Date:      Thu, 14 Nov 2002 13:29:30 +0100
From:      Philip Paeps <philip@paeps.cx>
To:        ports@FreeBSD.org
Subject:   Re: net/bind9 port and overwriting base-system?
Message-ID:  <20021114122930.GQ17974@juno.home.paeps.cx>
In-Reply-To: <3DD379AF.B6D90CCC@FreeBSD.org>
References:  <20021114010927.GP17974@juno.home.paeps.cx> <3DD379AF.B6D90CCC@FreeBSD.org>

On 2002-11-14 02:23:43 (-0800), Doug Barton <DougB@FreeBSD.org> wrote:
> Philip Paeps wrote:
> > Maybe this is a silly idea, or just plain impossible.  I haven't tried :-)
> > 
> > The lang/perl5 port includes a utility 'use.perl', with which one can
> > select which version of Perl to use, the one in the base-system, or the
> > one from the port.
> > 
> > Would something like that be feasible for net/bind9?
> 
> Yes. I have patches for this, but haven't had a chance to commit them yet.
> I'm also waiting on portmgr to commit a small patch for bsd.port.mk to make
> this a little easier (although I can work around that). The port will use
> the PORT_REPLACES_BASE_BIND9 define just like bind8 does now. 

That would be brilliant.  Though I'm still _extremely_ reluctant to upgrade to
BIND9 in production environments, I would like to give it a go under testing
conditions.  ISC has been 'strongly recommending' BIND9 for ages now, which
makes me worry about the 'lifetime' of BIND8.

> > (Getting BIND9 into the -STABLE basesystem would be nice too, but I guess
> > it's not going to happen anytime soon? 
> 
> BIND 9 will never go into RELENG_4, and isn't anywhere near ready for
> -current either. Here are my reasons:
> 
> 1. The devils you know are better than the devils you don't. BIND 8 has many
> orders of magnitude more hours of use in production, and hours of blackhats
> poking at it. This factor shouldn't be underestimated.

I agree with you.  I didn't want to open the can of worms again :-).  'Nice'
in my original message was a poor choice of words.  I much prefer a
known-to-be stable piece of software that's slightly outdated to a
claimed-to-be-stable piece of software packed with features that I don't
really need and with which I'm not familiar.

> 2. There are still stability concerns. It performs fairly well as an
> authoritative name server, but as a resolver, it falls down under load.  Of
> course, my load is a lot greater than average, but at the same time, bind 8
> doesn't fall over under it.

Mmm, this sounds a bit like the story of the times.  Software becoming more
and more bloated and us poor admins, with miserable budgets, having to run it
on the same hardware :-)

It's also a bit of a chicken/egg tale: as long as it underperforms, people
like me will be reluctant to try it.  Without enough people complaining about
sloth, there won't be much incentive for improvement.

> 3. BIND 9 is very resource hungry. Even as an authoritative server, it takes
> 2 to 3 times more memory to load the same data, and up till very recently
> the performance (in terms of queries per second) for both resolvers and
> auth. servers has been 2 or 3 times slower than bind 8.  Now it's down to
> only 1.5 to 2 times slower. The more recent bind 9.3.x snapshots have
> improved this somewhat, but the current focus of development in that branch
> is related to DNSSEC, not performance.

That worries me :-/

I run mainly authoritative nameservers, but it's critical that they perform,
or I get phone calls and people yelling at me.

What I _do_ like is that ISC seems to be focussing a bit more on security
these days.  I don't really need all the fancies of DNSSEC, I'm quite happy
just using shared secrets and all that jazz, but it's good to know that it's
there, and that people are putting time into it.  

> 4. That last point shouldn't be overlooked either. Almost all of the
> vulnerabilities found in BIND 8 over the last two years have been related to
> the cryptographic elements (DNSSEC and TSIG). The DS protocol hasn't even
> been finalized yet, and getting that working is going to be a primary focus
> for BIND 9.3 in order to finish DNSSEC. By moving to BIND 9 in the base we'd
> be early adopters of unknown, and rapidly changing bugs, and these are
> amongst the most difficult bugs to track down, even on a good day.

That's been my prime concern about upgrading.  I don't have a _clue_ about how
all these features work.  I have been using BIND8 for years, and I know pretty
well how it all fits together and what the nasties are.  BIND9 is loads more
complex and paranoid people like me will want to first have a damn good look
at it all before we upgrade production machines.

It would be great if you could get the patches to the port in the tree so it
at least makes studying things a bit easier on a test environment.  The more
eyes studying BIND9, the easier bugs will be found, and the quicker they'll
be fixed.  That's the theory, anyway :-)

> Hope this helps,

It does, thanks!  You've put my thoughts into words!

 - Philip

-- 
Philip Paeps                                          Please don't CC me, I am
philip@paeps.cx                                       subscribed to the list.

  The faster the plane,
  the narrower the seats.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021114122930.GQ17974>