Are there plans to pull the following into head before the code freeze for 9.1?

BIND 9.9.1p1
OpenSSH 6.0p1
IPFilter 5.1.1

Robert Simmons <rsimmons0@gmail.com> writes:
> OpenSSH 6.0p1

No. It doesn't build cleanly on FreeBSD (I reported two issues during the pre-release cycle, one was fixed but the other was not), and even if it did, it's too big a change to push through on such short notice.

DES
--
Dag-Erling Smørgrav - des@des.no

On 07/02/2012 19:08, Robert Simmons wrote:
> Are there plans to pull the following into head before the code freeze for 9.1?
>
> BIND 9.9.1p1

We never change the version of BIND in a release branch. The 9.8 version that's there is up to date.

The correct solution to this problem is to remove BIND from the base altogether, but I have no energy for all the whinging that would happen if I tried (again) to do that.

Doug

--
This .signature sanitized for your protection

Doug Barton
2012-Jul-08 09:33 UTC
Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
On 07/07/2012 17:47, Darren Pilgrim wrote:
> On 2012-07-07 16:45, Doug Barton wrote:
>> Also re DNSSEC integration in the base, I've stated before that I
>> believe very strongly that any kind of hard-coding of trust anchors as
>> part of the base resolver setup is a bad idea, and should not be done.
>> We need to leverage the ports system for this so that we don't get stuck
>> with a scenario where we have stale stuff in the base that is hard for
>> users to upgrade.
>
> Considering the current root update cert bundle has a 20-year root CA
> and 5-year DNSSEC and email CAs,

Neither of which has any relevance to the actual root zone ZSK, which could require an emergency roll tomorrow.

> I don't think it's unreasonable to
> maintain a copy of icannbundle.pem in the source tree

Again, that has nothing to do with the actual ZSK, other than providing a way to validate the *existing* one. That's not the issue, at all.

--
This .signature sanitized for your protection

On 9 July 2012 16:16, Mark Felder <feld@feld.me> wrote:
> On Mon, 09 Jul 2012 05:39:37 -0500, Dag-Erling Smørgrav <des@des.no> wrote:
>
>> What sort of benchmarks do you envision? Unlike named, unbound is
>> intended to serve only one client (localhost) or a small number of
>> clients (a SOHO).
>
> Highly disagree; we use it (ISP) as our resolving nameserver for all of our
> customers.

As Doug has pointed out, you can always get BIND from a port; not every installation requires a heavyweight resolver.

Chris