Open source DNS server takes on BIND  

Posted by Daniela Mehler

Four companies led by Dutch non-profit NLnet Labs have launched an open source, Linux-compatible DNS (Domain Name System) server. "Unbound," which is also sponsored by VeriSign, Nominet, and Kirei, claims to offer a validating, recursive, and caching DNS server that is faster than the open source DNS mainstay BIND.

Targeted primarily at ISPs and enterprise users, Unbound will also be available for embedding in customer devices such as dedicated DNS appliances and ADSL modems, say the developers. A DNS server ties domain names to the IP addresses and other information required by Web browsers, driving Internet-related services including browsing, email, messaging, and VoIP.

Since the 1980s, the open source BIND (Berkeley Internet Name Domain) has been the de facto DNS standard in the Unix and Linux worlds. Last year, BIND was updated to version 9, adding support for DNSSEC (DNS Security Extensions), a security enhancement to the DNS protocol that protects against attacks such as DNS cache poisoning.

DNSSEC support is also a central focus of Unbound. The DNS server provides a modular architecture, and is claimed to be faster, more secure, easier to use, and more flexible than BIND. Like BIND, Unbound is released under a BSD license.

The Unbound project was originally developed in 2004 by Jakob Schlyter of Swedish DNS consultancy Kirei, and Roy Arends of British Internet non-profit Nominet. The project was initially funded by Internet infrastructure services vendor VeriSign, and Internet consultancy and services provider EP.Net. At VeriSign, David Blacka and Matt Larson developed a Java-based prototype, but it was decided that a C version would be needed to achieve the required performance.

In late 2006, NLnet Labs joined the group and took over development of a C-based version. An R&D spinoff of the Dutch non-profit NLnet Foundation, NLnet Labs was founded to develop new protocols and applications for the Internet, in particular related to DNS, DNSSEC, IPv6, and routing.

Stated Wouter Wijngaards, lead Unbound developer at NLnet Labs, "We have placed extra attention on security features, particularly since DNSSEC is not yet deployed widely. Unbound provides defenses against forgery while suffering minimal degradation in performance. In addition, we have worked hard to produce well documented, readable, and elegant code. With that we try to make the barrier for security audit and code review as low as possible."

Stated Matt Larson, director of DNS Research at VeriSign, "The prototype was too promising to shelve. We were happy NLnet Labs could commit to the development of the C version of Unbound. NLnet Labs has the appropriate expertise and are committed to continue support for Unbound."


Unbound 1.0 is available for free download under a BSD license from the Unbound site. NLnet Labs offers support for Unbound through a bug-tracking system and user mailing lists, and promises to provide two years' warning if the company ever decides to cease providing support. Unbound runs on POSIX-based operating systems such as Linux, MacOS X, FreeBSD, and Solaris, says the group.
