Message-ID: <4FF8C3A1.9080805@FreeBSD.org>
Date: Sat, 07 Jul 2012 16:17:53 -0700
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, Dag-Erling Smørgrav, FreeBSD Hackers
Subject: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net>
In-Reply-To: <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net>

On 07/07/2012 14:16, Bjoern A. Zeeb wrote:
>
> On 3. Jul 2012, at 12:39, Dag-Erling Smørgrav wrote:
>
>> Doug Barton writes:
>>> The correct solution to this problem is to remove BIND from the base
>>> altogether, but I have no energy for all the whinging that would happen
>>> if I tried (again) to do that.
>>
>> I don't think there will be as much whinging as you expect. Times have
>> changed.
>>
>> I'm willing to import and maintain unbound (BSD-licensed validating,
>> recursive, and caching DNS resolver) if you remove BIND.
>
> I'd object to it. Trading one for another without gaining anything does
> not help us much.

Au contraire. It solves the problem of BIND release cycles not matching up with ours. This is a very important problem to solve.

I've already written at length as to what I think the dream solution is, but we don't have anyone willing to code that yet, and even if we did, there is no guarantee that we'd get the buy-in to make it happen. In addition to being a good first step, doing this for DNS will also help us shake out the exact issues you allude to below.

> Don't get me wrong, I have both running for years and even maintain patches
> for unbound for 2 years now for functionality they do not provide, which
> named happily gives me.

Other than authoritative DNS, what features does unbound lack that you want?

> If you want to do this, I would prefer a properly laid out action plan
> as the import is by far the easiest but the integration into various
> parts of the system is harder.

BIND in the base today comes with a full-featured local resolver configuration, which I'm confident that Dag-Erling can do for unbound (and which I would be glad to assist with if needed). Other than that, what integration are you concerned about?

... and just in case, these are sincere "project requirement gathering" questions; I'm not attempting to be snarky in any way.

Doug

-- 
This .signature sanitized for your protection