From: Doug Barton
Organization: http://SupersetSolutions.com/
Date: Sun, 21 Feb 2010 20:45:03 -0800
To: freebsd-arch@FreeBSD.org
Subject: Future plans for BIND versions in the base, and DNSSEC readiness
Message-ID: <4B820BCF.2090908@FreeBSD.org>

Howdy,

This message is to describe the current status of BIND support in FreeBSD, list my plans for the future, and solicit comments from the community. If you have any feedback, particularly if you disagree with my proposed course of action, please speak up sooner rather than later.

In the past, release policies for both FreeBSD and BIND were different from what they have evolved into.
In the last few years both FreeBSD and BIND have done major version releases on a much more aggressive schedule, and the policies for what does and does not go into a major version release have been modified. With the larger number of extant BIND releases, ISC has also updated their End of Life (EOL) policies for older versions. Given that all up-to-date versions of BIND (and other name server software options) are available in the ports tree, and given the desire not to violate POLA for our users by making changes to the BIND version in a given branch, we have traditionally made the decision not to update them.

The current status of our supported branches is as follows:

FreeBSD Version | BIND Version | BIND Status
------------------------------------------------------------------------
6               | 9.3.6-P1     | EOL
------------------------------------------------------------------------
7               | 9.4-ESV      | Supported through 2010-12-31
------------------------------------------------------------------------
8               | 9.6.1-P3     | Active development
------------------------------------------------------------------------
HEAD            | 9.6.1-P3     | Active development
------------------------------------------------------------------------

The new development in that list is the 9.4-ESV version. You can see ISC's policy on Extended Support Versions at https://www.isc.org/softwaresupportpolicy. This is a new policy for them to provide a longer period of support for certain versions. This 9.4-ESV will not be supported for the full 3 years, so after 2010-12-31 FreeBSD 7 users with serious DNS needs will either have to upgrade to a newer FreeBSD version or use a supported version of BIND (or another name server) from ports, the same way that FreeBSD 6 users need to do now. The upcoming DNSSEC signing of the root zone will likely make such an upgrade necessary anyway (see below).

For FreeBSD version 8 there will be at least one more regular release of BIND 9.6 (9.6.2), and that -ESV version will be supported for 3 years after it is released. Therefore in all likelihood we will have full support for BIND 9.6 throughout the lifetime of FreeBSD version 8.

BIND version 9.7.0 is the latest new-feature release from ISC. The major differences between this version and 9.6 have to do with better support for DNSSEC, including better automation support for "unattended" signing. A more detailed list of 9.7's new features is available at https://www.isc.org/software/bind/new-features/9.7.

My plan is to import BIND 9.7 into HEAD. Assuming that it is still the most current BIND version when FreeBSD 9-RELEASE is ready to go, it's the version that it will be released with. This should hopefully allow that version of FreeBSD to have a supported version of BIND throughout its lifetime as well.

DNSSEC Considerations
---------------------

I think most people are familiar with the concept of DNSSEC. It provides cryptographic signatures on DNS responses that allow resolving name servers with the right software to be sure that the answer they received is the same one that the domain holder intended. While there are many early adopters of DNSSEC today, including many Top Level Domains (TLDs), the linchpin event that most people are waiting for in order to get really excited about DNSSEC deployment is the signing of the root zone. The plans for this have been laid, and the first stages of the deployment of the signed zone are already under way. You can read all about these plans, and the projected timetable, at http://www.root-dnssec.org/. The key elements of the timetable are that by the end of May all root name servers will be serving a zone that contains DNSSEC signatures, although they will be unvalidatable (for a variety of complicated reasons outside the scope of this document).
Assuming that there are no show-stopping problems in the initial deployment phases, by July 1st the real root zone keys will have been published, and the real zone will be signed on the root name servers.

There are two implementation details for DNSSEC signing of the root zone that are important for people interested in configuring their resolvers for validation to begin planning for now.

The first is the much greater size of the DNS responses that include DNSSEC information. Any name server software that is modern enough to support DNSSEC also implements something called EDNS, which allows name servers to operate with UDP packet sizes up to 4096 bytes, much greater than the 512 bytes that were specified in the earliest DNS standards. Unfortunately, although the EDNS standard has been around for a long time, there are still many "middleboxes" (firewalls, broadband routers, etc.) that have problems with these larger responses. You can test your network by using the tools and techniques described at the following sites:

https://www.dns-oarc.net/oarc/services/replysizetest
http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues

The other important issue with the DNSSEC signing of the root zone (and the reason for including it here) is the key protocol that will be used. The RSA/SHA256 key protocol was only recently codified in an RFC, and BIND version 9.7.0 is the first release version of BIND to support it. This support will be backported to version 9.6.2 as well; however, it will not be ported to 9.4-ESV. Therefore users of FreeBSD 6 and 7 who wish to validate DNSSEC signatures will either have to update to FreeBSD 8 or 9, or they will have to update their name server software via the ports.

I hope that this overview is useful.

Regards,

Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with a
	domain name makeover!
	http://SupersetSolutions.com/
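The two resolver-side details the message describes (EDNS buffers of up to 4096 bytes versus the original 512-byte UDP limit, and the DNSSEC OK bit a validating resolver sets) in wire form, as an added example that is not from Doug's message or from BIND: it builds a root DNSKEY query carrying an EDNS0 OPT record and parses the advertised limit back out, falling back to 512 when no OPT record is present. The function names and the constructed query are my own.

```python
import struct

# Added example (not from Doug's message or BIND): the two resolver-readiness
# points in wire form. A DNSSEC-capable resolver attaches an EDNS0 OPT record
# advertising a UDP buffer (4096 here) with the DO bit set; no OPT means 512.

TYPE_DNSKEY = 48
TYPE_OPT = 41
DO_BIT = 0x8000         # DO flag: top bit of the 16-bit flags in the OPT "TTL" field
LEGACY_UDP_LIMIT = 512  # UDP message limit from the earliest DNS standards

def encode_name(name):
    """Wire-encode a dotted name; "." yields just the root label byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, edns=True, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """Build a UDP DNS query: header, one IN question, plus an OPT RR when edns=True."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags (DO lives here), RDLENGTH 0 (no options).
    flags = DO_BIT if dnssec_ok else 0
    return header + question + encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_size, flags, 0)

def _skip_name(data, off):
    # Advance past a wire name; a compression pointer (top two bits set) ends it.
    while data[off] != 0 and data[off] < 0xC0:
        off += 1 + data[off]
    return off + 1 if data[off] == 0 else off + 2

def reply_limit(data):
    """(udp_size, do_bit) from the first OPT RR, or (512, False) if there is no EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4                 # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        off += rdlen
    return LEGACY_UDP_LIMIT, False
```

A reply-size problem on a middlebox shows up as the server's response honouring the advertised size while the querier never sees it; `reply_limit` on a captured query tells you what size was actually requested.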