From owner-freebsd-ports Thu Nov 14 2:23:47 2002
Message-ID: <3DD379AF.B6D90CCC@FreeBSD.org>
Date: Thu, 14 Nov 2002 02:23:43 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
To: Philip Paeps
Cc: ports@FreeBSD.org
Subject: Re: net/bind9 port and overwriting base-system?
References: <20021114010927.GP17974@juno.home.paeps.cx>

Philip Paeps wrote:
>
> Maybe this is a silly idea, or just plain impossible. I haven't tried :-)
>
> The lang/perl5 port includes a utility 'use.perl', with which one can select
> which version of Perl to use, the one in the base-system, or the one from the
> port.
>
> Would something like that be feasible for net/bind9?

Yes. I have patches for this, but haven't had a chance to commit them yet. I'm also waiting on portmgr to commit a small patch for bsd.port.mk to make this a little easier (although I can work around that). The port will use the PORT_REPLACES_BASE_BIND9 define just like bind8 does now.

> (Getting BIND9 into the -STABLE basesystem would be nice too, but I guess it's
> not going to happen anytime soon?

BIND 9 will never go into RELENG_4, and isn't anywhere near ready for -current either. Here are my reasons:

1. The devils you know are better than the devils you don't. BIND 8 has many orders of magnitude more hours of use in production, and hours of blackhats poking at it. This factor shouldn't be underestimated.

2. There are still stability concerns. It performs fairly well as an authoritative name server, but as a resolver, it falls down under load. Of course, my load is a lot greater than average, but at the same time, bind 8 doesn't fall over under it.

3. BIND 9 is very resource hungry. Even as an authoritative server, it takes 2 to 3 times more memory to load the same data, and up till very recently the performance (in terms of queries per second) for both resolvers and auth. servers has been 2 or 3 times slower than bind 8. Now it's down to only 1.5 to 2 times slower. The more recent bind 9.3.x snapshots have improved this somewhat, but the current focus of development in that branch is related to DNSSEC, not performance.

4. That last point shouldn't be overlooked either. Almost all of the vulnerabilities found in BIND 8 over the last two years have been related to the cryptographic elements (DNSSEC and TSIG). The DS protocol hasn't even been finalized yet, and getting that working is going to be a primary focus for BIND 9.3 in order to finish DNSSEC. By moving to BIND 9 in the base we'd be early adopters of unknown, and rapidly changing bugs, and these are amongst the most difficult bugs to track down, even on a good day.

Hope this helps,

Doug