Replacing BIND with unbound 9.1 code freeze?)

Peter Jeremy peter at
Tue Jul 10 02:46:15 UTC 2012

Firstly, I should note that I'm not against removing bind from base.
I'm merely saying that users are going to need some guidance during
the transition.

On 2012-Jul-09 13:52:15 -0700, Doug Barton <dougb at> wrote:
>On 07/09/2012 13:47, Peter Jeremy wrote:
>> On 2012-Jul-09 14:15:13 +0200, in freebsd-security, "Andrej (Andy)
>> Brodnik" <andrej at> wrote:
>>> Excuse my ignorance - but is there a how-to paper on transition
>>> from bind to unbound for SOHO?
>You don't need to transition if you don't want to. Just install BIND
>from the ports.

IMHO, this is a cop-out.  If the default response to anyone asking a
question about transitioning is "install bind" then we might as well
leave bind in the base system.

As I see it, FreeBSD systems fall roughly into 3 categories:
1) Client systems that need to look up external DNS servers only.
2) SOHO systems that primarily do external lookups but need to
   be internally authoritative about their local network.
3) Systems that are primarily DNS servers.

The third category is clearly a "use ports" case - there's no need
for the base system to include all the tools necessary to build one
of the root nameservers.

The base system _must_ handle the first category - and I'll accept
advice from dougb@ & des@ that unbound is a good choice for this.  The
issues people seem to have with the change here are the user tools
to interface with DNS - currently dig(1), host(1) and nslookup(1) -
and des@ has now adequately covered this.

I think the majority of the remaining unease in this thread comes from
people who administer systems in the second category.  I (and I expect
lots of other people) use bind for this solely because it is in the
base system, not because it is the best tool for the job.

>> In particular, if unbound has no authoritative server capabilities,
>> what suggestions are there for handling the private hosts in a SOHO
>> environment?
>Stub and/or forward zones. The unbound docs have more information.

But unfortunately no tutorial guides.  Having looked at the online
copy of unbound.conf(5), it appears that unbound _does_ have some
limited server capabilities - this wasn't clear in the original
proposal.  It's not immediately clear to me whether it's adequate for
my purposes and, if it isn't, what I should use.  This is an area
where I expect there will be community input - potentially via the
FreeBSD wiki.

Peter Jeremy
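
The SOHO case discussed above (category 2), as an added unbound.conf sketch that is not part of the original message or of the FreeBSD or unbound projects' own material. It assumes the "limited server capabilities" are the local-zone/local-data options of unbound.conf(5); all names and addresses are constructed placeholders.

```conf
# Constructed example: lan.example, corp.example and 192.168.1.0/24 are placeholders.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1

    # Recurse only for the local network; refuse all other clients so the
    # resolver cannot be used as an open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Drop answers from outside that contain private addresses
    # (DNS rebinding defence). local-data below is exempt by default.
    private-address: 192.168.0.0/16

    # Locally served names for the private hosts. "static" means any name
    # under the zone that is not listed gets NXDOMAIN and is never sent upstream.
    local-zone: "lan.example." static
    local-data: "gateway.lan.example. IN A 192.168.1.1"
    local-data: "nas.lan.example. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.1 gateway.lan.example"
    local-data-ptr: "192.168.1.10 nas.lan.example"

    # Needed only for the stub zone below: let it return private addresses
    # and skip DNSSEC validation for an unsigned internal zone.
    private-domain: "corp.example."
    domain-insecure: "corp.example."

# The stub-zone approach from the quoted reply: hand one internal zone to an
# authoritative server that lives elsewhere (for example BIND or NSD from ports).
stub-zone:
    name: "corp.example."
    stub-addr: 192.168.1.53
```

Running `unbound-checkconf` against the file validates the syntax before the daemon is restarted.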