BSD Help
 
#1  March 28th, 2002, 06:24 PM
freebsd (Contributing User; Join Date: Jan 2001; Posts: 5)
>> there really is no reason to use qmail or djbdns

Umm... WHY NOT? Even if you are just running a standalone workstation you should still install dnscache (part of the djbdns package).

>> but sendmail and bind have no problem with it

Talking about the world's most insecure software:
1) BIND
2) Sendmail

You might think it's just a security issue, but it's not. qmail+djbdns are also more reliable and use memory more efficiently.

>> I don't know why the qmail and djbdns camps are crying about softupdates

Let me repost the link (in case you can't see it in my first post of this thread) -> http://cr.yp.to/qmail/faq/reliability.html#filesystems

Last edited by freebsd : March 28th, 2002 at 06:26 PM.

#2  March 29th, 2002, 05:48 AM
rsowders (Junior Member; Location: Menlo Park, CA; Join Date: Jun 2001; Posts: 16)
>> there really is no reason to use qmail or djbdns

>Umm... WHY NOT? Even you are just running a standalone workstation you still should install dnscache (package of djbdns).

Sure, of course that's a good idea but it's not necessary and besides a caching only DNS server is simple to set up with BIND. BIND has been a part of BSD since before BSD was BSD. It's entirely a matter of opinion as to what software you use to set up your nameserver. There are good reasons to run BIND instead of djbdns, and likewise there are just as many good reasons to run djbdns. BUT if you want to learn the system that is still the backbone of DNS on the internet, then there is no question that you want to learn BIND. It's my opinion, and only my opinion mind you, that if you don't know BIND, because you find it too hard to understand, then you have no business running a nameserver of any kind whatsoever, with djbdns or anything else. Let your ISP handle that.

BTW I don't have to run a cache on every machine, I have one for every segment (14) and all my machines can resolve names in less than .005 sec, that's fast enough for me, and I use BIND.

>> but sendmail and bind have no problem with it

>Talking about world most insecure software:
>1) BIND
>2) Sendmail

(sigh) that's your opinion again trying to pass as fact.

Sounds to me like you're just trolling for flames here, ok I'll bite.
What makes you think that BIND or Sendmail are insecure? These are just old wives' tales handed down from the past. I challenge you to hack a properly configured, recent Sendmail or BIND implementation on a FreeBSD machine. You know what? YOU CAN'T. So until you can demonstrate that you've hacked a major sendmail site or one of the top level root name servers, and can provide proof, you should just drop that attitude. You should not use hearsay as an argument in a technical discussion.

>You might think it's just a security issue, but it's not. qmail+djbdns are also more reliable and use memory more efficiently.

Again with the security jab, see above.
Qmail+djbdns are no more reliable or efficient than BIND and Sendmail. Where's your proof that they are? I for one, and the rest of the internet too, would be very interested in the results of YOUR research. Where is it?

>> I don't know why the qmail and djbdns camps are crying about softupdates

>Let me repost the link (in case you can't see it in my first post of this thread) ->

(sigh) again with another jab, ok I'll bite again. But this is getting tiresome.

Yeah, yeah, I read your link to your so called proof. Maybe YOU should read it again. The author says not to use it, most of the article is about something else entirely. Again without any proof, so it's his opinion again. He is the author of the software so don't use it if you want to run qmail, so what? If your file systems are crashing for no good reason other than power outages you've got bigger problems to worry about than whether you're running softupdates or not. Besides he doesn't even say anything about IDE disks which have write caching turned on by default, or most raid cards that have it on by default too. What about that? Those caches are just as lost during a crash as softupdates. Again my advice is to get a decent UPS and you should have no problems, and small sites don't even need qmail anyway.

You've got to remember the audience that you're speaking to. Most of these people are at very small sites with few if any users. All of these users can get by with the default Sendmail and BIND and softupdates. There is no reason for them to bother with qmail or djbdns. What they get out of the box is plenty good enough, they should learn how to use it first, why go to the extra effort of learning something new when they haven't even learned the basics yet?

You should realize that when you trash a piece of software like Sendmail or BIND you are really trashing the authors of the software and their hard work. Unless you have written something better and can prove it with research, you should not ever ever do that.

I see that you've posted over 2500 emails to these forums. It's beginning to look like quantity is no substitute for quality.

(sigh) let's just agree to disagree here ok. The original topic was for an opinion on softupdates, I've given that and so have you, nuff said. You can even have the last word if you want I don't care.

#3  March 29th, 2002, 09:39 AM
freebsd (Contributing User; Join Date: Jan 2001; Posts: 5)
>> a caching only DNS server is simple to set up with BIND

Easily enough, and surely enough that it has been the most inefficient and insecure part of the BIND software.
1) Reliability: BIND's cache uses too much memory, without bound. A machine running BIND's cache heavily can never have an uptime longer than 10 days when it has insufficient memory.
An equivalent machine that runs dnscache needs 10 times less RAM (64MB vs. 1GB) compared to BIND. Not to mention that the size of the cache is adjustable in dnscache for optimization.

2) Security#1: BIND trusts everyone as if it's running open relay SMTP and there ain't evils in the world. (recursion yes; by default). Therefore, as a result, BIND (even 9.x) is still suffering from DoS seriously.
Security#2: BIND cache caches everything more than you want it to cache. It caches good answers, bad answers, anything. As a result, BIND (even 9.x) is still suffering from Zone Spoofing seriously.

3) Efficiency: BIND's zone record is in ASCII file format (slow) vs. tinydns's cdb binary format.

Just so you know, setting up dnscache is as easy as setting up BIND's cache. Everyone (even on dialup without static IP) should setup dnscache and run it on 127.0.0.1.

>> It's entirely a matter of opinion as to what software you use to setup your nameserver

Of course. And it's a matter of smart vs. dumb. People who run insecure software intentionally are dumb. When you are ready to be a smartass, don't forget to give djb's software a try.

>> if you want to learn the system that is still the backbone of DNS

Unfortunately BIND people (the developers) don't even know anything about DNS. As a result, their software has misled millions of people for years. And that's why 70% of DNS on the internet is somewhat misconfigured, and that's BIND's fault.

>> It's my opinion, and only my opinion mind you

That's why I am here to educate you.

>> all my machines can resolve names in less than .005 sec

Here's a free lesson: in a typical dnscache setup, it's roughly 7000 times faster than BIND's cache. Note, seven thousand.

>> that's your opinion again trying to pass as fact

Because they appear in bugtraq most frequently. No.1 -> BIND; No.2 -> Sendmail.

>> I challenge you to hack a properly configured

The insecurity of BIND is its design, it's a design flaw, thus you can't really fix it but to not use it. As for Sendmail, when they begin to use Maildir mailbox format (to steal the idea from qmail, just like postfix and exim) then that will be a good sign but so far it hasn't happened.

>> would be very interested in the results of YOUR research. Where is it?

Search devshed, I mentioned those several times here. Where else? djb site and google. Do I have to teach you how to RTFM?

>> and small sites don't even need qmail anyway

Most big ISPs in fact run qmail. What makes you (without trying) think that qmail is only for big sites?

>> What they get out of the box is plenty good enough

You might not care much about security but many other people do. That's why here's another free lesson: Go for djbware when you want more security. Of course, only when you are really ready (currently you are not).

>> why go to the extra effort of learning something new when they haven't even learned the basics yet?

Good point. For those who wish to run tinydns as a replacement for BIND's authoritative DNS server, it's suggested to start with BIND for a little while and understand the basics.

>> The original topic was for an opinion on softupdates

Don't forget, you were the one who started the flame on djb vs. BIND/Sendmail.

BTW, how could you make the comparison when you are a non-djb user/administrator? Oh wait, I forgot you are just a newbie and I am here providing you free lessons.

#4  March 29th, 2002, 09:27 PM
rsowders (Junior Member; Location: Menlo Park, CA; Join Date: Jun 2001; Posts: 16)
>That's why I am here to educate you.

Now you're just being funny. LOL You have no idea of my qualifications, I've been doing this long before Steve Jobs stole the GUI concept from Xerox PARC, and before Bill Gates stole it from him. ROTFLOL

>>all my machines can resolve names in less than .005 sec

>Here's a free lesson: in a typical dnscache setup, it's roughly 7000 times faster than BIND's cache. Note, seven thousand.

Just how much faster than .005 seconds is fast enough for you? Yeah, 7000 times faster than that is cool, but who needs it. Only large sites need it but the largest are still using BIND. Why do you suppose that is? Certainly not small users with tiny zone records to start with who don't really have a requirement for it.

>You might not care much about security but many other people do. That's why here's another free lesson: Go for djbware when you want more security. Of course, only when you are really ready (currently you are not).

Again here you go with this garbage, like you could give me lessons. LOL. What makes you think I don't already administer it? I never said I haven't used it in the past or that I am not currently administering sites that use it now. I said that I don't use it, me. Where are you getting these ideas?

>Most big ISPs in fact run qmail. What makes you (without trying) think that qmail is only for big sites?

For your information I've installed qmail, djbdns, sendmail and BIND but only where they are appropriate. I've installed these systems for user bases of 100's to multiple 1000's. I even help to administer a world wide Lotus Notes implementation, which goes way beyond anything sendmail or qmail or exim can begin to imagine, but again the small user doesn't need it so I don't recommend it for them.

I'll say it once again for your benefit. Small sites or new users don't need to use anything outside of what's in the base distribution. They should learn these and then experiment and test with whatever they choose and never take anyone's word for it, whether it's from this forum or some other person's web site. Published scientific results are handy, but even these should be viewed with a jaundiced eye and you should perform your own tests. But, wait you haven't produced anything have you except a lot of opinion and what you've heard others say.

>Don't forget, you were the one who started the flame on djb vs. BIND/Sendmail.

Flame, what flame. I went out of my way to say that I didn't want to start flames. You're the one who's trolling here not me. For your benefit I'll quote it here again.

"I don't know why the qmail and djbdns camps are crying about softupdates, I'm sure they have their reasons though. It's just kind of funny that they also don't tell everyone to turn off write caching on their IDE disks."

How you get a flame bait out of that, only the Lord and you know.

>BTW, how could you make the comparision when you are a non-djb user/administrator? Oh wait, I forgot you are just a newbie and I am here providing you free lessons.

LOL LOL LOL HA HA HA HO HO HO, don't quit your day job there sparky, comedians are starving for work.

I've been doing this for over 25 years now, and getting paid for it, a lot, and I've never been hacked, never been DoS'd, never lost data. But of course compared to you I'm a rank newbie, after all you've posted to this list over 2500 times. Now that is saying something there, with that and 25 cents you might be able to make a phone call to someone who cares. Almost as funny as when they rolled in our brand new PDP-11, oops now I'm showing my age.

>Unfortunately BIND people (the developers) don't even know anything about DNS. As a result, their software has misled millions of people for years. And that's why 70% of DNS on the internet is somewhat misconfigured, and that's BIND's fault.

You are a riot.
It's not BIND's fault if people misconfigure their installation of it. I'll say it once more, without BIND there would be no DNS. How much plainer do I have to say it? You're also quoting god knows whose statistics. Unfounded blather.

LOLOLOLO Stop it you're killing me.

Will you please get back to the thread now. Let's see, your opinion of using softupdates was not to use it at all if I remember correctly. Hmmm, it's installed by default in the base operating system now. You're saying that the entire core group at freebsd doesn't know what they're doing? Maybe you should tell them. You are a member of stable aren't you?

>Unfortunately BIND people (the developers) don't even know anything about DNS. As a result, their software has misled millions of people for years. And that's why 70% of DNS on the internet is somewhat misconfigured, and that's BIND's fault.

You're saying that hundreds of developers over the past 20 years wasted their time with sendmail and BIND, and lied to everyone in the process, and that you know more than them too. BTW I don't remember seeing anyone named freebsd at the RFC meetings, or publishing anything at all. I'll check again...nope you're not listed. I guess they secretly removed your comments too.

You apparently know more than everyone else on the planet about everything.

You are God.
I bow to your kung fu, grasshopper.

#5  March 30th, 2002, 12:21 AM
freebsd (Contributing User; Join Date: Jan 2001; Posts: 5)
First off, don't try to get away by changing the subject back to softupdates, the flame topic has been djbware vs. BIND/Sendmail for the past few posts.

>> 7000 times faster than that is cool, but who needs it

When dnscache outperforms BIND in every way, everyone (except a dumbass like you) should use it.
STOP telling people not to use djbware just because you are technically incapable of handling it. And of course, don't be shy to ask djbware questions and I'll be more than happy to educate you for free.

>> but the largest are still using BIND. Why do you suppose that is?

Like I said, 70% of DNS are misconfigured on the Internet.

>> who don't really have a requiement for it

You're right that djbware is not required and it will never make it to a default install because of djb licensing.
And it's for those who want more security and reliability (not you apparently).

>> What makes you think I don't already administer it?

Stop lying. You obviously don't have a clue about djbware. Why in the world do you have to pretend to be a smartass when you are really a kid.

>> For your information I've installed qmail djbdns

Just don't lie, kid!

>> I've installed these systems for user bases of 100's to multiple 1000's

You don't have to tell us that tiny figure.

>> I even help to administer a world wide Lotus Notes implimentation

If you read the recent article about ORBZ shutting down you'd know Lotus Notes still has way too many bugs.
Oh wait, for a technically illiterate kid like you, you probably have never heard of ORBZ anyway.

>> Small sites or new users don't need to use anything outside of what's in the base distribution

I agree on new users but again, you still think djbware is for large sites, which tells me you really know nothing (but instead pretending to be a djb user) about djbware.
Kid, just so you know, djbware is for small/mid/large sites.

>> I went out of my way to say that I didn't want to start flames

When someone posts a thread title with BSD vs. Linux, that's to start a flame war.
Similarly, you told everyone not to use djbware because it's for large sites, then you told people your strong statement didn't want (but intended) to start a flame? When you talk **** about djbware, a djb fan like me will have to get involved, on purpose to educate you technically illiterate admin.

>> It's not BINDs fault if people misconfigure their installation of it

BIND (even 9.x) has had tons of design flaws, and that'd be BIND's fault.

>> without BIND there would be no DNS

Kid, do you know what BIND stands for?

>> Will you please get back to the thread now

Stop changing our recent subject on djbware. Believe me, you'll be the loser in the djb flame, just because you don't have a clue about DNS.

>> Your saying that the entire core group at freebsd doesn't know what their doing?

My personal statement on softupdates was crystal clear: Do not enable softupdates if at all possible. You will never know if freebsd group will disable softupdates on future releases.

>> and lied to everyone in the process, and that you know more than them too

An average djbware user would know 10 times more about SMTP/DNS/Security than a BIND/Sendmail user. Like I said, BIND developers are plain illiterate on security/DNS. Thanks to djb for his great software.

>> You apparently know more than everyone else on the planet about everything

Nope. Perhaps a little more than rsowders (a kid who tries to be a smart ***), and particularly on HTTP/DNS/Mail/Security topics.

#6  April 1st, 2002, 04:55 AM
rsowders (Junior Member; Location: Menlo Park, CA; Join Date: Jun 2001; Posts: 16)
Although the djbdns FAQ refers to BIND as the Buggy Internet Name Daemon, actually BIND is short for ISC BIND, or Internet Software Consortium Berkeley Internet Name Domain. They're right across the bay from me, and Paul Vixie works about 4 miles down the road. You can tell him he's lied to everyone face to face.

Ok, so far you have called me a dumbass, smartass, kid, a liar. Did I leave anything out there?

I have not called into question your integrity or had to resort to name calling. That is what children do.

It is apparent that you are immature, and incapable of participating in a technical discussion.

I will not stoop to your level on this list. Why should I, it proves nothing. I'm sure anyone who bothers to read any of this has already formed the opinion that you are immature.

I tell you what, I work in Menlo Park, CA. Give me an email contact off list and we can get together and settle this face to face. That is if you are not a coward in addition to being immature.

Besides, you're not afraid of some kid are you? While I am young at heart, I only wish I was still a kid. When Paul Vixie was rewriting BIND in 1988 for DECWRL, I was 35. But it's one thing to spout a lot of insults on a mailing list, and another to do it face to face. So let's get together there Sparky and you can deliver these insults directly.

Oh, and why do you hide behind the pseudonym "freebsd", when you don't agree with their decisions? You do know what a pseudonym is or is that too much English for you to handle?

#7  April 1st, 2002, 05:18 AM
rsowders (Junior Member; Location: Menlo Park, CA; Join Date: Jun 2001; Posts: 16)
This is for anyone who has bothered to read through all of the junk thus far. You might find this interesting. It's a quote from Jim Reid on another article of BIND vs djbdns. It's kind of old, BIND 9.2 is out now.

Well roughly 90% of the world's name servers run BIND. AFAIK all the
important zones in the world - like the root zone and top-level
domains - are served exclusively by BIND. It's also possible to get a
support contract for BIND from my employer, Nominum. IIUC, there is no
professional support infrastructure - contracts, SLAs, 24x7 telephone
assistance, etc - available for tinydns. BIND is a (the?) complete
implementation of DNS and supports the latest standards and features
like EDNS0, DNSSEC and IPv6. Admittedly some of these things are only
in BIND9, which is due out soon. The last time I looked at tinydns, it
only supported a small number of resource record types. [From memory,
SRV records were not supported. There was definitely nothing on DNSSEC
or even TSIG. Or dynamic updates or incremental zone transfer.]
Another issue with tinydns is that it uses different config files -
names and formats - as well as a different format for zone files. This
isn't necessarily a bad thing, but when all the literature - books,
vendor manuals, training courses, Linux HOWTOs, etc - don't mention
tinydns, these obscure formats have an uphill struggle to find
acceptance. The same goes for DNS administration. It's already very
hard to find people with good DNS skills. Most of them will only have
worked with BIND, mainly because of market share, history and
literature. Finding someone who knows DNS and can administer tinydns
will be next to impossible. AFAIK all the UNIX vendors ship BIND with
their OS. None distribute tinydns. If you install tinydns, you'll lose
whatever DNS support your OS provider supplies. I'd also say that
because BIND has been around so long, there's a lot more "real-world"
experience with it: huge zones, high query rates, interoperability
with other implementations, etc, etc. I think this is a major factor
for anyone choosing a platform for doing serious stuff with the DNS.

And all the while djb and others chuck rocks at BIND, BIND just gets
on with the job of handling 90% of the world's DNS queries and keeping
the Internet running. That's not bad going, is it? So if Dan Bernstein
has a low opinion of BIND, maybe he's right and the rest of the world
is wrong. Then again, maybe I'm biased. :-)

#8  April 1st, 2002, 06:08 AM
rsowders (Junior Member; Location: Menlo Park, CA; Join Date: Jun 2001; Posts: 16)
Yet more articles, this one from Linux Security interviewing Paul Vixie and David Conrad. They address some of Dan Bernstein's mudslinging on pages 3 and 4.

Have a look freebsd guy.

http://www.linuxsecurity.com/featur...ad_vixie-1.html

#9  April 1st, 2002, 06:11 AM
rsowders (Junior Member; Location: Menlo Park, CA; Join Date: Jun 2001; Posts: 16)
(empty post)
#10  April 2nd, 2002, 05:24 AM
freebsd (Contributing User; Join Date: Jan 2001; Posts: 5)
>> they're right across the bay from me, and Paul Vixie works about 4 miles down the road.

So what's your point? Are you proud of yourself for living in the Bay Area or what?

>> Ok, so far you have called me a dumbass, smartass, kid, a liar.

Just because you've been lying and exaggerating all over your posts, and only kids would do that.

>> incapable of participating in a technical discussion.

I'm more than capable with my technical knowledge. You, however, keep on telling people to not use djbware because of two reasons:
1) djbware is for big sites
2) why use djbware when BIND/Sendmail comes with your system by default

>> I'm sure anyone who bothers to read any of this has already formed the opinion that you are immature.

I might be a little immature compared to your age. You too are immature to me in technical knowledge. I don't care what you do for a living or how many systems you have administered. I also don't care about your immaturity in technical knowledge. What I do care about is when you post something to mislead readers.
1) You obviously don't know anything about security, else you wouldn't even be promoting webmin to users in your posts here and here. You don't care about security and you can use insecure software all you want, but others don't, so don't mislead users.
2) Next, you lied to everyone by saying you are familiar with BIND and djbware but prefer to use BIND over djbware with a lame reason -> BIND is installed by default, therefore it makes your life easier.
3) Then you started saying qmail is for big sites only and not recommend for small sites or so, just because Sendmail is installed by default.

Just so you know, they are the 3 most insecure software in the UNIX world. So just shut the **** up and stop telling people to not use djbware without a valid technical (not political) reason.

>> and we can get together and settle this face to face

Settle what? You ain't a chick why should I meet you? Hey man, this is just a little flame why in the world do you have to take it so seriously?

>> why do you hide behind the pseudomyn "freebsd", when you don't agree with their decisions?

Come on, you know what a username/nickname is? It can be anything I want. I have been using all 3 BSDs for years and each of them has things I dislike; none seems perfect to me.

>> You do know what a pseudonym is or is that too much english for you to handle?

You better watch out. A teacher saying this in class can be taken to court in no time.
Sorry, English is not my native language. Is the English language the only thing you can outtalk me in? I guess so. You'd be a real jerk when you discriminate against other members' English. Don't forget, I bet you don't know what ???? means either.

>> there is no professional support infrastructure - contracts, SLAs, 24x7 telephone assistance, etc - available for tinydns

Because tinydns requires you to have DNS knowledge beforehand. Therefore, it's not suitable for DNS illiterate admins to use, because they don't meet the technical qualification. As a result, when it comes to support in tinydns, you are really on your own. In fact, robust DNS software doesn't need support, unless you don't know much about DNS.

>> BIND is a (the?) complete implementation of DNS and supports the latest standards and features like EDNS0, DNSSEC and IPv6

I will go over that one by one in a moment.

>> It's already very hard to find people with good DNS skills. Most of them will only have worked with BIND

DNS actually is a rather simple protocol but unfortunately most people only have DNS skills with BIND. That's why 70% of DNS administrators all over the world admittedly don't have deep understanding of DNS. Not to mention when BIND puts a cap on your growing DNS knowledge because BIND developers don't even know much about DNS and security themselves.

>> AFAIK all the UNIX vendors ship BIND with their OS. None distribute tinydns

That's true because djb license prohibits that from happening thus far.

>> BIND just gets on with the job of handling 90% of the world's DNS queries and keeping the Internet running.

If 90% goes to tinydns+dnscache entire Internet would have less crime and less DoS, less zone spoofing, at least on DNS. Systems running BIND could have spent less on hardware and resources if they were to run tinydns+dnscache in the first place, mainly because djbdns concentrates not only on security but reliability and stability.

>> So if Dan Bernstein has a low opinion of BIND, maybe he's right and the rest of the world is wrong.

Now that I'm telling you, djb is the smartest + most knowledgeable UNIX software developer in the world. djbware will never be broken, there has not been a single exploit (remote/local/anything) found in any djbware. Many big ISPs chose qmail over any other MTAs because qmail is more than capable of handling large sites (your only point thus far), not only that, it's also the most secure, stable and reliable MTA on earth. The only thing you can argue against qmail's robustness may just be speed. It might not be the fastest MTA in some situations where you need to do mass mailing frequently.

Last edited by freebsd : April 2nd, 2002 at 05:29 AM.

#11  April 2nd, 2002, 05:25 AM
freebsd (Contributing User; Join Date: Jan 2001; Posts: 5)
continued from previous post...

>> They address some of Dan Bernstein's mudslinging on pages 3 and 4

Okay, page 3:

>> David Conrad: I can't speak to earlier versions of BIND (I wasn't involved in their design), but security was among the core requirements of the BIND version 9 project.

As you can see, Dave mentioned he wasn't involved in BIND's design explicitly so he can keep his reputation, because BIND has always been the world no.1 most insecure software in UNIX world. Now that BIND developers finally realized security is an important goal for 9.X, that implicitly means BIND software had never been secure in the old versions.

Page 4:

>> Paul Vixie: Nothing really comes to mind here, except that Bernstein's software does not support
>> either DNSSEC or TSIG, and as far as I know there are no plans to implement either one. BIND implements both.
>> Even Microsoft implements TSIG

Because dnscache is already using a cryptographic generator. Read here to find out more. As far as TSIG start here.

>> I will note that Bernstein's djbdns does not support DNSSEC, A6, DNAME, bitstring labels, Dynamic DNS, outgoing AXFR, IXFR,
>> and other of the more modern features of the DNS

DNSSEC - Like I said in the past, this is not necessary in djbdns. BIND trusts everyone from anywhere; as a result, BIND 4.X, 8.X, 9.X (earlier patch branch) are still vulnerable to cache poisoning.

dnscache caches data from authoritative servers whose authority can be traced to the roots. Therefore, dnscache will never suffer zone spoofing attacks or cache poisoning. BIND needs all this crypto (DNSSEC and TSIG) because of its poor design flaws (the latest 9.X is the same).

A6 + DNAME + bitstring + IPv6 - There is no need to support those because of compatibility problems with the current DNS implementations worldwide. Check here. More than likely they will never gain acceptance, thus it's useless to support something that has never been accepted. You can call those features, but I call them garbage.

Dynamic DNS, IXFR - With the tinydns zone format you can easily do that with a simple script. Why call this a new feature in BIND when it can be implemented so easily?

outgoing AXFR - It's supported in ucspi-tcp (a djbware). For incoming that'd be axfrdns (from djbdns package).

BTW, just to name and illustrate a couple of design flaws in BIND to readers and maybe to you:

1) BIND has been using a so-called zone transfer implementation for the slave to sync the zone from its master. This is just a matter of copying the zone record from master to slave, and that's it. So you actually can ftp, scp, rsync or whatever way you wish, just to accomplish a simple file copy from one box to another. Therefore, djbdns recommends users use rsync over ssh instead. That also means there really is no such thing as a zone transfer on earth.

2) Please note that many people use confusing terminology because of BIND, which integrates a caching DNS resolver and a DNS server into one package, making people say "DNS server" when they are really talking about a "DNS resolver" (actually a client). The most serious design flaw in BIND is its DNS resolver (caching nameserver). BIND caches everything (good answers + bad answers), thus using memory inefficiently. When a bad answer is in your cache, it won't be flushed unless you restart BIND or just wait until its TTL expires. Some bad answers, of course, are known as cache poisoning. Note, dnscache will never suffer this attack or problem.

Another critical design flaw of BIND's DNS resolver is its non-configurable ulimit and cache size. Like I said, BIND will use up your memory because its cache size will grow without bound. Don't forget, BIND caches useless answers all the time, thus wasting memory; that's why BIND consumes quite a lot of memory. Note, this won't happen in dnscache, and dnscache uses memory very efficiently.

3) BIND's slaves waste so many unnecessary resources by asking their master for zone changes (Refresh).

Why? Only the master authoritative DNS server is authoritative, and it is where zone record updates are made. That said, whatever changes the slave has made to its zone are useless because they will be overwritten again when it's updated from its master.
Imagine the following:

Mr. Slave: Hey master, it's been 30 minutes, have you made any changes to the foobar zone?
Mr. Master: Nope.
Mr. Slave: 30 minutes later, hey any changes?
Mr. Master: Hell No!! Just stop bugging me I will let you know when it's updated.

As you can see, BIND's implementation is just lame. Mr. Master should inform Mr. Slave when the foobar zone is changed/updated, not the other way around; as simple as that. This is done automatically in tinydns.

Finally, BIND 9.X claims to be rewritten from scratch, and by the same old DNS+security illiterate developers. If BIND 9.X really makes that much difference in security (which I highly doubt), why did it take them so many years to finally awaken and start caring about security?
Don't forget, like ICQ, BIND tells people BIND 9.X is beta software and is not ready for a production environment. By saying that, they can take absolutely no responsibility whatsoever in the event of a new exploit, which is still happening monthly (if not biweekly).

Now that you know BIND 9.X should be a little more secure than BIND 8.X, why in the world are most UNIX vendors out there still using BIND 8.X in the default base system?

Why do sysadmins have to keep up with bugtraq on BIND biweekly when they can simply migrate to djbdns without having to worry about security any longer?

People, djbdns is not that difficult to learn/use. Don't forget, I used BIND for years and switched to djbdns 2 years ago. Should you think rsowders, a BIND+Sendmail+webmin promoter, is the winner here, just stick with that insecure software (which rsowders highly suggested over djbware) all you want, because your technical capabilities don't make you a qualified admin to ditch them and go for the most secure djbware, at least for the moment.
rsowders, it's rather difficult to out-argue djbware (world's most secure) with BIND (world's most insecure). Oh wait, I forgot you are not a security-wise person.

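The post above says dnscache only caches data from servers whose authority traces back to the roots. The rule behind that is the bailiwick check: a record from a reply is cached only if its owner name lies at or below the zone the answering server was delegated for. The following is an added illustration of that check and is not dnscache's own code; the reply format is a constructed simplification and the names are made up.

```python
"""Bailiwick filter for records in a DNS reply (added illustration, not
dnscache's code). A record is kept only if its owner name is at or below the
zone the answering server is authoritative for; everything else is dropped
instead of being cached."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A" or "NS"
    data: str    # record data, kept as text for the illustration


def _labels(name: str) -> list[str]:
    """Split a domain name into lowercase labels; trailing dot is optional."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is inside `zone`. Comparison is label by label, so
    'notexample.com' is NOT inside 'example.com' even though it ends with
    that string, and 'example.com.other.test' is not inside it either."""
    n, z = _labels(name), _labels(zone)
    if not z:                 # the root zone contains every name
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def filter_reply(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a reply from a server delegated for `zone` into records that
    may be cached and records that must be discarded as out-of-bailiwick."""
    keep, drop = [], []
    for rr in records:
        (keep if in_bailiwick(rr.name, zone) else drop).append(rr)
    return keep, drop


# Constructed reply: the example.com server answers a query for www and
# includes one record for a zone it was never delegated for.
REPLY = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.53"),
    RR("www.unrelated.example.", "A", "192.0.2.99"),  # out of bailiwick
]

if __name__ == "__main__":
    kept, dropped = filter_reply("example.com.", REPLY)
    print("cached:", [rr.name for rr in kept])       # three example.com names
    print("discarded:", [rr.name for rr in dropped])  # www.unrelated.example.
```
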
  #12  
April 18th, 2002, 07:14 AM
Utopia
superficial
Join Date: Mar 2002
Location: Peterborough, England
Posts: 188