Diverse DNS Code

TCPWave IPAM comes with ISC’s BIND and NSD. TCPWave has chosen NSD, developed by NLnet Labs of Amsterdam, as a safe alternate name server implementation. NLnet Labs developed NSD from scratch, in cooperation with the RIPE NCC, to add variance to the “gene pool” of DNS implementations used by higher-level name servers and thus increase the resilience of DNS against software flaws or exploits.

TCPWave’s backup authoritative DNS server software is an authoritative name server in both a master and slave configuration. It is RFC compliant, written from scratch in C, uses a clean implementation leveraging the OpenSSL library, supports EDNS0, and supports DNSSEC with NSEC and NSEC3. It has full and incremental zone transfer handling (AXFR and IXFR), contains source code updates to securely support dynamic updates from TCPWave’s IPAM, and supports SNMP. It is not exposed to the BIND vulnerabilities since the code base is entirely different.

TCPWave has chosen Unbound as a component for the cache appliances controlled and managed by the TCPWave IPAM. Unbound is a secure validating, recursive, and caching DNS server primarily developed by NLnet Labs, VeriSign Inc, Nominet, and Kirei. The binaries are written with a high-security focus in tight C code, with enhancements done by the TCPWave product development team. Unbound’s design consists of modular components that incorporate features including enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver library API as an integral part of the architecture.