Date: Thu, 14 Nov 2002 02:23:43 -0800
From: Doug Barton <DougB@FreeBSD.org>
To: Philip Paeps <philip@paeps.cx>
Cc: ports@FreeBSD.org
Subject: Re: net/bind9 port and overwriting base-system?
Message-ID: <3DD379AF.B6D90CCC@FreeBSD.org>
References: <20021114010927.GP17974@juno.home.paeps.cx>
Philip Paeps wrote:

> Maybe this is a silly idea, or just plain impossible. I haven't tried :-)
>
> The lang/perl5 port includes a utility 'use.perl', with which one can select
> which version of Perl to use, the one in the base-system, or the one from the
> port.
>
> Would something like that be feasible for net/bind9?

Yes. I have patches for this, but haven't had a chance to commit them yet. I'm also waiting on portmgr to commit a small patch for bsd.port.mk to make this a little easier (although I can work around that). The port will use the PORT_REPLACES_BASE_BIND9 define just like bind8 does now.

> (Getting BIND9 into the -STABLE basesystem would be nice too, but I guess it's
> not going to happen anytime soon?

BIND 9 will never go into RELENG_4, and isn't anywhere near ready for -current either. Here are my reasons:

1. The devils you know are better than the devils you don't. BIND 8 has many orders of magnitude more hours of use in production, and hours of blackhats poking at it. This factor shouldn't be underestimated.

2. There are still stability concerns. It performs fairly well as an authoritative name server, but as a resolver, it falls down under load. Of course, my load is a lot greater than average, but at the same time, bind 8 doesn't fall over under it.

3. BIND 9 is very resource hungry. Even as an authoritative server, it takes 2 to 3 times more memory to load the same data, and up till very recently the performance (in terms of queries per second) for both resolvers and auth. servers has been 2 or 3 times slower than bind 8. Now it's down to only 1.5 to 2 times slower. The more recent bind 9.3.x snapshots have improved this somewhat, but the current focus of development in that branch is related to DNSSEC, not performance.

4. That last point shouldn't be overlooked either. Almost all of the vulnerabilities found in BIND 8 over the last two years have been related to the cryptographic elements (DNSSEC and TSIG). The DS protocol hasn't even been finalized yet, and getting that working is going to be a primary focus for BIND 9.3 in order to finish DNSSEC. By moving to BIND 9 in the base we'd be early adopters of unknown, and rapidly changing bugs, and these are amongst the most difficult bugs to track down, even on a good day.

Hope this helps,

Doug