Hi Jan,
On Oct 23, 2013, at 10:50 , Jan Včelák wrote:
>> So, while I'm well aware that this is not what is currently being planned
>> for Knot-DNS, this is my view on the topic:
> I quite understand your motivation and your arguments are very reasonable.
Thank you.
> However some people just want an all-in-one solution for DNS and DNSSEC, which
> will work out of the box - that's our current goal.
Which is fine. I'm fully aware that many people want that. And some people want their
own pony. And lower taxes. ;-)
I'm also aware that many people would like to continue to just use BIND9 forever,
because BIND9 is the ultimate all-in-one-solution... only the world has come to understand
after BIND9 was designed that "all-in-one" has serious drawbacks.
To some extent the primary reason that we're here, the reason why we have NSD3/4,
Unbound, Yadifa, Knot-DNS, etc, is because of the drawbacks of the BIND9 all-in-one
alternative, which are increasingly obvious. But ISC really cannot "fix" BIND9,
in spite of being aware of the drawbacks of all-in-one, because of the installed base.
I'd hate to see Knot-DNS go down the same path (and get stuck there, which happens
quickly when there's adoption) when you're starting out late enough to both be
aware of the architectural drawbacks and not be captive to a gigantic installed base.
> I believe that it won't change anything about a future possibility to use Knot DNS
> as you do it now in this master-signer-slave configuration while keeping the same
> robustness.
That's really the core question. Will the addition of lots of stuff that I don't
want in my authoritative servers impact performance? Impact stability? Impact frequency of
bugs? Obviously we don't know yet, but we all hope it'll work out.
> Anyway, thank you for the extensive rationale. We will definitely think about
> the separate "signer".
Please do. From my point-of-view an ideal solution would be one where you had all the
functionality we're discussing (I think everyone is mostly in agreement about that:
auth server, key mgmt, signer, rollover support, etc, etc), but designed in a sufficiently
modular fashion to allow an option to either compile the separate "signer" and a
"clean" authoritative server, or the BIND9-lookalike monolithic combo that
apparently many people want.
Of course that flexibility wouldn't come for free; there's certainly a noticeable
design cost and some maintenance cost associated with it. But it would be much easier to
achieve the earlier you look at that design.
Regards,
Johan