From: Doug Barton <dougb@FreeBSD.org>
Organization: http://SupersetSolutions.com/
To: freebsd-stable@FreeBSD.org
Date: Fri, 17 Dec 2010 21:41:54 -0800
Message-ID: <4D0C49A2.4000203@FreeBSD.org>
Subject: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x

Howdy,

Traditionally, for contributed software generally, and BIND in particular, we have tried to keep the major version of the contributed software consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the reasoning for this is obvious: we want to avoid POLA violations. However, this policy led to an unfortunate situation with FreeBSD 6 and BIND 9.3.
We ended up "supporting" it long after the vendor's EOL date, both in ports and in the base. I have written previously about this issue being an inevitable result of the fact that our release engineering schedule and ISC's have both changed, and diverged. In RELENG_6 the problem was exacerbated by the fact that BIND 9.3 was such an old version that there was no clean upgrade path; users needed to make changes to configuration files, regression test, etc. Therefore the decision was made to live with the issue in RELENG_6.

We currently face a similar situation in RELENG_7, which has BIND 9.4-ESV, scheduled to EOL in May 2011.

https://www.isc.org/software/bind/versions

In contrast, BIND 9.6-ESV will be supported until March 2013. Additionally, BIND 9.6 is a superset of 9.4, and users should not need to make any changes to their configuration files. In fact, at the moment src/etc/namedb is identical in head/, stable/8, and stable/7. There may be some differences in operation; for example, in some situations BIND 9.6 can use more memory than an identically configured 9.4 server. But in the overwhelming number of situations users would simply be able to upgrade in place without concern.

In order to avoid repeating the scenario where we have a version of BIND in the base that is not supported by the vendor, I am proposing that we upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.

There is an additional element to this decision that is relevant for users who wish to set up their resolving name servers for DNSSEC validation. BIND 9.6 is the oldest version that has (or will have) support for the algorithms and other features necessary for modern DNSSEC. While I do not think that the decision of changing BIND versions should turn exclusively on this element, I do think it is a factor that should be considered.

My purpose in writing this message is to solicit feedback from users who would be adversely affected if this change were made.
Please do not devolve down the rathole of whether BIND should be removed from the base altogether. This is incredibly unlikely to happen for RELENG_7 or RELENG_8. The question of whether or not it should happen in HEAD prior to the eventual 9.0-RELEASE is a topic for another thread.

I am particularly interested in feedback from users with significant DNS usage that are still using 9.4, especially if you're using the version in the base. I would appreciate it if you could install 9.6 from the ports and at minimum run /usr/local/sbin/named-checkconf to see if any errors are generated. Of course it would be that much more helpful if you could also evaluate BIND 9.6 in operation in your environment.

Your feedback on the issue of upgrading BIND in RELENG_7 is welcome. Sooner is better. :)

Regards,

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/