Howdy,

Traditionally for contributed software generally, and BIND in particular, we have tried to keep the major version of the contributed software consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the reasoning for this is obvious, we want to avoid POLA violations.

However this policy led to an unfortunate situation with FreeBSD 6 and BIND 9.3. We ended up "supporting" it long after the vendor's EOL date, both in ports and in the base. I have written previously about this issue being an inevitable result of the fact that our release engineering schedule and ISC's have both changed, and diverged. In RELENG_6 the problem was exacerbated by the fact that BIND 9.3 was such an old version that there was no clean upgrade path, users needed to make changes to configuration files, regression test, etc. Therefore the decision was made to live with the issue in RELENG_6.

We currently face a similar situation in RELENG_7, which has BIND 9.4-ESV; scheduled to EOL in May 2011. https://www.isc.org/software/bind/versions In contrast, BIND 9.6-ESV will be supported until March 2013. Additionally BIND 9.6 is a superset of 9.4, and users should not need to make any changes to their configuration files. In fact, at the moment src/etc/namedb is identical in head/, stable/8, and stable/7. There may be some differences in operation; for example in some situations BIND 9.6 can use more memory than an identically configured 9.4 server. But in the overwhelming number of situations users would simply be able to upgrade in place without concern.

In order to avoid repeating the scenario where we have a version of BIND in the base that is not supported by the vendor I am proposing that we upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.

There is an additional element to this decision that is relevant for users who wish to set up their resolving name servers for DNSSEC validation. BIND 9.6 is the oldest version that has (or will have) support for the algorithms and other features necessary for modern DNSSEC. While I do not think that the decision of changing BIND versions should turn exclusively on this element, I do think it is a factor that should be considered.

My purpose in writing this message is to solicit feedback from users who would be adversely affected if this change was made. Please do not devolve down the rathole of whether BIND should be removed from the base altogether. This is incredibly unlikely to happen for RELENG_7 or RELENG_8. The question of whether or not it should happen in HEAD prior to the eventual 9.0-RELEASE is a topic for another thread.

I am particularly interested in feedback from users with significant DNS usage that are still using 9.4, especially if you're using the version in the base. I would appreciate it if you could install 9.6 from the ports and at minimum run /usr/local/sbin/named-checkconf to see if any errors are generated. Of course it would be that much more helpful if you could also evaluate BIND 9.6 in operation in your environment.

Your feedback on the issue of upgrading BIND in RELENG_7 is welcome. Sooner is better. :)

Regards,

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
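A pre-upgrade check along the lines Doug asks for, as an added example that is not part of the thread and not one of FreeBSD's own scripts: it runs the base BIND 9.4 named-checkconf and the ports BIND 9.6 named-checkconf over the same named.conf (with -z, so the master zones are test-loaded too) and reports whether the newer checker rejects anything the older one accepts. The binary paths /usr/sbin/named-checkconf and /usr/local/sbin/named-checkconf, the config path /etc/namedb/named.conf, and the /var/named chroot are assumptions that match the FreeBSD defaults (the rc.d script's "-t /var/named" comes up later in the thread); -t requires root.

```shell
#!/bin/sh
# Added example, not from the thread: compare the verdicts of two
# named-checkconf binaries (base BIND 9.4 vs. ports BIND 9.6) on one config.
# Assumed FreeBSD defaults: base checker /usr/sbin/named-checkconf, ports
# checker /usr/local/sbin/named-checkconf, config /etc/namedb/named.conf,
# chroot /var/named (the rc.d script's "-t /var/named"; -t needs root).

# check_config CHECKCONF_BIN CONFIG_FILE [CHROOT_DIR]
# Runs one checker with -z (test-load all master zones named in the config)
# and, when CHROOT_DIR is given, -t so paths resolve as they do for named.
# Returns the checker's exit status, or 127 when the binary is not installed.
check_config() {
    bin=$1; conf=$2; chroot_dir=${3:-}
    if [ ! -x "$bin" ]; then
        echo "skip: $bin is not installed" >&2
        return 127
    fi
    rc=0
    if [ -n "$chroot_dir" ]; then
        "$bin" -z -t "$chroot_dir" "$conf" || rc=$?
    else
        "$bin" -z "$conf" || rc=$?
    fi
    return "$rc"
}

# compare_checkers OLD_BIN NEW_BIN CONFIG_FILE [CHROOT_DIR]
# Exit status: 0 both checkers accept the config (an in-place upgrade is
# safe as far as syntax goes); 1 only the new checker rejects it (the case
# to look at before switching versions); 3 the old checker already rejects
# it (fix the config first); 127 one of the checkers is missing.
compare_checkers() {
    old_bin=$1; new_bin=$2; conf=$3; chroot_dir=${4:-}
    old_rc=0; check_config "$old_bin" "$conf" "$chroot_dir" || old_rc=$?
    new_rc=0; check_config "$new_bin" "$conf" "$chroot_dir" || new_rc=$?
    if [ "$old_rc" -eq 127 ] || [ "$new_rc" -eq 127 ]; then
        return 127
    fi
    case "$old_rc,$new_rc" in
        0,0)
            echo "ok: $old_bin and $new_bin both accept $conf"
            return 0 ;;
        0,*)
            echo "ATTENTION: $new_bin rejects $conf (exit $new_rc) although $old_bin accepts it"
            return 1 ;;
        *)
            echo "config already fails under $old_bin (exit $old_rc); fix it before upgrading"
            return 3 ;;
    esac
}

# Usage (hypothetical file name compare-checkconf.sh):
#   sh compare-checkconf.sh /usr/sbin/named-checkconf \
#       /usr/local/sbin/named-checkconf /etc/namedb/named.conf /var/named
# With no arguments the script only defines the functions.
if [ $# -ge 1 ]; then
    compare_checkers "$@"
fi
```

The exit code is deliberately distinct for "new checker rejects, old accepts": that is the only outcome that means the upgrade itself introduces a problem, and it is the one worth reporting back on this thread; a config the old checker already rejects is a pre-existing bug, not a 9.6 regression.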
Doug Barton wrote:
> In order to avoid repeating the scenario where we have a version of BIND
> in the base that is not supported by the vendor I am proposing that we
> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.

I agree.

> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.

I already installed the ports' version of BIND 9.6 a few months ago on two stable/7 machines that are primary and secondary nameservers for a bunch of domains. It was a simple drop-in replacement, no problems whatsoever.

> Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
> Sooner is better. :)

I vote for the upgrade. It's easy and seamless for users, as far as I can tell, and it avoids problems in the long run. I agree with you that the situation that we had with FreeBSD 6 should be avoided.

Best regards
Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registration court Munich, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH, Commercial register: Registration court Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

C++: "an octopus made by nailing extra legs onto a dog" -- Steve Taylor, 1998
On 18.12.2010 11:41, Doug Barton wrote:
> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.
>
> Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
> Sooner is better. :)

I run several DNS servers based on FreeBSD+bind. One of them is FreeBSD 7.3-STABLE and bind-9.4. It's a public primary server for two zones (one forward and one reverse) and public secondary for several others; plus it's a recursive caching DNS server for users, low-loaded.

I've just updated the ports tree and installed dns/bind96. /usr/local/sbin/named-checkconf shows no messages at all. I've restarted bind using the ports version. All seems OK. I'll write back if problems arise.

About upgrading the bind version in RELENG_7, I'm for it.

Btw, I've run one bind96 server/4.11-STABLE for a long time (and even one bind95/4.11-STABLE) and six 6.11-STABLE servers with stock bind93 ;-) Never had a problem with them.

Eugene Grosbein
On Fri, Dec 17, 2010 at 09:41:54PM -0800, Doug Barton wrote:
> Howdy,
>
> Traditionally for contributed software generally, and BIND in particular
> we have tried to keep the major version of the contributed software
> consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the
> reasoning for this is obvious, we want to avoid POLA violations.

Actually not. My own POV is that we should follow the vendor release cycle, and not the FreeBSD release cycle, for the contributed software. I do not advocate immediate upgrade of third-party software that reached its EOL, but I think that we should do this without pushback if the maintainer considers the upgrade necessary.
Hello Doug, List,

I confirm the upgrade from 94 to 96 is very minor. I'm running several fbsd8.0 and 8.1 servers but I still have a 7.2-STABLE box here. I just upgraded from the ports collection's 9.4.4.ESV.2 to 9.6.3.ESV3. named-checkconf doesn't report any error, neither does checkzone. I started the new named daemon successfully and can still resolve just fine, both with recursion from localhost and without from external hosts.

Please note that I was using 94 from ports and not the base system, but either way I haven't made a single change to my configuration files.

I am also in favor of upgrading the base system's version of BIND to 9.6.

-- 
Damien

On 12/18/10 6:41 AM, Doug Barton wrote:
> Howdy,
>
> Traditionally for contributed software generally, and BIND in particular
> we have tried to keep the major version of the contributed software
> consistent throughout a given RELENG_$N branch of FreeBSD. Hopefully the
> reasoning for this is obvious, we want to avoid POLA violations.
>
> However this policy led to an unfortunate situation with FreeBSD 6 and
> BIND 9.3. We ended up "supporting" it long after the vendor's EOL date,
> both in ports and in the base. I have written previously about this
> issue being an inevitable result of the fact that our release
> engineering schedule and ISC's have both changed, and diverged. In
> RELENG_6 the problem was exacerbated by the fact that BIND 9.3 was such
> an old version that there was no clean upgrade path, users needed to
> make changes to configuration files, regression test, etc. Therefore the
> decision was made to live with the issue in RELENG_6.
>
> We currently face a similar situation in RELENG_7, which has BIND
> 9.4-ESV; scheduled to EOL in May 2011.
> https://www.isc.org/software/bind/versions In contrast, BIND 9.6-ESV
> will be supported until March 2013. Additionally BIND 9.6 is a superset
> of 9.4, and users should not need to make any changes to their
> configuration files. In fact, at the moment src/etc/namedb is identical
> in head/ stable/8, and stable/7. There may be some differences in
> operation; for example in some situations BIND 9.6 can use more memory
> than an identically configured 9.4 server. But in the overwhelming
> number of situations users would simply be able to upgrade in place
> without concern.
>
> In order to avoid repeating the scenario where we have a version of BIND
> in the base that is not supported by the vendor I am proposing that we
> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.
>
> There is an additional element to this decision that is relevant for
> users who wish to set up their resolving name servers for DNSSEC
> validation. BIND 9.6 is the oldest version that has (or will have)
> support for the algorithms and other features necessary for modern
> DNSSEC. While I do not think that the decision of changing BIND versions
> should turn exclusively on this element, I do think it is a factor that
> should be considered.
>
> My purpose in writing this message is to solicit feedback from users who
> would be adversely affected if this change was made. Please do not
> devolve down the rathole of whether BIND should be removed from the base
> altogether. This is incredibly unlikely to happen for RELENG_7 or
> RELENG_8. The question of whether or not it should happen in HEAD prior
> to the eventual 9.0-RELEASE is a topic for another thread.
>
> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.
>
> Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
> Sooner is better. :)
>
>
> Regards,
>
> Doug
On 12/18/2010 12:41 AM, Doug Barton wrote:
>
> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.

It's significant to us, but not compared to large orgs usage wise :) IFF we had to make any config changes on this end we would view it as work that would eventually need to be done regardless.

That being said, the new named-checkconf seems happy on our main servers (~2,000 zones each) so we would welcome this update to RELENG_7.

---Mike
In article <4D0C49A2.4000203@FreeBSD.org>, dougb@freebsd.org writes:
>In order to avoid repeating the scenario where we have a version of BIND
>in the base that is not supported by the vendor I am proposing that we
>upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.

+1

All users are going to want working DNSsec soon, if they don't already, and that requires 9.6. (In fact, we should start shipping with DNSsec enabled by default and the root key pre-configured, if we aren't already doing so.)

-GAWollman

-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
wollman@bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners? - S.J. Gould, 1993
Hi--

On Dec 17, 2010, at 9:41 PM, Doug Barton wrote:
> In order to avoid repeating the scenario where we have a version of BIND
> in the base that is not supported by the vendor I am proposing that we
> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7.

+1

> I am particularly interested in feedback from users with significant DNS
> usage that are still using 9.4, especially if you're using the version
> in the base. I would appreciate it if you could install 9.6 from the
> ports and at minimum run /usr/local/sbin/named-checkconf to see if any
> errors are generated. Of course it would be that much more helpful if
> you could also evaluate BIND 9.6 in operation in your environment.

dns/bind-9.6 seems to work better for me than the 7-STABLE base version of BIND. [1] No errors from named-checkconf. "make test" (under /usr/ports/dns/bind96/work/bind-9.6-ESV-R3/bin/tests after running .../system/ifconfig.sh up) passed all of the tests; and normal operation serving zones and so forth also works fine.

One gripe is that stopping via rc script fails:

  # grep named /etc/rc.conf
  named_enable="YES"
  named_program="/usr/local/sbin/named"
  # /etc/rc.d/named stop
  named not running? (check /var/run/named/pid).

...because of the "-t /var/named", probably. Is there a symlink or something I can do to fix this?

Regards,
-- 
-Chuck

[1]: I did some comparisons, and it appears the max-cache-size option wasn't being honored by base named (claims to be BIND 9.4.-ESV-R4) from:

  FreeBSD example.com 7.4-PRERELEASE FreeBSD 7.4-PRERELEASE #1: Tue Dec 14 19:55:55 EST 2010

...whereas top showed that named from dns/bind-9.6 filled its cache under load until it reached the max-cache-size plus a chunk for the recursive clients, and then remained at a stable size afterwards.
On Dec 17, 2010, at 23:41 , Doug Barton wrote:
> Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
> Sooner is better. :)

Seriously? For RELENG_7 which is going to be with us a long time. Looks like we have a bunch of DNS mongers here that have tested out their stuff with RELENG_8 to no apparent "omg, iceberg" ill-effect.

Light blue touch paper. Stand back.

-aDe
On Fri, Dec 17, 2010 at 09:41:54PM -0800, Doug Barton thus spake:
>Your feedback on the issue of upgrading BIND in RELENG_7 is welcome.
>Sooner is better. :)

Does this mean that BIND would be updated in RELENG_7_x, as well, for the supported branches? I understand that they aren't security updates, per se, however it is an EOL issue as you have pointed out. I'm not certain if this could possibly fall under errata, but it does seem appropriate that if the branch isn't reaching EOL, and if third-party software will, it should be dealt with in some way for supporting the community through the RELENG_7_x tag.

Just some thoughts...

-- 
Jason Helfman
Thanks to everyone who replied, the feedback was very useful. Unfortunately I have missed the deadline for getting this into 7.4, so the current thinking is that I will do the update after the release is cut so that those who need to stay with the RELENG_7 branch through its EOL will at least have the BIND 9.6.x version available in 7-stable.

I should also mention that regardless of the timing of the update in RELENG_7 I plan to remove the dns/bind94 port when that version of BIND EOLs. This is an intentional departure from how I did it with RELENG_6 and dns/bind9, so I thought it was worth pointing that out. :)

hth,

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/