From: Damien
Date: Sat, 18 Dec 2010 14:32:44 +0100
To: freebsd-stable@freebsd.org
Subject: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x

Hello Doug, List,

I confirm the upgrade from 94 to 96 is very minor.

I'm running several fbsd8.0 and 8.1 servers but I still have a 7.2-STABLE box here.

I just upgraded from the ports collections 9.4.4.ESV.2 to 9.6.3.ESV3
named-checkconf doesn't report any error, neither does checkzone.
I started the new named daemon successfully and can still resolve just fine, both with recursion from localhost and without from external hosts.

Please note that I was using 94 from ports and not the base system, but either way I haven't made a single change to my configuration files.

I am also in favor of upgrading the base system's version of BIND to 9.6.

--
Damien

On 12/18/10 6:41 AM, Doug Barton wrote:
> Howdy,
>
> Traditionally for contributed software generally, and BIND in particular
> we have tried to keep the major version of the contributed software
> consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the
> reasoning for this is obvious, we want to avoid POLA violations.
>
> However this policy led to an unfortunate situation with FreeBSD 6 and
> BIND 9.3. We ended up "supporting" it long after the vendor's EOL date,
> both in ports and in the base. I have written previously about this
> issue being an inevitable result of the fact that our release
> engineering schedule and ISC's have both changed, and diverged. In
> RELENG_6 the problem was exacerbated by the fact that BIND 9.3 was such
> an old version that there was no clean upgrade path, users needed to
> make changes to configuration files, regression test, etc. Therefore the
> decision was made to live with the issue in RELENG_6.
>
> We currently face a similar situation in RELENG_7, which has BIND
> 9.4-ESV; scheduled to EOL in May 2011.
> https://www.isc.org/software/bind/versions In contrast, BIND 9.6-ESV
> will be supported until March 2013. Additionally BIND 9.6 is a superset
> of 9.4, and users should not need to make any changes to their
> configuration files. In fact, at the moment src/etc/namedb is identical
> in head/ stable/8, and stable/7. There may be some differences in
> operation; for example in some situations BIND 9.6 can use more memory
> than an identically configured 9.4 server.
> But in the overwhelming
> number of situations users would simply be able to upgrade in place
> without concern.
>
> In order to avoid repeating the scenario where we have a version of BIND
> in the base that is not supported by the vendor I am proposing that we
> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
>
> There is an additional element to this decision that is relevant for
> users who wish to set up their resolving name servers for DNSSEC
> validation. BIND 9.6 is the oldest version that has (or will have)
> support for the algorithms and other features necessary for modern
> DNSSEC. While I do not think that the decision of changing BIND versions
> should turn exclusively on this element, I do think it is a factor that
> should be considered.
>
> My purpose in writing this message is to solicit feedback from users who
> would be adversely affected if this change was made. Please do not
> devolve down the rathole of whether BIND should be removed from the base
> altogether. This is incredibly unlikely to happen for RELENG_7 or
> RELENG_8. The question of whether or not it should happen in HEAD prior
> to the eventual 9.0-RELEASE is a topic for another thread.
>
> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.
>
> Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
> Sooner is better. :)
>
> Regards,
>
> Doug