dns/bind* ports overwriting conf files

Doug Barton dougb at dougbarton.us
Sat Dec 28 01:18:45 UTC 2013


On 12/27/2013 04:00 PM, Mathieu Arnold wrote:
> +--On 25 December 2013 22:16:07 -0800 Doug Barton <dougb at dougbarton.us>
> wrote:
> | While looking at the UPDATING entry for the bdb mess (more on that later)
> | I happened to see this:
> |
> | 20131209:
> |    AFFECTS: users of dns/bind96, dns/bind98 and bind99 on FreeBSD 10.0
> |    AUTHOR: erwin at FreeBSD.org
> |
> |    Bind versions before 9.6.3.2.ESV.R10_2, 9.8.6_2, and 9.9.4_2 on
> |    FreeBSD 10.0 will replace named.conf on upgrade.  Make sure to
> |    backup any local changes before upgrading to the _2 versions.
> |
> | This is not Ok. FreeBSD ports are NEVER supposed to blindly overwrite
> | config files. Please fix this so that it conforms to over a decade of
> | policy that FreeBSD ports users should be able to safely depend on.
>
> That's ok, because FreeBSD 10.0 is not released yet, and the current
> version of the bind ports doesn't overwrite the config files.

It's not Ok under any circumstances. FreeBSD ports should NEVER blindly 
overwrite config files. Period, end of discussion.

There is no doubt that the work to remove BIND from the base and make 
the ports version robust on 10.x will be difficult due to the fact that 
the port relied on several things already being present in the default 
base install. However, "it's hard" is no excuse for not doing the work 
correctly.

What I proposed as part of this work years ago was to create something 
like a bind-config package that would (optionally) install the same 
default files and configuration for the port that are still in the base 
for [89].x. That way users who just wanted the old default local 
resolver could get that behavior easily, and users with other needs 
would not have to have it. I still think that's the easiest and least 
painful way to manage the transition, and would encourage Erwin to 
consider it. (For extra credit, a different but similar sort of port 
should be created to enable DNSSEC validation, and should include the 
root zone trust anchor, and a description of how the user can validate 
it for themselves.)

In any case even a _plan_ to overwrite conf files blindly is a bad idea. 
So much the better to fix it now before it actually bites any users.

Doug
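
Added example, not part of the original message and not code from the ports tree: one way an install step can avoid blindly overwriting a config file is to ship the default as a `.sample` copy and touch the live file only when it is absent or still byte-identical to the previously shipped default. The function name `install_sample` and the file names are hypothetical.

```shell
#!/bin/sh
# install_sample NEW_DEFAULT LIVE_CONF   (hypothetical helper, illustration only)
# Installs NEW_DEFAULT as LIVE_CONF.sample and writes LIVE_CONF only when that
# cannot destroy local changes. Prints the action taken:
#   created   - no live config existed, seeded from the new default
#   refreshed - live config was an unmodified copy of the old default
#   preserved - live config carries local changes and was left alone
install_sample() {
    src=$1
    live=$2
    sample="$live.sample"

    if [ ! -e "$live" ]; then
        # No live config yet: safe to seed it from the new default.
        action=created
    elif [ -f "$sample" ] && cmp -s "$live" "$sample"; then
        # Live file is byte-identical to the previously shipped default,
        # so it was never edited: safe to follow the new default.
        action=refreshed
    else
        # Live file differs from the old default, or there is no old
        # default to compare against: assume local changes and keep it.
        action=preserved
    fi

    # Always update the .sample copy so the admin can diff against it.
    cp "$src" "$sample" || return 1
    if [ "$action" != preserved ]; then
        cp "$sample" "$live" || return 1
    fi
    echo "$action"
}
```

When the result is `preserved`, the admin can compare the live file against the refreshed `.sample` and merge by hand.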