Date:      Tue, 03 Jul 2012 14:17:40 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Mark Felder <feld@feld.me>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Pull in upstream before 9.1 code freeze?
Message-ID:  <4FF36174.2000806@FreeBSD.org>
In-Reply-To: <op.wgvhfja234t2sn@tech304>
References:  <CA+QLa9B-Dm-=hQCrbEgyfO4sKZ5aG72_PEFF9nLhyoy4GRCGrA@mail.gmail.com> <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <op.wgvhfja234t2sn@tech304>

On 07/03/2012 06:36, Mark Felder wrote:
> On Tue, 03 Jul 2012 07:39:34 -0500, Dag-Erling Smørgrav <des@des.no> wrote:
> 
>>
>> I don't think there will be as much whinging as you expect.  Times have
>> changed.
> 
> Agreed; if we need DNS in base (really, why?) then unbound+nsd are prime
> candidates, but they're healthily maintained in ports...soo... no real
> advantage.

We should not put nsd in the base. There is no need for an authoritative
server in the base, the only reason BIND is there is that it is also a
resolver, and, of course, hysterical raisins.

The dream scenario is one we've discussed in the past:

1. Promote certain ports to "system" status, with more stringent
requirements for both the ports, and the maintainers.

2. Re-tool the installer to give the users choice of which (if any) of
the key system components get installed. Obvious choices for this
category are the perennial favorites of DNS (resolver) and mail,
reasonable arguments can be made for others of course.

Whether we do the above or not, ldns/drill should be imported into the
base so that we have at least one command line DNS resolution tool. A
good "junior hacker" project would be to make a host(1) clone using
ldns. If users want the regular bind tools, ports/dns/bind-tools already
exists.

Given it's unlikely that actually making the installer more modular will
happen before 10-RELEASE, importing unbound is the next best
alternative. And regarding the "it's a young project" issue, I've
followed their development closely, I know the people involved, and I've
used it for some projects. I have zero hesitation.

And for those who are unclear on the problem we're trying to solve, a
quick recap. As things have evolved over time the BIND release cycles
and ours have diverged. Since we don't update the version of BIND in the
base for POLA reasons, for FreeBSD 6, and now 7, this has led to a
situation where our oldest release has an unsupported version of BIND.
Clearly this is unacceptable.

Oh, and to anticipate the traditional "zomg! don't turn freebsd into
linux!!!11!!!" response: First, just because linux does something
doesn't make it wrong, and Second, we can definitely add a *little* more
modularity (which the users have been asking for as long as I can
remember) without "turning into linux."

And finally, to address the "why have a resolver on the system at all?"
question, one word: DNSSEC. At this time there is no good solution to
the problem of the local host system being able to validate a DNSSEC
response. The only viable solution _at this time_ is to have a local,
validating resolver. (Of course, other solutions are being worked on,
but they aren't here yet.) This will become much more important over
time as DNSSEC adoption increases, and more things begin to use it (like
DANE).

Doug

-- 

    This .signature sanitized for your protection
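To make concrete why the stub on the host needs a local validating resolver (the DNSSEC point above), here is an added example, not code from this thread, from FreeBSD or from unbound/ldns: it builds a DO-flagged A query and checks the AD flag and rcode in three constructed replies, standing in for a validating localhost resolver, a non-validating cache, and a bogus-answer SERVFAIL.

```python
import struct

TXID = 0x1234  # constructed sample transaction id, not captured traffic

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid=TXID, qtype=1):
    """Stub query: RD set, plus an EDNS0 OPT RR with the DO bit so the resolver
    knows we understand DNSSEC (flags 0x0100 = RD; OPT ttl field 0x8000 = DO)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt_rr

def parse_header(msg):
    """Decode the 12-byte DNS header into the flags a stub cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": flags & 0x000F, "ancount": an}

def validated(query, response):
    """True only if the resolver answered this query, returned NOERROR and set AD.
    AD is a bare assertion by the resolver, so it is only worth trusting when the
    resolver is the local validating one (unbound on 127.0.0.1), not a remote cache."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["rcode"] == 0 and r["ad"]

def constructed_response(txid, ad, rcode=0):
    """Build a minimal reply to an A query for example.com (constructed, not real)."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode   # QR, RD, RA [+AD] [+rcode]
    answer = b""
    if rcode == 0:
        # Name pointer to offset 12 (the question), type A, class IN, TTL 3600, 4-byte address.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
    header = struct.pack("!6H", txid, flags, 1, 1 if answer else 0, 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + answer + opt_rr

QUERY = build_query("example.com")
RESP_SECURE = constructed_response(TXID, ad=True)           # local validating resolver
RESP_NO_VALIDATION = constructed_response(TXID, ad=False)   # resolver that does not validate
RESP_BOGUS = constructed_response(TXID, ad=False, rcode=2)  # SERVFAIL: validation failed
```

Only the first reply passes `validated()`; the second returns an answer the stub has no way to judge, and the third is what a validating resolver returns for a bogus zone.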