A decade after work first began on version 9 of BIND, the widely deployed open source DNS
It’s a closely watched and long-anticipated overhaul. BIND is widely used by enterprises, ISPs and service providers to resolve domain names to the correct IP addresses.
The upcoming BIND 10 release will focus on usability, extensibility and security improvements. The focus on security is a key one for BIND, especially in light of the Kaminsky DNS vulnerability that affected BIND in 2008, which potentially could have disrupted Internet traffic.
“One of the goals for BIND 10 is to allow people to customize and extend without too much trouble,” Shane Kerr, BIND 10’s program manager at the Internet Systems Consortium (ISC), told InternetNews.com. “Every design decision will be documented in a way that makes sense without having to know the details of the entire system. The same applies to APIs and the code itself.”
The ISC is the lead backer behind BIND, though for BIND 10, the ISC will have plenty of help technically and financially from other parties. Kerr noted that with BIND 10, there is a steering committee that will oversee the direction of the project.
Kerr added that the new committee will mean more formalism in the project management, as well as more overhead and work, but the result should be happier users and higher visibility for the effort being put into BIND.
Sponsors of the BIND 10 effort include Japan Registry Services Co. (JPRS), the Canadian Internet Registration Authority (CIRA) and Afilias, which manages the .org top-level domain (TLD) and uses BIND 9.x as part of its infrastructure.
The effort aims to revamp a critical, yet aging, piece of software that Dave Knight, director of resolution services at Afilias, described as a product of the time in which it was conceived.
“As a response to the security problems of its [BIND 9’s] predecessors, it is a triumph and provides added enhancements that are useful for the concerns of today, such as [DNS Security Extensions],” Knight told InternetNews.com. “But it is a single, monolithic piece of software. At once authority server, caching resolver and standards reference implementation, it lacks the flexibility and easy expandability desired by those trying to build innovative services on top of DNS. With BIND 10, we seek modularity and easy customization as key improvements,” he added.
DNS security
DNS Security Extensions (DNSSEC) is a critical part of the BIND 9.x server, though DNSSEC itself is not yet widely deployed. DNSSEC offers a mechanism for digitally signing a domain’s DNS data so that resolvers can verify its authenticity. The technology has been widely hailed as the ultimate solution to the Kaminsky DNS flaw.
However, among the major top-level domains, currently only .org is signed for DNSSEC.
In BIND 10, a key goal is to make it easier for DNS administrators to actually manage DNSSEC. Kerr said it’ll do that by improving usability.
“There is a lot of missing functionality for DNSSEC, such as full automation of DNSSEC,” he said.
Kerr explained that with BIND 10, it may be as simple as clicking the “sign this zone” button on the administration interface to implement DNSSEC.
It will also provide handholding to admins in other ways.
“BIND 10 might warn administrators when signatures are soon to expire, or indeed have expired,” Kerr said.
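The expiry warning Kerr describes can be derived from data any signed zone already carries: every RRSIG record states the signature’s inception and expiration times. The Python below is an added example, not BIND or ISC code; it parses RRSIG records in zone-file presentation format, compares them against a reference time and classifies each as valid, expiring soon, expired or not yet valid. The zone data, the reference time and the seven-day warning window are constructed assumptions for illustration.

```python
"""Flag DNSSEC signatures (RRSIG records) that have expired or will expire soon.

Added example for illustration; not BIND or ISC code. The zone data below is
constructed, and the signature fields are placeholders: this script checks
validity periods only and never verifies a cryptographic signature.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records in RRSIG presentation format (RFC 4034 section 3.2):
# name TTL class RRSIG type-covered algorithm labels original-ttl
#      expiration inception key-tag signer signature
SAMPLE_ZONE = """
example.test.      3600  IN RRSIG A      8 2 3600  20090920000000 20090821000000 12345 example.test. PLACEHOLDERSIG==
www.example.test.  3600  IN RRSIG A      8 3 3600  20090905120000 20090806120000 12345 example.test. PLACEHOLDERSIG==
mail.example.test. 3600  IN RRSIG MX     8 3 3600  20090830000000 20090731000000 12345 example.test. PLACEHOLDERSIG==
example.test.      86400 IN RRSIG DNSKEY 8 2 86400 20091101000000 20090801000000 54321 example.test. PLACEHOLDERSIG==
"""

# Constructed reference time used by run_sample(); a real check would use "now".
SAMPLE_NOW = datetime(2009, 9, 1, tzinfo=timezone.utc)
DEFAULT_WARN_WINDOW = timedelta(days=7)  # assumed operator policy


@dataclass(frozen=True)
class Rrsig:
    name: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsig_time(text: str) -> datetime:
    """Parse an RRSIG time field: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(text) == 14 and text.isdigit():
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def parse_rrsigs(zone_text: str) -> list[Rrsig]:
    """Extract RRSIG records from zone text; other record types are ignored."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        records.append(Rrsig(
            name=fields[0],
            type_covered=fields[4],
            expiration=parse_rrsig_time(fields[8]),
            inception=parse_rrsig_time(fields[9]),
            key_tag=int(fields[10]),
            signer=fields[11],
        ))
    return records


def classify(record: Rrsig, now: datetime,
             warn_window: timedelta = DEFAULT_WARN_WINDOW) -> str:
    """Return 'not-yet-valid', 'expired', 'expiring-soon' or 'ok' for one RRSIG."""
    if now < record.inception:
        return "not-yet-valid"          # clock skew or a future-dated signature
    if now >= record.expiration:
        return "expired"                # validating resolvers will reject the data
    if record.expiration - now <= warn_window:
        return "expiring-soon"          # re-sign before resolvers start failing
    return "ok"


def check_zone(zone_text: str, now: datetime,
               warn_window: timedelta = DEFAULT_WARN_WINDOW) -> dict[str, str]:
    """Map 'owner/type' to its status for every RRSIG in the zone text."""
    return {f"{r.name}/{r.type_covered}": classify(r, now, warn_window)
            for r in parse_rrsigs(zone_text)}


def run_sample() -> dict[str, str]:
    """Run the check over the constructed zone at the constructed reference time."""
    return check_zone(SAMPLE_ZONE, SAMPLE_NOW)


if __name__ == "__main__":
    for key, status in run_sample().items():
        if status != "ok":
            print(f"WARNING {key}: signature {status}")
```

In practice the input would come from a zone transfer or a signed zone file, and the warning window would be chosen so that re-signing happens well before any cached copy of the old signature expires.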
Release date?
The ISC has been talking about BIND 10 for several years at this point. In 2007, at the time of the BIND 9.4 release, the ISC’s Paul Vixie told InternetNews.com that work was beginning on BIND 10.
Yet BIND 10 development did not get rolling in earnest until now. What happened?
“Between that announcement and now, we’ve been fundraising and creating the framework for the development effort,” Kerr said. “Research had to be done and decisions had to be made about tools, languages, feature order, etc.”
In terms of timing for the actual BIND 10 release, Kerr said that the first deliverable is an authoritative-only server, which is scheduled to be delivered a year from now.
“We expect the total development to take five years, at which point the software will enter maintenance as a relatively mature product,” Kerr said.
The challenges in building the new BIND 10 server are as much about the new technology as about keeping existing BIND 9 users happy.
“BIND 9 is the most successful piece of DNS software ever written,” Kerr said. “ISC needs to ensure that BIND 9 users are happy until BIND 10 is ready to replace it. This means there is a tension between improving the ‘old’ product and working on the ‘new’ one.”
“One of the goals of BIND 10 is that it will be a 100 percent drop-in replacement for BIND 9, but there is always resistance to change in the computer world,” he added.