Comment by kjellsbells
20 hours ago
I remember Dan Bernstein (djb) being scathing about BIND. To the extent of writing his own DNS suite. Is that all ancient history now?
20 hours ago
I remember Dan Bernstein (djb) being scathing about BIND. To the extent of writing his own DNS suite. Is that all ancient history now?
Most of the criticisms were accurate, if often very, very, very detail-oriented. DJB has always had a few settings: either you're on his level, on his wavelength, or he treats you as maybe bright enough to tie your own shoelaces on a good day.
That said, if you want to run a dns server and don't have huge scalable business to run on it, you can just run tinydns for a couple of decades and not worry about security issues, it just runs. BIND is more complex, and has evolved a lot more to do more because new features are implemented it as the reference, and so it needs to both scale up and out, and also change a lot, and for that, you get https://kb.isc.org/docs/aa-00913. So anyway, you can make up your mind, but my impression as a greying beard is that ISC has always been a risk you usually just need to accept if you need their tools since no-one else is doing anything to dethrone them.
[dead]
I'll let everyone make their own judgement :) https://en.wikipedia.org/wiki/Djbdns
Find something as popular that hasn't been scathed-about; I'll wait
No. Kea is making several of the same mistakes all over again, despite being in a good position to have learned from them.
It yet again runs as the superuser serving requests from potentially hostile clients. In fairness, a lot of DHCP servers do this; but Kea development was in a position to have learned the ideas about using unprivileged dæmons, having started years later than them. Instead, its documented approach to running as some other account is to add some of the superuser's privileges to Kea, completely missing the point of running large complex programs without privileges, which was a major long-standing criticism of BIND and Sendmail that didn't just come from Daniel J. Bernstein.
* https://kea.readthedocs.io/en/latest/arm/install.html#runnin...
It's interesting that systemd is mentioned there, because a socket unit would have had systemd doing the privileged opening of the sockets with low-numbered UDP ports, and the dropping of privileges, before starting up Kea. But Kea (again, like many of the pre-systemd DHCP servers like the WIDE one or the BusyBox one) opens and listens on sockets itself, and has no attempt at enabling use of systemd's mechanism in this regard.
There is still the old flawed mechanism of PID files liberally sprinkled around, too.
* https://github.com/isc-projects/kea/blob/048b1e9b1acbb0ff962...
And of course, Kea took some of the BIND 10 code. There is a lot of continuation of long standing BIND Think in Kea, alas.
There's so much promise to the idea of having DHCP servers use shared database back-ends, but it's spoiled by all of the continued BIND Think and things like having an HTTP server with JSON parser in all of these superuser-privileged dæmons. One of these days, someone will actually run with the idea that I mentioned somewhen in the early 2000s: a DHCP server that shared a common database with a content DNS server. No notification messages for mapping updates, no little shim dæmons, just serving out the information in the shared database directly, complete with (say) TTLs that match the lease expiry times.
People have danced around this idea for a long time, but never quite fully hit it. PowerDNS can use custom database back ends, for example, but people still have not fully run with that and instead ended up with a DHCP server with a database sending potentially dropped notifications over a terrible protocol to a content DNS server also with its own separate database back end.
* http://tuxad.com/txdyn-doc.html
* https://holland-consulting.net/tech/dhcp-dns.html
* https://github.com/AliveDevil/pdns-dhcp
* https://gitlab.isc.org/isc-projects/kea/-/issues/1409
Microsoft Windows Server's DNS server with AD integration perhaps came the closest, but even with that the out-of-the-box setup had things like DHCP clients sending (some of) the update notifications.
> Instead, its documented approach to running as some other account is to add some of the superuser's privileges to Kea [...]
Not disagreeing, just want to mention that Kea can run fine without privileges, which is also documented at the link provided. Key is to use DHCP relaying, a technique which becomes relevant quickly in larger setups anyways because you cannot (or don't want to) give the DHCP server access to all subnets: Instead of the DHCP server(s) processing local requests, DHCP relaying agents encapsulate and unicast-forward the whole DHCP request-response traffic to centralized DHCP instance(s). Those relaying agents (on switches/routers) do require privileges but potentially posing a smaller attack surface due to being much simpler. Sadly, ISC has not made a successor dhcprelay as part of Kea, but luckily systemd-networkd implements the RelayTarget parameter, adding this capability (at least for IPv4).
> It's interesting that systemd is mentioned there, because a socket unit would have had systemd doing the privileged opening of the sockets with low-numbered UDP ports, and the dropping of privileges, before starting up Kea.
Can systemd give you the raw sockets you need to answer DHCP on a local network?
One rather annoying thing that ISC dhcpd couldn't do was reload its config file without a full restart (and I believe Kea can). That's pretty hard to do if you insist on someone else opening sockets for you, although you could of course demand a restart in this case.
TBH my problem (well, one of my problems) with Kea is more that it's _too_ many different daemons that you have to configure separately and get to talk to each other, and it's not immediately obvious if any given configuration is secure or not (e.g., can others open a socket of the same name?).
Does systemd socket activation even work with broadcast packets? One of the things a dhcp server needs to do is respond to DHCPDISCOVER packets, which are sent to the all-broadcast 255.255.255.255 .
There's nothing stopping it. systemd doesn't do anything particularly special when opening a datagram socket that magically prevents it from receiving broadcast datagrams. There's no difference between Kea opening the socket and systemd opening the socket, except that systemd can do it and then drop privileges before Kea is loaded and run.
Or could do it.
If it weren't that Kea has no mechanism for taking and just using an already-open socket.
Remember that Accept in a socket unit has no meaning for ListenDatagram sockets. There's no waiting for incoming connections before activation going on.
If you're asking about the detailed internals of what systemd does with BPF and how that meshes with what Kea does, then I leave that to be answered by the systemd and Kea people. (-: