From: Adam Vande More <amvandemore@gmail.com>
To: Doug Barton
Cc: "Bjoern A. Zeeb", Dag-Erling Smørgrav, FreeBSD Hackers, freebsd-security@freebsd.org
Date: Sat, 7 Jul 2012 19:35:11 -0500
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
In-Reply-To: <4FF8CA35.7040209@FreeBSD.org>
References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org>
List-Id: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On Sat, Jul 7, 2012 at 6:45 PM, Doug Barton wrote:
> On 07/07/2012 16:34, Bjoern A. Zeeb wrote:
> > On 7. Jul 2012, at 23:17 , Doug Barton wrote:
> >
> >> On 07/07/2012 14:16, Bjoern A. Zeeb wrote:
> >>>
> >>> On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote:
> >>>
> >>>> Doug Barton writes:
> >>>>> The correct solution to this problem is to remove BIND from the base
> >>>>> altogether, but I have no energy for all the whinging that would happen
> >>>>> if I tried (again) to do that.
> >>>>
> >>>> I don't think there will be as much whinging as you expect. Times have
> >>>> changed.
> >>>>
> >>>> I'm willing to import and maintain unbound (BSD-licensed validating,
> >>>> recursive, and caching DNS resolver) if you remove BIND.
> >>>
> >>> I'd object to it. Trading one for another without gaining anything does
> >>> not help us much.
> >>
> >> Au contraire. It solves the problem of BIND release cycles not matching
> >> up with ours. This is a very important problem to solve.
> >
> > Right and unbound et al are better? Bind at least gives us long term
> > support releases these days. We just need to make sure we pick them
> > for releases.
> >
> >
> >> I've already written at length as to what I think the dream solution is,
> >> but we don't have anyone willing to code that yet, and even if we did,
> >> there is no guarantee that we'd get the buy-in to make it happen. In
> >> addition to being a good first step, doing this for DNS will also help
> >> us shake out the exact issues you allude to below.
> >>
> >>> Don't get me wrong I have both running for years and even maintain patches
> >>> for unbound for 2 years now for functionality they do not provide, which
> >>> named happily gives me.
> >>
> >> Other than authoritative DNS, what features does unbound lack that you want?
> >
> > DNS64 as a start.
>
> Personally I would classify that as a highly-specialized request, and
> would point you to the bind* ports. I acknowledge that others may have a
> different view.

I am unclear on how this solves the main problem I think was stated about
syncing up with release branches. If it doesn't solve that, isn't this just
busy work?

-- 
Adam Vande More