Deprecation notice for BIND 9.20+: Unix Domain Sockets for control channel (rndc)
Hello,
in line with out deprecation policy, I am notifying the mailing list about
deprecation
of the 'unix' clause in the controls {} configuration block. The support for
Unix
Domain Sockets is already non-operational since BIND 9.18.0 and it is a fatal
error in named. This is properly documented in BIND 9.18.0 release notes and
known issues.
We are now proceeding to complete remove the rest of the code and documentation
from BIND 9.20+ (future release).
The 'unix' description from the ARM:
>A :any:`unix` control channel is a Unix domain socket listening at the
>specified path in the file system. Access to the socket is specified by
>the ``perm``, ``owner``, and ``group`` clauses. Note that on some platforms
>(SunOS and Solaris), the permissions (``perm``) are applied to the parent
>directory as the permissions on the socket itself are ignored.
In BIND 9.20:
1. Using 'unix' option in 'controls {}' block in named.conf will be a fatal
error in named and named-checkconf
In BIND 9.18 :
1. Using 'unix' option in 'controls {}' block in named.conf is already a fatal
error in named
The original issue is tracked under:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1759
This is tracked under https://gitlab.isc.org/isc-projects/bind9/-/issues/4311
Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Dnstap Re: Deprecation notice for BIND 9.20+: Unix Domain Sockets for control channel (rndc)
No objections, however I hope somebody lets me know if the same thing is
contemplated for Dnstap and what the timeline is. I won't be unduly
lathered by such an occurrence but I'd rather not have fire drills (and
it's not just me it's people / projects downstream of me).
FTR, I've always used an IP address with RNDC.
On Tue, 12 Sep 2023, Ondřej Surý wrote:
[...] The support for Unix
Domain Sockets is already non-operational since BIND 9.18.0 and it is a fatal
error in named. This is properly documented in BIND 9.18.0 release notes and
known issues.
We are now proceeding to complete remove the rest of the code and documentation
from BIND 9.20+ (future release).
[...]
1. Using 'unix' option in 'controls {}' block in named.conf is already a fatal
error in named
The original issue is tracked under:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1759
This wasn't particularly reassuring considering the Dnstap case. It
discusses something called "netmgr" which is used for "incoming DNS
queries and responses" and that now is apparently being adapted to a
control channel; it talks about modifying it to support outbound TCP
connections.
Dnstap has never been a server, it establishes an outbound connection to a
listener (server) on a unix socket. Seems like TCP has always been an
option for rndc, while it's never been an option for Dnstap; so that's a
difference, there's no explicit migration path at this moment.
Personally I'd be happy to see the last of framestreams (we don't need the
handshake, I've never used it and I've only ever seen it create confusion
for people trying to roll their own servers). I'd love to see UDP so that
we could get multicast (without a T/MG), but that doesn't allow for the
Dnstap overhead since DNS message sizes are already capped at the maximum
possible size of a UDP message.
Doing nothing is an option. ;-)
Thanks for all the work you do...
--
Fred Morris
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dnstap Re: Deprecation notice for BIND 9.20+: Unix Domain Sockets for control channel (rndc)
Hi Fred,
the Dnstap UDS support is only tangential to this - the support for AF_UNIX is
implemented in the fstrm library
and is outside of the scope for this change.
Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 12. 9. 2023, at 18:18, Fred Morris wrote:
>
> No objections, however I hope somebody lets me know if the same thing is
> contemplated for Dnstap and what the timeline is. I won't be unduly lathered
> by such an occurrence but I'd rather not have fire drills (and it's not just
> me it's people / projects downstream of me).
>
> FTR, I've always used an IP address with RNDC.
>
> On Tue, 12 Sep 2023, Ondřej Surý wrote:
>>
>> [...] The support for Unix
>> Domain Sockets is already non-operational since BIND 9.18.0 and it is a fatal
>> error in named. This is properly documented in BIND 9.18.0 release notes and
>> known issues.
>>
>> We are now proceeding to complete remove the rest of the code and
>> documentation
>> from BIND 9.20+ (future release).
>>
>> [...]
>>
>> 1. Using 'unix' option in 'controls {}' block in named.conf is already a
>> fatal error in named
>>
>> The original issue is tracked under:
>> https://gitlab.isc.org/isc-projects/bind9/-/issues/1759
>
> This wasn't particularly reassuring considering the Dnstap case. It discusses
> something called "netmgr" which is used for "incoming DNS queries and
> responses" and that now is apparently being adapted to a control channel; it
> talks about modifying it to support outbound TCP connections.
>
> Dnstap has never been a server, it establishes an outbound connection to a
> listener (server) on a unix socket. Seems like TCP has always been an option
> for rndc, while it's never been an option for Dnstap; so that's a difference,
> there's no explicit migration path at this moment.
>
> Personally I'd be happy to see the last of framestreams (we don't need the
> handshake, I've never used it and I've only ever seen it create confusion for
> people trying to roll their own servers). I'd love to see UDP so that we
> could get multicast (without a T/MG), but that doesn't allow for the Dnstap
> overhead since DNS message sizes are already capped at the maximum possible
> size of a UDP message.
>
> Doing nothing is an option. ;-)
>
>
> Thanks for all the work you do...
>
> --
>
> Fred Morris
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
