What is Win2000's BIND version?

Thread starter: David Adner
KP> It has some very nice diagnostic tools that Windows lacks,
KP> though, like dig and nsupdate.

Whilst, conversely, Microsoft's DNS server is far better documented than ISC's
BIND is. (In respect of the vendor-supplied documentation, Microsoft's DNS
server is the best documented of those that I have encountered, with "djbdns"
coming second. ISC's BIND is actually quite poorly documented in comparison
to either. Taking third-party books into account as well, Microsoft's DNS
server is _still_ better documented than ISC's BIND.)

It's a bit tricky to class "nsupdate" as a diagnostic tool, by the way. I've
encountered softwares (DHCP clients) that use it for the purpose of adding
data to the DNS database, rather than as a diagnostic tool.
 
NC> Except (possibly) for djbdns ( http://cr.yp.to/djbdns.html ) all
NC> the DNS in popular (96%) use are related directly or indirectly
NC> to the original (or a later derivative) of the BIND structure or
NC> code.

I don't know whence you obtained that 96% figure, but the only survey
done in recent years whose results I've seen actually published puts BIND 4,
8, and 9 combined at 75% (of the servers that actually responded), with
"djbdns" at 8.5%, eNom DNS server at 3%, with the remainder being either
unidentifiable or softwares with a 1% or less share.

<URL:http://cr.yp.to/surveys/dns1.html>

Bill Manning claims to still do a survey every quarter year, but, despite mine
and others' repeated requests, has not published the results of any of his
surveys later than the 2000Q2 one, which was around the time that "djbdns"
properly entered the picture, so really cannot be counted on to reflect the
current situation at all. However, this out of date survey appears to be a
possible source for your 96% figure.

<URL:http://www.isi.edu./~bmanning/in-addr-versions.html>

Both of these surveys are, of course, surveys of content DNS servers. No-one
has done a survey of proxy DNS servers (where, I suspect, Microsoft's DNS
server would actually have a significant share), or even come up with a method
of performing such a survey.
 
NC> Except (possibly) for djbdns ( http://cr.yp.to/djbdns.html ) all
NC> the DNS [servers] in popular (96%) use are related directly or
NC> indirectly to the original (or a later derivative) of the BIND
NC> structure or code.

It's not just a possibility. "djbdns" is definitely not related to BIND.
And, actually, it's not just "djbdns" that is not based upon BIND code. There
are quite a lot of DNS server softwares that aren't derivatives of BIND.

Moreover, it's not just "djbdns" that (in contrast with Microsoft's DNS
server) doesn't imitate the BIND all-of-the-hats-at-once design, either. For
example: PowerDNS doesn't.
 
NC> MS does not currently have as strong options for security when
NC> jumping into public DNS (internet) as could_be accomplished.

I mostly disagree. The options for security are largely equivalent to, and
have the same strength as, those in BIND. Microsoft's DNS server has security
against cache pollution, which is now (at last) enabled by default, allowing
it to be used as a secure resolving proxy DNS server; and it can be made into
a secure content DNS server in the very same way that one makes BIND into a
secure content DNS server, by disabling recursion entirely.

I would agree insofar as it is impossible to have multiple different instances
of Microsoft's DNS server, providing different DNS services, listening on
different IP addresses on a single machine; something which is dead easy with
some other DNS server softwares, and at least possible (albeit not easy to set
up) with ISC's BIND.

Which leads on to an area where Microsoft's DNS server is significantly
deficient: "split horizon" DNS service. It needs some form of database record
tagging and client differentiation mechanism. (This would actually put it
ahead of BIND's "views" mechanism.)
 
Herb Martin said:
Just the management snap-in or the DNS server functionality also?

One thing nice for the DNS snap-in would be an "easy export/import
configuration" mechanism -- might be more trouble and work than the value
but it would be nice.

Export (all zones OR by checkbox) and import them on another server.
(Probably not that hard either.)

Good feedback, that does sound like it would be a useful feature to add.
I'll see if I can get project management to make that change for the next
version.

I personally own testing of the DNS Manager snapin, but I do work closely
with the DNS team and will make sure that they see any comments that you
have about the DNS Server.

Thanks!
 
Jonathan de Boyne Pollard said:
MSM> I would love to hear any comments, complaints, missing features,
MSM> or other improvements that anyone would like to see in the DNS
MSM> Manager snapin.

That's the thing, though. Your request is somewhat blinkered. It's not just
the DNS Manager Snap-In that needs improvement. One of the areas where
Microsoft's DNS server is in serious need of improvement is, as Kenneth
pointed out, in the area of _textual_ diagnostic tools. "nslookup" simply
doesn't cut the mustard. (After all, it's even been deprecated by the very
people that wrote it.) Microsoft's DNS server needs a good DNS diagnosis
tool, without any of the numerous flaws that "nslookup" has, and with a
_textual_ user interface so that its output can be copied and pasted into a
newsgroup posting.

Microsoft's DNS server needs an equivalent to "dnsqr", "dnsq", "dig",
"dnsquery", "dnsqry", and "askmara" (which are some of the various such tools
that come bundled with _other_ DNS server softwares).

Thank you! I'll make sure that the appropriate people see this.

I initially asked specifically about DNS Manager because I own testing of it
and want to make sure that we make the needed changes in the next version to
meet your needs. I do, however, work with the DNS server and client team
and will make sure that they hear any feedback that you have about it too.
 
I personally own testing of the DNS Manager snapin, but I do work closely
with the DNS team and will make sure that they see any comments that you
have about the DNS Server.

Here's my short list for the DNS server itself:

Add IP-subnet ACLs a la BIND 9 (not to be confused with NTFS or object ACLs) on a per zone basis
Add (along with the above) Views so that a zone can be defined with multiple views (see BIND 9)
Add the ability to Pre-Load and Save the Cache file (BIND 9)
Add the ability to use multiple ROOTS (in parallel) with a NXDomain having no effect unless returned by BOTH (all)
Add the ability to both FORWARD and use ROOT hints for actual recursion in a (private) DNS namespace IN PARALLEL and with NXDomain having no effect unless BOTH (all) give that result
Add full DNSSec support (way down on my list of stuff) for compatibility with BIND

All of the above will make solving multiple namespace issues easier and
eliminate the problem of having to create multiple DNS servers (especially in
small companies) and to simplify a vast range of DNS architecture problems.
 
Jonathan is right about one thing -- NSLookup.

Don't remove it but fix that (default) behavior where the "real scary"
message is given for merely being unable to reverse the server IP to name.

Add Dig or something similar too. Make all of these available for all
supported OSs. (Win9x, NT etc.)

I would also like a "search and replace" in the GUI so that all addresses
could be either Found or actually Modified... (but that is "bigger" and my
idea of export and import could work if you made the export format a TEXT
FILE.)
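The "query several resolution paths in parallel, and treat NXDomain as final only when every path returns it" rule from Herb's list, as an added illustration that is not code from the thread or from any DNS server named in it. The two "paths" (a forwarder and a private root-hints recursion) are constructed lookup tables; the choice of SERVFAIL when one path fails outright rather than answering is my assumption, since the list does not say what to do in that case.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for two independent resolution paths. Each maps a
# name to an rcode plus answers: "NOERROR" (with rdata), "NXDOMAIN", or
# "FAIL" (timeout / SERVFAIL from that path). Names and addresses are made up.
PATHS = {
    "forwarder": {
        "www.example.test.":   ("NOERROR", ["192.0.2.10"]),
        "host.corp.internal.": ("NXDOMAIN", []),
        "flaky.example.test.": ("FAIL", []),
    },
    "private-roots": {
        "www.example.test.":   ("NXDOMAIN", []),
        "host.corp.internal.": ("NOERROR", ["10.0.0.7"]),
        "flaky.example.test.": ("NXDOMAIN", []),
    },
}

def query_path(path, name):
    """Ask one resolution path; names it has never heard of are NXDOMAIN."""
    return PATHS[path].get(name, ("NXDOMAIN", []))

def combine(results):
    """Merge per-path results under the wish-list rule.

    Any positive answer wins (answers from several paths are unioned in
    order, without duplicates). NXDOMAIN is returned only when every path
    said NXDOMAIN. Assumption: a path that failed cannot vouch for the
    name's non-existence, so a FAIL plus an NXDOMAIN becomes SERVFAIL.
    """
    answers = []
    for rcode, rdata in results:
        if rcode == "NOERROR":
            answers.extend(a for a in rdata if a not in answers)
    if answers:
        return ("NOERROR", answers)
    if all(rcode == "NXDOMAIN" for rcode, _ in results):
        return ("NXDOMAIN", [])
    return ("SERVFAIL", [])

def resolve_parallel(name, paths=tuple(PATHS)):
    """Query all paths concurrently, then combine their verdicts."""
    with ThreadPoolExecutor(max_workers=len(paths)) as pool:
        results = list(pool.map(lambda p: query_path(p, name), paths))
    return combine(results)

if __name__ == "__main__":
    for n in ("www.example.test.", "host.corp.internal.",
              "flaky.example.test.", "nowhere.test."):
        print(n, resolve_parallel(n))
```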
 
Both of these surveys are, of course, surveys of content DNS servers. No-one
has done a survey of proxy DNS servers (where, I suspect, Microsoft's DNS
server would actually have a significant share), or even come up with a method
of performing such a survey.

Especially if you consider all the Win98/ME and Pro ICS machines acting as
caching only DNS servers (they are.)

Many of the MS NAT servers are probably doing this too (although it must
be turned on.)
 
It's not just a possibility. "djbdns" is definitely not related to BIND.
And, actually, it's not just "djbdns" that is not based upon BIND code. There
are quite a lot of DNS server softwares that aren't derivatives of BIND.

Jonathan is correct. If you think the MS vs. Linux or BIND vs. MS-DNS
arguments are heated, you should read some of the BIND vs. DJBDNS
articles.

Those folks come right out and accuse each other of lying.
 
Michael Snyder said:
I would love to hear any comments, complaints, missing features, or other
improvements that anyone would like to see in the DNS Manager snapin.
Either in a newsgroup post, or feel free to remove the online from my email
address and send directly to me.

I'll make sure the feedback is used in the consideration of the design of
the Longhorn version.

I know it's not necessarily a DNS Manager snapin thing only, but one of
the features our DNS folks like is the ability to provide a brief
annotation to each record (if desired). This allows them to provide
basic info surrounding the record, such as who created it, why, what
it's used for, etc. NetWare's DNS provides this feature and it's
something I miss in MS's DNS. Trust me, I much prefer MS's DNS, but
this is something I'd like to see added in.

This one might be more DNS Manager snap-in related. When I deploy an
additional AD-integrated DNS server, I simply install the DNS Server
service on a DC and the zones automatically show up. Well, if I then
single-click on the server in the left-hand pane, the right-hand pane
prompts to "Configure this DNS server" or something like that instead of
immediately showing the zones. If I actually go through the Configure
this DNS Server wizard, it prompts to create forward/reverse lookup
zones. It'd be nice if there was a way to say "already configured" or
something like that. Hope this all makes sense.

It's nice to see you interested like this. :)
 
Michael Snyder said:
Thank you! I'll make sure that the appropriate people see this.

I initially asked specifically about DNS Manager because I own
testing of it and want to make sure that we make the needed changes
in the next version to meet your needs. I do, however, work with the
DNS server and client team and will make sure that they hear any
feedback that you have about it too.

Michael, all these suggestions are awesome by Jonathan and Herb and would
look forward to seeing them. Wonder about the reality of actually seeing
these as an SP release or update for W2k3 and not just for a future OS
version release?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
MSM> Thank you! I'll make sure that the appropriate people see this.

If they ask what the flaws in "nslookup" are, that any new tool
should avoid duplicating:

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/nslookup-daft-error-message.html>
<URL:http://groups.google.com/[email protected]>
<URL:http://groups.google.com/[email protected]>
<URL:http://groups.google.com/[email protected]>
<URL:http://groups.google.com/[email protected]>
<URL:http://groups.google.com/[email protected]>
<URL:http://groups.google.com/[email protected]>

Also remind them that when it comes to detailed output (that people
are going to be copying and pasting into newsgroup postings), a single
resource record should not occupy more than one line, and extraneous
chaff (like version numbers, copyright strings, and "here is the
next bit" lines) is simply more rubbish to scroll past. Small is
beautiful:

[C:\]dnsqry /server:a.ns.yp.to a cr.yp.to
[0.0.0.0:0000] -> [131.193.178.181:0035] 26
Header: 0001 1+0+0+0, Q, , query, no_error
Question: cr.yp.to. IN A

[131.193.178.181:0035] -> [0.0.0.0:0000] 109
Header: 0001 1+1+2+2, R, AUTH, query, no_error
Question: cr.yp.to. IN A
Answer: cr.yp.to. IN A 86400 131.193.178.160
Authority: yp.to. IN NS 259200 a.ns.yp.to.
Authority: yp.to. IN NS 259200 b.ns.yp.to.
Additional: a.ns.yp.to. IN A 259200 131.193.178.181
Additional: b.ns.yp.to. IN A 259200 131.193.178.160

[C:\]dnsquery -n a.ns.yp.to -t a cr.yp.to
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23678
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; cr.yp.to, type = A, class = IN
cr.yp.to. 1D IN A 131.193.178.160
yp.to. 3D IN NS a.ns.yp.to.
yp.to. 3D IN NS b.ns.yp.to.
a.ns.yp.to. 3D IN A 131.193.178.181
b.ns.yp.to. 3D IN A 131.193.178.160
[C:\]
 
MSM> I do, however, work with the DNS server and client team
MSM> and will make sure that they hear any feedback that you
MSM> have about it too.

Then my other suggestion for improvement would be the ability to tag
individual resource records in the database with a tag denoting the
record's scope, and to classify clients into matching scopes by their
IP address. The responses sent to a client would be constructed based
upon the resource records in the client's scope (and the "global"
scope).

You could, of course, mimic BIND's "views" mechanism. However, a
record tagging mechanism is both simpler (even just in terms of
implementation, because it doesn't require the invention of extra
supporting mechanisms, such as structures for handling multiple
"zones" with the same apex) and superior (because, for one thing,
it has a much finer granularity, and thus requires less copying of
data around the place by an administrator).

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html#TaggedRecords>
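The record-tagging scheme described above (each resource record carries a scope tag, clients are classified into a scope by source IP, and a response is built from the client's scope plus the "global" scope), as an added worked example; it is not code from the thread or from the linked page. The database, networks and scope names are constructed, and the NXDOMAIN/NODATA distinction for names a client cannot see is my reading of how such a scheme would behave, not something the post spells out.

```python
import ipaddress

# Constructed sample database: (owner name, type, rdata, scope tag).
# "global" records are visible to every client; other tags only to clients
# classified into that scope. All names and addresses are made up.
RECORDS = [
    ("www.example.test.",      "A",  "192.0.2.10",            "global"),
    ("www.example.test.",      "A",  "10.0.0.10",             "internal"),
    ("intranet.example.test.", "A",  "10.0.0.20",             "internal"),
    ("mail.example.test.",     "A",  "192.0.2.25",            "global"),
    ("mail.example.test.",     "MX", "10 mail.example.test.", "global"),
    ("dev.example.test.",      "A",  "10.1.0.5",              "lab"),
]

# Client classification by source address: first matching network wins,
# so the more specific lab network must be listed before 10/8. A client
# matching nothing sees the global scope only. Note that the decision
# rests entirely on the packet's source IP.
CLIENT_SCOPES = [
    (ipaddress.ip_network("10.1.0.0/16"), "lab"),
    (ipaddress.ip_network("10.0.0.0/8"),  "internal"),
]

def classify_client(client_ip):
    """Map a client's source IP to exactly one scope name."""
    addr = ipaddress.ip_address(client_ip)
    for net, scope in CLIENT_SCOPES:
        if addr in net:
            return scope
    return "global"

def resolve(name, rtype, client_ip):
    """Return (rcode, [rdata, ...]) as seen from this client.

    Only records tagged with the client's scope or "global" exist from the
    client's point of view: a name whose records all sit in another scope
    is NXDOMAIN for it, while a visible name with no record of the asked
    type yields an empty NOERROR (NODATA) answer.
    """
    visible = {"global", classify_client(client_ip)}
    in_view = [r for r in RECORDS if r[0] == name and r[3] in visible]
    if not in_view:
        return ("NXDOMAIN", [])
    answers = [rdata for (_, t, rdata, _) in in_view if t == rtype]
    return ("NOERROR", answers)

if __name__ == "__main__":
    for client in ("198.51.100.7", "10.0.0.50", "10.1.0.9"):
        print(client, classify_client(client),
              resolve("www.example.test.", "A", client),
              resolve("intranet.example.test.", "A", client))
```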
 
JdeBP> It's not just a possibility. "djbdns" is definitely not
JdeBP> related to BIND. And, actually, it's not just "djbdns"
JdeBP> that is not based upon BIND code. There are quite a lot
JdeBP> of DNS server softwares that aren't derivatives of BIND.

HM> Jonathan is correct.

I didn't mention the subject of the arguments that people have, though. I
just talked about the relationships (or lack of them) between the softwares.

HM> If you think the MS vs. Linux or BIND vs. MS-DNS arguments
HM> are heated, you should read some of the BIND vs. DJBDNS articles.
HM>
HM> Those folks come right out and accuse each other of lying.

Saying that someone is lying is not necessarily a bad thing, of course, if
they actually _are_ lying. It is not so much the accusation of lying that
casts such a discussion in a bad light, but more the fact that in such a
discussion people will actually stoop to lying in the first place.

And whilst there is a lot of ignorance (especially on the part of those people
who only know BIND and that haven't even conceived the notion of DNS server
softwares operating differently to the way that BIND operates), discussion
arising from that ignorance, and too much uncritical acceptance of what the
authors of a software say as gospel truth, the actual lying is limited to a
very few people.

Also: The difference between the "BIND versus 'djbdns'" and "BIND versus
Microsoft's DNS server" arguments is that there is no-one from Microsoft who
steps up and says "No. What you are saying about my software and about the
DNS is false.". I've seen the same "That software doesn't comply with DNS
standards whereas BIND does." denigration made about both "djbdns" and
Microsoft's DNS server (and, indeed, about other non-BIND DNS server softwares
as well). Only in the case of "djbdns" has such disparagement been actually
challenged to a great extent.

On the gripping hand, however, I disagree with you. I've seen far worse in
the operating system debates than I've _ever_ seen in the DNS server software
debates. You should have put it the other way around: If you think that the
"BIND versus 'djbdns'" arguments are heated, you should see the operating
system debates.
 
"Ace Fekay [MVP]" said:
In Michael Snyder [MSFT] <[email protected]> posted their thoughts,
Thank you! I'll make sure that the appropriate people see this.

I initially asked specifically about DNS Manager because I own
testing of it and want to make sure that we make the needed changes
in the next version to meet your needs. I do, however, work with the
DNS server and client team and will make sure that they hear any
feedback that you have about it too.

Michael, all these suggestions are awesome by Jonathan and Herb and would
look forward to seeing them. Wonder about the reality of actually seeing
these as an SP release or update for W2k3 and not just for a future OS
version release?

<snip>

I agree, and want to thank Jonathan and Herb for their excellent
suggestions!

We normally don't add new features in SP releases. Decisions like this are
made much higher up the organizational management chain, and I can't say
what our future priorities will be, but fixing security for current
customers is very important to Microsoft today.

Aside from that, I can't say.

I will push to have these issues considered and fixed as soon as possible,
but I don't know if that will be Server SP1, two major versions from now, or
somewhere in the middle.
 
AF> Wonder about the reality of actually seeing these as an SP
AF> release or update for W2k3 and not just for a future OS
AF> version release?

.... or (in the case of the better DNS diagnosis tool that I mentioned) even in
a resource kit.
 
<snip>

I agree, and want to thank Jonathan and Herb for their excellent
suggestions!

We normally don't add new features in SP releases. Decisions like
this are made much higher up the organizational management chain, and
I can't say what our future priorities will be, but fixing security
for current customers is very important to Microsoft today.

Aside from that, I can't say.

I will push to have these issues considered and fixed as soon as
possible, but I don't know if that will be Server SP1, two major
versions from now, or somewhere in the middle.


Makes sense, and yes, I do understand Security is a priority. I guess
hopefully that this wish list will be all part of it one day soon.
Thanks Michael,

:-)

Ace
 
In Jonathan de Boyne Pollard <[email protected]> posted their
thoughts, then I offered mine
On the gripping hand, however, I disagree with you. I've seen far
worse in the operating system debates than I've _ever_ seen in the
DNS server software debates. You should have put it the other way
around: If you think that the "BIND versus 'djbdns'" arguments are
heated, you should see the operating system debates.

I think the OS debates will continue forever, just as some of the ongoing
conflicts that are going on in our world will have no end.

 
Saying that someone is lying is not necessarily a bad thing, of course, if
they actually _are_ lying. It is not so much the accusation of lying that
casts such a discussion in a bad light, but more the fact that in such a
discussion people will actually stoop to lying in the first place.

Liars should be exposed -- no politeness required, JUST THE FACTS.

The point was that the arguments among THOSE folks have degenerated to
the point where EACH claims the other side is lying, which virtually
guarantees that one or both sides is doing so.

And whilst there is a lot of ignorance (especially on the part of those people
who only know BIND and that haven't even conceived the notion of DNS server
softwares operating differently to the way that BIND operates), discussion

Yes, someone knowledgeable posted that "BIND was a reference implementation"
in this thread or a nearby one -- not so, and this is a mistaken impression of
BIND. It might be a de facto implementation but it is not an official
reference implementation.

The versions of BIND don't even all do the same thing -- and many of these
are not just the addition of features in later versions. Features appear and
disappear as the version number increases.
 