list.
Florent Guillaume has a patch to dnscache which lets you save and load the cache.
Thomas Mangin has a round-robin patch for dnscache. Note that this is for dnscache, not tinydns.

Other DNS-related sites

Russell Nelson

Last modified: Fri Jun 15 00:21:03 EDT 2001