RealTime IT News

VeriSign Takes Aim at Open Source DNS

At the heart of the Internet is DNS, the system that translates domain names into IP addresses. For the last two decades, the world of open source DNS has been dominated by a single technology -- BIND (Berkeley Internet Name Domain).

Now VeriSign, the company that runs the .com and .net domains, is aiming to provide an open source alternative to BIND, called Unbound.

"Until now, if you wanted a free recursive name server, you really only had one choice, BIND," Matt Larson, director of DNS research at VeriSign, told InternetNews.com. "We wanted to create an alternative to BIND -- we think that diversity is a good thing and we wanted to give something back to the community."

In addition to VeriSign, the Unbound effort is sponsored by UK domain registry Nominet and is being actively developed by Dutch technology research group NLnet Labs.

Larson said the idea behind Unbound 1.0 was to design the perfect recursive name server from scratch. Starting with a clean slate enabled developers to create a server designed around performance, while also including support for DNSSEC (DNS security extensions) right from the beginning.

While the extensions add integrity and authentication checks to DNS data, Larson said DNSSEC deployment to date has been hindered by its performance impact. (BIND has had DNSSEC since at least the BIND 9.3 release in 2004.)

"Performance is a concern since DNSSEC is adding a lot of additional processing to the resolution path," Larson said. "The advantage of Unbound being high-performance is you want everything to happen as fast as possible. That would help address people's concerns about DNSSEC."

He added that VeriSign would not use Unbound to manage the .com or .net registries, which are currently managed with VeriSign's Atlas authoritative DNS software. Still, Larson did note that VeriSign is using Unbound internally as a recursive DNS tool.

Wither BIND?

The debut of Unbound 1.0 marks the culmination of four years of development aimed at offering a new choice for DNS. While BIND now plays a critical role in the Internet's operation, supporters of the new Unbound server believe it, too, may come to serve its own critical function.

Though Unbound may represent a potential challenge, BIND author Paul Vixie isn't worried.

"We like and have a lot of respect for the people at NLnet Labs, where this was built, and we like the license they chose -- BSD-derived, like ours, and we're happy to have another fellow traveler," said Vixie, who also co-founded Internet Systems Consortium (ISC), which helps to maintain, develop and support BIND.

He told InternetNews.com that although he supposed Unbound could represent a new form of competition to BIND, it's actually a good thing in a broader context.

"Competing to see who can give more software away sounds like it will be good for the community," Vixie said. "ISC, as a public-benefit, non-profit company, is happy that the community will get the boon of this kind of competition."

The competition could also potentially end up making BIND itself better. Considering that Unbound is open source, BIND developers could use code from Unbound if it made sense to do so.

"We have not looked at it yet to see if there are good ideas we can crib, but rest assured, if there's a better way to do something, ISC will study it carefully and learn or adopt what we can from it," Vixie said.

"The final measure of our success is always 'How well does it work?' and never, 'Whose idea was it?'"

VeriSign's Larson added that Unbound is not meant to single out what is wrong with BIND; it is merely about offering an alternative.

"Our main involvement is to give something back," he said.