Infrastructure Series: BIND9 Authoritative DNS Guide "Please See Me Edition"

It’s been more than a year since I read things on DJB and why BIND sucked. I don’t really remember - and remember that I’m not a programmer and I talk s**t a lot.

All I know is that DJB was a very smart individual who made a few very good tools like qmail, djbdns, daemontools and contributed to cryptography with Edwards curves, which became the EdDSA standard. Additionally, he also created the ChaCha20 cipher and the Poly1305 authentication method, all 3 of which were adopted most notably by WireGuard.

And DJB has quite a few wild fans out there, or at least people who complain about DJB claim that they were attacked on the Internet by his fans for criticizing him - I never witnessed the supposed fans in action.

Daemontools is the grand-daddy of inits and process supervisors like Runit, s6 and perp.

Other than that, the story behind DJB is that BIND had too many security holes (probably BIND8 at that time, during the 90s), so he made djbdns. Actually, given that version 1.05 was released in 2001 and that BIND9 was released in 2000, I’m not sure if djbdns predates BIND9.

Even so, I have read opinions on the Internet, so they must be true, that BIND9 still suffers from security exploits because of its non-Unix design. Jokes aside, this appeared to be true, as BIND9 had some security exploits:

In particular CVE-2020-8625 (severity ISC 8.1 HIGH), CVE-2021-25216 (severity ISC 8.1 HIGH / NIST 9.8 CRITICAL) and CVE-2021-25220 (severity ISC 8.1 MEDIUM / NIST 8.6 HIGH) prove the point. Those are pretty recent CVEs. While djbdns isn’t invulnerable, its code base is much smaller and it does a lot less. Also, it was found to be vulnerable to a certain cache poisoning attack; people patched it, but the patch is not available in the main server, which hasn’t been updated since 2001. And that’s only if you cache queries, so if you don’t, you could be completely fine.

Still, I don’t know that I would use djbdns, compared to Unbound or NSD. Or rather both, one as a recursive resolver (Unbound) and the latter as an authoritative resolver (NSD), because having them separate gives you the advantage that a compromise of one can’t affect the other, instead of using BIND9, where both instances could potentially be hacked through the same exploit.

Anyway, don’t take my biases against BIND9 too seriously. Just because a piece of software is found to be vulnerable doesn’t necessarily mean that you will be hacked, although with all the scraper bots on the Internet, that could be possible if your service is found. But again, just because a vulnerability is discovered doesn’t mean that hackers knew of it before the discovery and subsequent patch, although in theory that is not impossible.

2 Likes
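A minimal configuration for the split the post recommends (NSD answering authoritatively on the public address, Unbound recursing on the internal one, each in its own process with no shared state) is given below as an added illustration; it is not taken from the post or from either project's documentation. The addresses (192.0.2.10 for the authoritative host, 192.0.2.11 for its secondary, 10.0.0.1 for the resolver, 10.0.0.0/8 as the client network) and the zone example.com are assumed placeholders.

```conf
# /etc/nsd/nsd.conf -- authoritative only, reachable from the Internet.
# NSD contains no recursion code at all, so a client asking it to recurse
# for a foreign name gets REFUSED rather than a cached answer.
server:
    ip-address: 192.0.2.10          # assumed public address of the authoritative host
    port: 53
    username: nsd                   # drop root after binding port 53
    hide-version: yes               # don't leak the build via version.bind
    zonesdir: "/etc/nsd/zones"

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # Only the named secondary may pull the zone; everyone else gets REFUSED.
    provide-xfr: 192.0.2.11 NOKEY   # assumed secondary address
    notify: 192.0.2.11 NOKEY

# /etc/unbound/unbound.conf -- recursive only, bound to the internal interface.
server:
    interface: 10.0.0.1             # assumed internal address; never the public one
    port: 53
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse    # default-deny: no open resolver
    hide-identity: yes
    hide-version: yes
    harden-glue: yes                # ignore glue outside the delegated zone
    harden-dnssec-stripped: yes     # treat missing DNSSEC data as bogus, not insecure
    qname-minimisation: yes         # send upstream servers only the labels they need
    use-caps-for-id: yes            # 0x20 case randomisation against spoofed replies

# Ask the NSD host directly for our own zone instead of walking the public
# delegation; the two daemons still share no cache, memory or privileges.
stub-zone:
    name: "example.com"
    stub-addr: 192.0.2.10
```

To check the split from an external host, `dig @192.0.2.10 example.com SOA` should return an answer with the AA flag set, while `dig @192.0.2.10 www.google.com` should come back REFUSED; from an internal client, `dig @10.0.0.1 www.example.com` should resolve, and the same query from outside 10.0.0.0/8 should be refused.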