Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 7 Jul 2012 23:34:45 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-security@freebsd.org, =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID:  <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net>
In-Reply-To: <4FF8C3A1.9080805@FreeBSD.org>
References:  <CA%2BQLa9B-Dm-=hQCrbEgyfO4sKZ5aG72_PEFF9nLhyoy4GRCGrA@mail.gmail.com> <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 7. Jul 2012, at 23:17 , Doug Barton wrote:

> On 07/07/2012 14:16, Bjoern A. Zeeb wrote:
>>=20
>> On 3. Jul 2012, at 12:39 , Dag-Erling Sm=F8rgrav wrote:
>>=20
>>> Doug Barton <dougb@FreeBSD.org> writes:
>>>> The correct solution to this problem is to remove BIND from the =
base
>>>> altogether, but I have no energy for all the whinging that would =
happen
>>>> if I tried (again) to do that.
>>>=20
>>> I don't think there will be as much whinging as you expect.  Times =
have
>>> changed.
>>>=20
>>> I'm willing to import and maintain unbound (BSD-licensed validating,
>>> recursive, and caching DNS resolver) if you remove BIND.
>>=20
>> I'd object to it.  Trading one for another without gaining anything =
does
>> not help us much.
>=20
> Au contraire. It solves the problem of BIND release cycles not =
matching
> up with ours. This is a very important problem to solve.

Right and unbound et al are better?   Bind at least gives us long term
support releases these days.  We just need to make sure we pick them
for releases.


> I've already written at length as to what I think the dream solution =
is,
> but we don't have anyone willing to code that yet, and even if we did,
> there is no guarantee that we'd get the buy-in to make it happen. In
> addition to being a good first step, doing this for DNS will also help
> us shake out the exact issues you allude to below.
>=20
>> Don't get me wrong I have both running for years and even maintain =
patches
>> for unbound for 2 years now for functionality they do not provide, =
which
>> named happily gives me.
>=20
> Other than authoritative DNS, what features does unbound lack that you =
want?

DNS64 as a start.  I don't care about the auth. support really with what =
is
in base; it is nice that it comes for free and it is nice, that I'll not
run into port 53 conflicts on single-IP systems .... but the only thing =
we
really need is a caching resolver.


>> If you want to do this, I would prefer a properly laid out action =
plan
>> as the import is by far the easiest but the integration into various
>> parts of the system is harder.
>=20
> BIND in the base today comes with a full-featured local resolver
> configuration, which I'm confident that Dag-Erling can do for unbound
> (and which I would be glad to assist with if needed). Other than that,
> what integration are you concerned about?

startup scripts; resolvconf, named.conf -> unbound.conf guides for our =
users,
and not solving the issue that we really want a DNSSEC enabled caching
resolver with libc APIs for applications to use DNSSEC in base that =
people
are working on.   We will probably need a crpyto and most likely also an
external dnssec speaking resolver library for this in the future, but
which of the 7 it will be we don't know yet.

/bz

--=20
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C>