Goodbye, djb dnscache

April 23, 2013

I've been using djb's dnscache for what is now a very long time; the dates on some old scripts suggest that I started using it on both my home and office machines no later than some time in the summer of 2004. At the time I switched to using it as my local recursive DNS server it was for the same reason that I imagine any number of other people have; to put it simply I was tired of Bind being a pig. Dnscache promised (and delivered) much lower and more efficient memory use, which very much mattered on the machines that I had in 2004.

This weekend, I turned dnscache off on my home machine (it's been off on my office machine for some time). There wasn't any particular immediate reason to do so, no specific thing I cared about that dnscache was failing me at, no unpatched security hole (that I know about), nothing like that. My direct reason for making the switch was that I've been worried for some time about how dnscache was going to deal with the growing new worlds of IPv6 and DNSSEC, or more accurately I was pretty sure that it wasn't going to do so very well.

But the larger reason is that djb's software is effectively dead software, dnscache included. Perhaps there are some people hacking on it somewhere, but the canonical source (djb himself) has walked away from it. As I wrote about qmail, the reality is that software on the Internet rots if not actively maintained because the Internet itself keeps changing. It was clear to me that I could either wait quietly until dnscache blew up in some obvious way or I could change over to something else. The something else might not be as pure or as minimal as dnscache but it wouldn't be quietly rotting, and some of the minimal purity of dnscache no longer matters on today's machines.

On my office machine I made the switch in late 2010 (judging from the last timestamps on dnscache's query logs and, now that I look, this old entry). I dragged my feet on my home machine for various reasons, partly laziness, but finally decided that it was time this weekend. There's a part of me that regrets this because it likes the purity and minimalism of dnscache, but the greater part of me knows that this is the sensible course. Still, I'll miss dnscache a bit. And it certainly served faithfully for all of these years.

(For those that are curious, I switched to Unbound, as suggested in that old entry.)

PS: I'm still running djb's tinydns for some primary DNS serving, but I suppose I should look into a replacement. It's just that I've hated all of the primary DNS servers I've ever looked at even more than I hate the various recursive caching nameservers. And there's also the security issues. My recursive nameservers are not exposed to the Internet; my primary DNS servers necessarily are.


Comments on this page:

From 64.235.151.250 at 2013-04-23 09:55:56:

I'm a big fan of PowerDNS. It does both authoritative DNS and recursive resolver - using two different daemons. It's fast, it's easy to set up, and it's very actively maintained. (It does handle DNSSEC, IPv6, etc. properly.)

Written on 23 April 2013.


Last modified: Tue Apr 23 00:41:16 2013