Hash: SHA256


Traditionally for contributed software generally, and BIND in particular
we have tried to keep the major version of the contributed software
consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the
reasoning for this is obvious, we want to avoid POLA violations.

However this policy led to an unfortunate situation with FreeBSD 6 and
BIND 9.3. We ended up "supporting" it long after the vendor's EOL date,
both in ports and in the base. I have written previously about this
issue being an inevitable result of the fact that our release
engineering schedule and ISC's have both changed, and diverged. In
RELENG_6 the problem was exacerbated by the fact that BIND 9.3 was such
an old version that there was no clean upgrade path, users needed to
make changes to configuration files, regression test, etc. Therefore the
decision was made to live with the issue in RELENG_6.

We currently face a similar situation in RELENG_7, which has BIND
9.4-ESV; scheduled to EOL in May 2011.
https://www.isc.org/software/bind/versions In contrast, BIND 9.6-ESV
will be supported until March 2013. Additionally BIND 9.6 is a superset
of 9.4, and users should not need to make any changes to their
configuration files. In fact, at the moment src/etc/namedb is identical
in head/ stable/8, and stable/7. There may be some differences in
operation; for example in some situations BIND 9.6 can use more memory
than an identically configured 9.4 server. But in the overwhelming
number of situations users would simply be able to upgrade in place
without concern.

In order to avoid repeating the scenario where we have a version of BIND
in the base that is not supported by the vendor I am proposing that we
upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.

There is an additional element to this decision that is relevant for
users who wish to set up their resolving name servers for DNSSEC
validation. BIND 9.6 is the oldest version that has (or will have)
support for the algorithms and other features necessary for modern
DNSSEC. While I do not think that the decision of changing BIND versions
should turn exclusively on this element, I do think it is a factor that
should be considered.

My purpose in writing this message is to solicit feedback from users who
would be adversely affected if this change was made. Please do not
devolve down the rathole of whether BIND should be removed from the base
altogether. This is incredibly unlikely to happen for RELENG_7 or
RELENG_8. The question of whether or not it should happen in HEAD prior
to the eventual 9.0-RELEASE is a topic for another thread.

I am particularly interested in feedback from users with significant DNS
usage that are still using 9.4, especially if you're using the version
in the base. I would appreciate it if you could install 9.6 from the
ports and at minimum run /usr/local/sbin/named-checkconf to see if any
errors are generated. Of course it would be that much more helpful if
you could also evaluate BIND 9.6 in operation in your environment.

Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
Sooner is better. :)



- --
        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price.  :)  http://SupersetSolutions.com/

Version: GnuPG v2.0.16 (FreeBSD)

freebsd-stable@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Reply via email to