Diverse DNS Code
TCPWave IPAM comes with ISC’s BIND and NSD. TCPWave has chosen NSD as
a safe alternate name server implementation developed by NLnet Labs
of Amsterdam. NLnet Labs developed NSD in cooperation with the RIPE
NCC from scratch to add variance to the “gene pool” of
DNS implementations used by higher-level name servers and thus
increase the resilience of DNS against software flaws or exploits.
TCPWave’s backup authoritative DNS server software operates as an
authoritative name server in both master and slave configurations.
It is RFC compliant, written from scratch in C, uses a clean
implementation leveraging the OpenSSL library, supports EDNS0, and
supports DNSSEC with NSEC and NSEC3. It has full and incremental
zone transfer handling (AXFR and IXFR), contains source code
updates to securely support dynamic updates from TCPWave’s
IPAM, and supports SNMP. It is not exposed to the BIND
vulnerabilities since the code base is entirely different.

TCPWave has chosen Unbound as a component for the cache appliances
controlled and managed by the TCPWave IPAM. Unbound is a secure
validating, recursive, and caching DNS server primarily developed by
NLnet Labs, VeriSign Inc, Nominet, and Kirei. The binaries are
built from tight C code written with a high-security focus, with
enhancements made by the TCPWave product development team. Unbound’s design
consists of modular components that incorporate features including
enhanced security (DNSSEC) validation, Internet Protocol Version 6
(IPv6), and a client resolver library API as an integral part of the
architecture.