From: Matthew Dillon <dillon@apollo.backplane.com>
Date: Fri, 6 Jun 2003 10:26:30 -0700 (PDT)
To: Bill Moran
cc: freebsd-arch@freebsd.org
Subject: Re: Way forward with BIND 8
Message-Id: <200306061726.h56HQUiw026473@apollo.backplane.com>
References: <20030605235254.W5414@znfgre.qbhto.arg> <20030606024813.Y5414@znfgre.qbhto.arg> <3EE0A4F6.6020201@potentialtech.com>

Bind-9 should be the default in both -current and -stable. Bind-8 has some serious, unfixable issues with it, the biggest of which being that NS glue and additional-record returns are not properly separated out from official glue and official record data in internal structures and can poison the DNS cache. The second biggest problem has to do with the way Bind-8 forwards responses from servers to clients without regenerating them, leaving a path potentially open for hacked DNS sites to directly corrupt programs.
Nobody with any serious DNS needs should be using bind-8 any more. There are two issues with a changeover to bind-9. First, the bind-9 port does not properly install the new encrypted command/management system (the equivalent to ndc in bind-8), and, second, there are some differences in named.conf and zone file operation.

That said, it only took me an hour to convert my moderate DNS setup (serving four or five domains) over to bind-9 a year or so ago. But it is something I think needs to be done. Using the whole -release/-stable mess as an excuse to not do it is a cop-out, especially considering that there is still a huge amount of kernel work currently being done that has nothing to do with the stabilization of critical subsystems, and nobody is stopping that.

Another alternative is to make a clean break between 4.x and 5.x. The point when the FreeBSD project goes to 6-current/5-stable is the point when I have stated that I am going to make a decision whether to take the 4.* branch series under my wing or not.

-Matt
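As an added illustration of the cache-poisoning point made in the message above (this is example code, not part of the thread and not BIND's own implementation), the following Python model shows the two checks a resolver needs before caching anything from a response: a bailiwick check that drops records outside the zone being queried, and a credibility rank so that glue from the additional section can never overwrite data learned from an answer section. Zone names, record values and the section layout are constructed for the example.

```python
from dataclasses import dataclass
CRED = {"glue": 1, "authority": 2, "answer": 3}  # higher rank wins on conflict

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str

def _norm(name):  # case-insensitive, ignore trailing dot
    return name.lower().rstrip(".")

def in_bailiwick(name, zone):
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)

def filter_response(zone, answer, authority, additional):
    """Return (accepted, rejected): records safe to cache vs. dropped ones."""
    accepted, rejected = [], []
    for rr in answer:
        if in_bailiwick(rr.name, zone):
            accepted.append((rr, "answer"))
        else:
            rejected.append((rr, "answer outside bailiwick"))
    ns_targets = set()  # names the authority section actually delegates to
    for rr in authority:
        if rr.rtype == "NS" and in_bailiwick(rr.name, zone):
            accepted.append((rr, "authority"))
            ns_targets.add(_norm(rr.data))
        else:
            rejected.append((rr, "authority record outside bailiwick"))
    for rr in additional:  # glue: lowest trust, must be in-zone and requested
        if not in_bailiwick(rr.name, zone):
            rejected.append((rr, "glue outside bailiwick"))
        elif _norm(rr.name) not in ns_targets:
            rejected.append((rr, "unsolicited additional record"))
        else:
            accepted.append((rr, "glue"))
    return accepted, rejected

class Cache:  # glue never overwrites an entry learned from an answer section
    def __init__(self):
        self.entries = {}  # (name, type) -> (data, credibility)
    def insert(self, rr, cred):
        key = (_norm(rr.name), rr.rtype)
        cur = self.entries.get(key)
        if cur is not None and CRED[cred] < CRED[cur[1]]:
            return False
        self.entries[key] = (rr.data, cred)
        return True
```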