Results of BIND RFC

Doug Barton dougb at
Thu Apr 1 22:17:02 UTC 2010


On February 21 I sent a message to freebsd-arch at detailing
the current state of BIND on FreeBSD, and plans for the future. You can
see that message here:

In that message I asked for feedback on my plans for dealing with BIND
in the base. There wasn't much response on the lists, however I did
receive a great deal of response privately, all more or less to the
effect of, "Do we really need to continue having BIND in the base at
all?" After careful consideration and private discussion about this
issue the conclusion has been reached that the answer to this question
is, "No." Therefore we will be removing BIND from the FreeBSD base.


"Back in the day" when the FreeBSD project started there was really only
one show in the DNS town, BIND. In the last 10 years several truly
viable, first-class DNS options have been developed, in both the
authoritative and resolving server spaces. There are ports available for
each of these options, and many FreeBSD users take advantage of them.
There are of course also ports available for all supported BIND
versions, as well as dns/bind9 for BIND version 9.3 which has been
EOL'ed by ISC but is still in FreeBSD version 6.

This also leads to the issue mentioned in the post above, the
desynchronization between FreeBSD and ISC release schedules. While
FreeBSD 6 is scheduled to EOL in November of this year, it contains BIND
version 9.3.6-P1, which has long been EOL. There are a number of
problems related to upgrading the version of BIND in a release branch of
FreeBSD. Given the ease with which FreeBSD users can upgrade BIND with
the ports tree, and given the characteristics of the vulnerabilities
that have come to light with BIND 9.3.x to date, this hasn't been a
problem. There is no guarantee that this will continue to be the case.
This problem will reappear again in FreeBSD version 7 with BIND 9.4, and
FreeBSD version 8 with BIND 9.6.


This change will have several advantages.

1) Users of all FreeBSD versions will be able to have easy access to the
latest versions of BIND, and an easy upgrade path that does not involve
a full OS upgrade.
2) The release synchronization problem mentioned above will no longer be
a problem.
3) Users of other DNS solutions will no longer need to customize their
build using the various WITH/WITHOUT_BIND* knobs.


Of course this change will have some costs. Users of named who rely on
the current defaults will have some change management to deal with,
however the costs will be minimal. The one area that has come up
repeatedly in previous discussions about this topic is that users like
having access to the command line tools dig, host, and nslookup. To deal
with that issue I will be creating a bind-tools port so that those who
want just those tools can easily add them, without the overhead of the
rest of the BIND suite. If anyone has suggestions for other BIND tools
that should be included in the port, please let me know.


I will be removing BIND from HEAD today. Removal from the other branches
will occur far enough in advance of their upcoming releases to ensure
that the users have a chance to shake things out first. I'll also be
committing the bind-tools and bind-config ports today so that users will
continue to have easy access to the work I've done on named.conf,
rc.d/named, etc.

I have been maintaining BIND in the base for almost 8 years now, and
while it's been challenging in a lot of ways, it's also been a great
privilege to be able to help the FreeBSD community in this way. I can't
say that I'll miss the drama of src updates though. :)

Many happy returns of the day,


-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!


More information about the freebsd-current mailing list