From owner-freebsd-security Mon Jan 29 19:15:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 6D88C37B400 for ; Mon, 29 Jan 2001 19:15:37 -0800 (PST) Received: (from root@localhost) by cage.simianscience.com (8.11.1/8.11.1) id f0U3Fal00721 for freebsd-security@freebsd.org; Mon, 29 Jan 2001 22:15:36 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (fcage [192.168.0.2]) by cage.simianscience.com (8.11.1/8.11.1av) with ESMTP id f0U3FTe00713 for ; Mon, 29 Jan 2001 22:15:30 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20010129221351.03331388@marble.sentex.net> X-Sender: mdtancsa@marble.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 29 Jan 2001 22:15:28 -0500 To: freebsd-security@freebsd.org From: Mike Tancsa Subject: RE: BIND 8.2.3 upgrade available In-Reply-To: <4.2.2.20010129175758.03255570@marble.sentex.net> References: <006901c08a45$30d64860$46010a0a@sysadmininc.com> <20010129143300.A38419@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:00 PM 1/29/2001 -0500, Mike Tancsa wrote: >At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote: >>Is there a big reason why anyone would not want to just go ahead and run >>bind 9? > >I dont think all the features are there yet. At least the last time I >looked at it, there were some things unimplemented. Also, the >configuration is not totally compatible. I also found it to be a little >unpredictable when I tried version 9.0.1. Perhaps its more stable now, >but I personally would wait another month or so for it to shake out. Here is a good summary from the NANOG list by Greg Wood on some of the things missing, and some of the things that are different. >From: woods@weird.com (Greg A. Woods) >[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ] > > Subject: Re: sorry to ruin several of your evenings... > > > > Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0 > > (sorry I purged some mails before their time). Just for the sake of > > readiness, be aware that there are some 8.x options which are unsupported > > in 9.x. I did an in-place upgrade and had to make a few (mostly > > insignificant) changes which may be problematic for larger sites. > > > > The global config entries I had to remove were: > > > > fake-iquery yes > > multiple-cnames yes > > rfc2308-type1 yes > > check-names slave ignore > > maintain-ixfr-base true > >That's just the beginning! :-) > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option >'memstatistics-file' is not yet implemented >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the >'auth-nxdomain' option is now 'no' >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option >'host-statistics' is not yet implemented >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is >obsolete >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is >not implemented >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'os' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'parser' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'load' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'panic' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'packet' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'eventlib' ignored > >I don't yet know if "host-statistics" is still necessary to be able to >see the source of an RR in a dump file, or not, but if so then that'll >be a road-block in keeping me from using 9.1.0 in production. > >I'm also very partial to 'check-names'. I've been happy using the >following in many locations: > > check-names master fail; > check-names slave fail; > check-names response fail; > > >Even more critically the old 'ndc' program has been replaced by 'rndc', >which won't work until you've configured it (/etc/rndc.conf) *and* you >add "controls" statements to your /etc/named.conf to allow it to >connect, authenticate, and send commands. There doesn't seem to be a >default way of setting it up for local-only control. I haven't done >this yet > >Even worse than that the new BIND-9 'named' not only doesn't handle >signals in the same way as previous versions, but it shuts down instead >of ignoring SIGINT (which used to generate a dump file, which is why >I've not yet successfully generated and viewed a dump file to see if the >source of the RR is recorded in there!). So: > > >WARNING: Anyone with scripts or other programs that use signals >(i.e. kill(1), or kill(2)) to control their named process will almost >certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its >mechanisms)! > > >You'll also find that the new named-checkconf fails if you use: > > options { > directory "/etc/namedb"; > }; > >and then try to do something like: > > include "named-rfc1918.conf"; > include "named-slave.conf"; > include "named-master.conf"; > >However the named process itself does seem to do the >chdir("/etc/namedb") before trying to do the "include"s, >and if you start named-checkconf from within the right >directory it'll work.... -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message