Future plans for BIND versions in the base, and DNSSEC readiness

Doug Barton dougb at FreeBSD.org
Mon Feb 22 04:45:06 UTC 2010



Howdy,

This message is to describe the current status of BIND support in
FreeBSD, list my plans for the future, and solicit comments from the
community. If you have any feedback, particularly if you disagree with
my proposed course of action, please speak up sooner rather than later.

In the past, the release policies for both FreeBSD and BIND were quite
different from what they have evolved into. In the last few years both
FreeBSD and BIND have done major version releases on a much more
aggressive schedule, and the policies for what does and does not go into
a major version release have been modified. With the larger number of
extant BIND releases, ISC has also updated their End of Life (EOL)
policies for older versions.

Given that all up to date versions of BIND (and other name server
software options) are available in the ports tree, and given the desire
not to violate POLA for our users by making changes to the BIND version
in a given branch, we have traditionally made the decision not to update
them.

The current status of our supported branches is as follows:

FreeBSD Version | BIND Version | BIND Status
----------------+--------------+------------------------------
       6        |  9.3.6-P1    | EOL
       7        |  9.4-ESV     | Supported through 2010-12-31
       8        |  9.6.1-P3    | Active development
    HEAD        |  9.6.1-P3    | Active development

The new development in that list is the 9.4-ESV version. You can see
ISC's policy on Extended Support Versions at
https://www.isc.org/softwaresupportpolicy. This is a new policy for them
to provide a longer time period of support for certain versions. This
9.4-ESV will not be supported for the full 3 years, so after 2010-12-31
FreeBSD 7 users with serious DNS needs will either have to upgrade to a
newer FreeBSD version or they will have to use a supported version of
BIND (or another name server) from ports, the same way that FreeBSD 6
users need to do now. The upcoming DNSSEC signing of the root zone will
likely make such an upgrade necessary anyway (see below).

For FreeBSD version 8 there will be at least one more regular release of
BIND 9.6 (9.6.2), and that -ESV version will be supported for 3 years
after it is released. Therefore in all likelihood we will have full
support for BIND 9.6 throughout the lifetime of FreeBSD version 8.

BIND version 9.7.0 is the latest new-feature release from ISC. The major
differences between this version and 9.6 have to do with better support
for DNSSEC, including better automation support for "unattended"
signing. A more detailed list of 9.7's new features is available at
https://www.isc.org/software/bind/new-features/9.7. My plan is to import
BIND 9.7 into HEAD. Assuming that it is still the most current BIND
version when FreeBSD 9-RELEASE is ready to go it's the version that it
will be released with. This should hopefully allow that version of
FreeBSD to have a supported version of BIND throughout its lifetime as well.

DNSSEC Considerations
---------------------

I think most people are familiar with the concept of DNSSEC. It provides
cryptographic signatures on DNS responses that allow resolving name
servers with the right software to be sure that the answer they received
is the same one that the domain holder intended. While there are many
early adopters of DNSSEC today, including many Top Level Domains (TLDs),
the linchpin event that most people are waiting for in order to get
really excited about DNSSEC deployment is the signing of the root zone.
The plans for this have been laid, and the first stages of the
deployment of the signed zone are already under way. You can read all
about these plans, and the projected timetable, at
http://www.root-dnssec.org/. The key elements of the timetable are that
by the end of May all root name servers will be serving a zone that
contains DNSSEC signatures, although they will be unvalidatable (for a
variety of complicated reasons outside the scope of this document).
Assuming that there are no show-stopping problems in the initial
deployment phases, by July 1st the real root zone keys will have been
published, and the real zone will be signed on the root name servers.

There are two implementation details of DNSSEC signing of the root zone
that are important for people interested in configuring their resolvers
for validation to begin planning for now. The first is the much greater
size of the DNS responses that include DNSSEC information. Any name
server software that is modern enough to support DNSSEC also implements
something called EDNS, which allows name servers to operate with UDP
packet sizes up to 4096 bytes, much greater than the 512 bytes
that were specified in the earliest DNS standards. Unfortunately,
although the EDNS standard has been around for a long time, there are
still many "middleboxes" (firewalls, broadband routers, etc.) that have
problems with these larger responses. You can test your network by using
the tools and techniques described at the following sites:
https://www.dns-oarc.net/oarc/services/replysizetest
http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues
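As an added illustration (not part of Doug's message or of BIND), here is a small Python 3 script that builds a DNSKEY query carrying an EDNS0 OPT record with a 4096-byte advertised buffer and the DO bit set, then summarizes the reply (size, TC bit, rcode, the responder's own advertised EDNS size) so you can see whether a path is clamping DNSSEC-sized answers back toward 512 bytes. The resolver address and query name are supplied by you; the wire layout follows the DNS and EDNS0 specifications.

```python
"""Probe whether a resolver path copes with DNSSEC-sized EDNS responses."""
import random
import socket
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type
DO_FLAG = 0x8000   # "DNSSEC OK" bit, high bit of the OPT flags (in the TTL field)
TC_FLAG = 0x0200   # truncation bit in the DNS header flags

def encode_name(name):
    """Encode a dotted name into DNS label format (the root "." becomes b"\\x00")."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=48, udp_size=4096, do=True):
    """Build a recursive query (default type 48 = DNSKEY) plus an OPT record."""
    header = struct.pack(">HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)   # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt

def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += length + 1

def summarize(data):
    """Pull size, TC bit, rcode, answer count and the peer's EDNS buffer size from a message."""
    _ident, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        if rtype == OPT_TYPE:
            edns_size = rclass                   # OPT CLASS carries the UDP payload size
        pos += 10 + rdlen
    return {"size": len(data), "truncated": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "answers": an, "edns_size": edns_size}

def probe(server, name=".", udp_size=4096, timeout=3.0):
    """Send one DNSKEY query over UDP to server:53 and summarize whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, udp_size=udp_size), (server, 53))
        data, _ = sock.recvfrom(65535)
    return summarize(data)
```

A reply with the TC bit set, or one whose size never exceeds 512 bytes when you know the zone's DNSKEY set is larger, points at a middlebox (or a resolver) that cannot pass full EDNS responses; a timeout usually means the large UDP packet was dropped outright.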

The other important issue with the DNSSEC signing of the root zone (and
the reason for including it here) is the key protocol that will be used.
The RSA/SHA256 key protocol was only recently codified in an RFC, and
BIND version 9.7.0 is the first release version of BIND to support it.
This support will be backported to version 9.6.2 as well; however, it
will not be ported to 9.4-ESV. Therefore users of FreeBSD 6 and 7 who
wish to validate DNSSEC signatures will either have to update to FreeBSD
8 or 9, or they will have to update their name server software via the
ports.

I hope that this overview is useful.


Regards,

Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/
