Unbound Wants to Challenge the DNS Monoculture

by Ostatic Staff - May. 20, 2008

With gazillions of sites on the internet, one of the key pieces of infrastructure is the lowly DNS server. If you think about a world where you're required to locate servers by IP address instead of name, you'll quickly appreciate DNS. In the world of DNS servers, BIND is dominant, running over 70 percent of all DNS servers according to a recent survey. Now a relatively new entry in the market, Unbound, wants to change that.

Though it pretty much owns DNS serving, BIND has had its share of security issues. Some of these have been blamed on code quality - the complete rewrite between BIND 8 and BIND 9 was designed to address that. But some are just because it's a big, critical target. Although there are other DNS servers (such as CNS and PowerDNS) with relatively large distribution, they don't challenge BIND's supremacy.

Unbound was developed specifically to create a validating, recursive, and caching DNS server with high performance and good security. Some fairly heavy hitters collaborated in its initial development, including NLnet Labs, Verisign, Nominet, and Kirei. The source code is available, and it's been released under the BSD license to encourage its rapid uptake.

Unbound includes some key features that folks have been wanting to see spread across the next-generation internet, including DNSSEC support. In addition to running as a standalone server, it's also designed to be used as an embedded DNS server in applications.

Without taking anything away from the long-term success of BIND (how many other applications first written in the early 1980s are still playing a key part in the Internet?), it's good to see a serious, open-source alternative available in this market. The more choices there are for running DNS servers - and the more widespread those choices become - the less chance there is of a single vulnerability hurting large portions of the Internet.