RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x

Damien ml at my.gd
Sat Dec 18 13:56:52 UTC 2010


Hello Doug, List,


I confirm the upgrade from 94 to 96 is very minor.
I'm running several fbsd8.0 and 8.1 servers but I still have a
7.2-STABLE box here.

I just upgraded from the ports collection 9.4.4.ESV.2 to 9.6.3.ESV3.
named-checkconf doesn't report any error, neither does checkzone.

I started the new named daemon successfully and can still resolve just
fine, both with recursion from localhost and without from external hosts.
Please note that I was using 94 from ports and not the base system, but
either way I haven't made a single change to my configuration files.

I am also in favor of upgrading the base system's version of BIND to 9.6.

--
Damien

On 12/18/10 6:41 AM, Doug Barton wrote:
> Howdy,
> 
> Traditionally for contributed software generally, and BIND in particular
> we have tried to keep the major version of the contributed software
> consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the
> reasoning for this is obvious, we want to avoid POLA violations.
> 
> However this policy led to an unfortunate situation with FreeBSD 6 and
> BIND 9.3. We ended up "supporting" it long after the vendor's EOL date,
> both in ports and in the base. I have written previously about this
> issue being an inevitable result of the fact that our release
> engineering schedule and ISC's have both changed, and diverged. In
> RELENG_6 the problem was exacerbated by the fact that BIND 9.3 was such
> an old version that there was no clean upgrade path, users needed to
> make changes to configuration files, regression test, etc. Therefore the
> decision was made to live with the issue in RELENG_6.
> 
> We currently face a similar situation in RELENG_7, which has BIND
> 9.4-ESV; scheduled to EOL in May 2011.
> https://www.isc.org/software/bind/versions In contrast, BIND 9.6-ESV
> will be supported until March 2013. Additionally BIND 9.6 is a superset
> of 9.4, and users should not need to make any changes to their
> configuration files. In fact, at the moment src/etc/namedb is identical
> in head/, stable/8, and stable/7. There may be some differences in
> operation; for example in some situations BIND 9.6 can use more memory
> than an identically configured 9.4 server. But in the overwhelming
> number of situations users would simply be able to upgrade in place
> without concern.
> 
> In order to avoid repeating the scenario where we have a version of BIND
> in the base that is not supported by the vendor I am proposing that we
> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
> 
> There is an additional element to this decision that is relevant for
> users who wish to set up their resolving name servers for DNSSEC
> validation. BIND 9.6 is the oldest version that has (or will have)
> support for the algorithms and other features necessary for modern
> DNSSEC. While I do not think that the decision of changing BIND versions
> should turn exclusively on this element, I do think it is a factor that
> should be considered.
> 
> My purpose in writing this message is to solicit feedback from users who
> would be adversely affected if this change was made. Please do not
> devolve down the rathole of whether BIND should be removed from the base
> altogether. This is incredibly unlikely to happen for RELENG_7 or
> RELENG_8. The question of whether or not it should happen in HEAD prior
> to the eventual 9.0-RELEASE is a topic for another thread.
> 
> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.
> 
> Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
> Sooner is better. :)
> 
> 
> Regards,
> 
> Doug
> 
_______________________________________________
freebsd-stable at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

