Way forward with BIND 8
Matthew Dillon
dillon at apollo.backplane.com
Fri Jun 6 10:26:31 PDT 2003
Bind-9 should be the default in both -current and -stable. Bind-8 has
some serious, unfixable issues, the biggest of which is that
NS glue and additional-record returns are not properly separated out from
official glue and official record data in internal structures and can
poison the DNS cache. The second biggest problem has to do with the way
Bind-8 forwards responses from servers to clients without regenerating
them, leaving a path potentially open for hacked DNS sites to directly
corrupt programs. Nobody with any serious DNS needs should be using
bind-8 any more.
There are two issues with a changeover to bind-9. First, the bind-9
port does not properly install the new encrypted command/management
system (the equivalent to ndc in bind-8), and, second, there are some
differences in named.conf and zone file operation. That said, it only
took me an hour to convert my moderate DNS setup (serving four or five
domains) over to bind-9 a year or so ago.
But it is something I think needs to be done. Using the whole
-release/-stable mess as an excuse to not do it is a cop-out, especially
considering that there is still a huge amount of kernel work currently
being done that has nothing to do with the stabilization of critical
subsystems, and nobody is stopping that.
Another alternative is to make a clean break between 4.x and 5.x. The
point when the FreeBSD project goes to 6-current/5-stable is the point
when I have stated that I am going to make a decision whether to take
the 4.* branch series under my wing or not.
-Matt
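The cache-poisoning point above concerns out-of-bailiwick additional-section data being cached as if it were authoritative. The following is an added illustration, not BIND code and not part of the original post: a simplified bailiwick filter of the kind a resolver applies to glue and additional records, run over a constructed response for an assumed zone `example.com.` (the real checks also rank answers by trust level; that is omitted here).

```python
# Added example: simplified bailiwick filtering of additional-section records.
# Illustrates the separation the post says BIND 8 lacks; this is not BIND's
# own code, and all names and addresses below are constructed.
from typing import Dict, List, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone apex itself or lies below it."""
    r, z = _labels(record_name), _labels(zone)
    # A name is in bailiwick only if the zone's labels are a full suffix of it;
    # comparing labels (not substrings) keeps notexample.com out of example.com.
    return len(r) >= len(z) and r[len(r) - len(z):] == z


def filter_additional(zone: str, additional: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split additional records into cacheable glue and discarded out-of-bailiwick data.

    zone is the zone the responding server is authoritative for; anything in the
    additional section that does not fall under it must not enter the cache.
    """
    kept: List[Dict[str, str]] = []
    dropped: List[Dict[str, str]] = []
    for rr in additional:
        (kept if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    return kept, dropped


# Constructed response: an authoritative answer for example.com. whose additional
# section carries a legitimate glue A record plus an A record for a name outside
# the zone, the pattern a cache-poisoning attempt would rely on.
ZONE = "example.com."
ADDITIONAL = [
    {"name": "ns1.example.com.", "type": "A", "data": "192.0.2.1"},
    {"name": "www.victim.test.", "type": "A", "data": "192.0.2.99"},
]

if __name__ == "__main__":
    glue, rejected = filter_additional(ZONE, ADDITIONAL)
    print("cacheable glue:", [rr["name"] for rr in glue])
    print("rejected      :", [rr["name"] for rr in rejected])
```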
More information about the freebsd-arch mailing list