From owner-freebsd-hackers@FreeBSD.ORG Tue Jul 10 02:46:15 2012
Date: Tue, 10 Jul 2012 12:46:05 +1000
From: Peter Jeremy
To: Doug Barton
Message-ID: <20120710024605.GA90875@server.rulingia.com>
References: <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org> <4FF952FB.10200@FreeBSD.org> <4FFACB51.90001@brodnik.org> <20120709204749.GA88274@server.rulingia.com> <4FFB447F.9020001@FreeBSD.org>
In-Reply-To: <4FFB447F.9020001@FreeBSD.org>
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Replacing BIND with unbound 9.1 code freeze?)

Firstly, I should note that I'm not against removing bind from base. I'm merely saying that users are going to need some guidance during the transition.

On 2012-Jul-09 13:52:15 -0700, Doug Barton wrote:
> On 07/09/2012 13:47, Peter Jeremy wrote:
>> On 2012-Jul-09 14:15:13 +0200, in freebsd-security, "Andrej (Andy)
>> Brodnik" wrote:
>>> Excuse my ignorance - but is there a how-to paper on transition
>>> from bind to unbound for SOHO?
>
> You don't need to transition if you don't want to. Just install BIND
> from the ports.

IMHO, this is a cop-out. If the default response to anyone asking a question about transitioning is "install bind" then we might as well leave bind in the base system.

As I see it, FreeBSD systems fall roughly into 3 categories:

1) Client systems that need to look up external DNS servers only.
2) SOHO systems that primarily do external lookups but need to be internally authoritative about their local network.
3) Systems that are primarily DNS servers.

The third category is clearly a "use ports" case - there's no need for the base system to include all the tools necessary to build one of the root nameservers.

The base system _must_ handle the first category - and I'll accept advice from dougb@ & des@ that unbound is a good choice for this. The issues people seem to have with the change here are the user tools to interface with DNS - currently dig(1), host(1) and nslookup(1) - and des@ has now adequately covered this.
I think the majority of the remaining unease in this thread comes from people who administer systems in the second category. I (and I expect lots of other people) use bind for this solely because it is in the base system, not because it is the best tool for the job.

>> In particular, if unbound has no authoritative server capabilities,
>> what suggestions are there for handling the private hosts in a SOHO
>> environment?
>
> Stub and/or forward zones. The unbound docs have more information.

But unfortunately no tutorial guides. Having looked at the online copy of unbound.conf(5), it appears that unbound _does_ have some limited server capabilities - this wasn't clear in the original proposal. It's not immediately clear to me whether it's adequate for my purposes and, if it isn't, what I should use. This is an area where I expect there will be community input - potentially via the FreeBSD wiki.

-- 
Peter Jeremy
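The following unbound.conf fragment is an added illustration of the "second category" setup discussed above (a SOHO resolver that is authoritative for its own private hosts and recursive for everything else); it is not part of the original mail and not taken from the unbound documentation. The zone name home.example, the 192.168.1.0/24 network, the 192.168.1.2 internal authoritative server and the upstream 203.0.113.53 are constructed placeholders. The option names (local-zone, local-data, local-data-ptr, stub-zone, forward-zone, access-control, private-address, private-domain, domain-insecure) are real unbound.conf(5) directives.

```conf
server:
    # Listen on the LAN side only; never expose recursion to the Internet.
    interface: 192.168.1.1
    interface: 127.0.0.1

    # Only the local network may query; everything else is refused.
    # This is what keeps the box from becoming an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Limited "authoritative" capability: answer for the private zone
    # from local-data only. "static" returns NXDOMAIN for names in the
    # zone that have no local-data, so typos never leak upstream.
    local-zone: "home.example." static
    local-data: "router.home.example.  IN A 192.168.1.1"
    local-data: "nas.home.example.     IN A 192.168.1.10"
    local-data-ptr: "192.168.1.1  router.home.example"
    local-data-ptr: "192.168.1.10 nas.home.example"

    # Rebinding defence: strip RFC 1918 addresses from answers for public
    # names. Zones that legitimately carry private addresses must be
    # listed in private-domain, otherwise their answers are scrubbed too.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-domain: "home.example"
    private-domain: "corp.example"

    # If DNSSEC validation is enabled (auto-trust-anchor-file), an
    # unsigned private zone served by the stub below must be marked
    # insecure or its answers fail validation.
    domain-insecure: "corp.example"

# Stub zone: unbound asks the internal authoritative server directly
# (the path to take if part of the network keeps a real zone file).
stub-zone:
    name: "corp.example."
    stub-addr: 192.168.1.2

# Everything else is forwarded to the upstream resolver; omit this block
# entirely and unbound performs full recursion from the root hints.
forward-zone:
    name: "."
    forward-addr: 203.0.113.53
```

Run unbound-checkconf on the file before reloading; it catches misspelled directives and a stub or forward zone that points at an address the server is not allowed to query. The two directives worth checking after any change to the private zones are access-control (a missing "refuse" line is the usual way a resolver ends up open to the Internet) and private-domain, since a stub zone returning private addresses without a matching private-domain entry silently answers with nothing.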