From: Colin Faber
Reply-To: cfaber@fpsn.net
Organization: fpsn.net, Inc.
Date: Mon, 29 Jan 2001 21:46:27 -0700
To: Marius Strom
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: BIND9 Migration from BIND8 (Was: BIND 8.2.3 upgrade available)
Message-ID: <3A764723.DCF37DD2@fpsn.net>

Thanks.

Marius Strom wrote:
> I've posted the migration text file out of the bind-9.1.0 package at
> http://www.marius.org/~marius/unix/migration should anyone care for
> ISC's full details without downloading the full archive.
>
> On Mon, Jan 29, 2001 at 10:15:28PM -0500, Mike Tancsa wrote:
> > At 06:00 PM 1/29/2001 -0500, Mike Tancsa wrote:
> > >At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote:
> > >>Is there a big reason why anyone would not want to just go ahead and run
> > >>bind 9?
> > >
> > >I don't think all the features are there yet. At least the last time I
> > >looked at it, there were some things unimplemented. Also, the
> > >configuration is not totally compatible. I also found it to be a little
> > >unpredictable when I tried version 9.0.1. Perhaps it's more stable now,
> > >but I personally would wait another month or so for it to shake out.
> >
> > Here is a good summary from the NANOG list by Greg Wood on some of the
> > things missing, and some of the things that are different.
> >
> > >From: woods@weird.com (Greg A. Woods)
> > >[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ]
> > > > Subject: Re: sorry to ruin several of your evenings...
> > > >
> > > > Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0
> > > > (sorry I purged some mails before their time). Just for the sake of
> > > > readiness, be aware that there are some 8.x options which are unsupported
> > > > in 9.x. I did an in-place upgrade and had to make a few (mostly
> > > > insignificant) changes which may be problematic for larger sites.
> > > >
> > > > The global config entries I had to remove were:
> > > >
> > > >     fake-iquery yes
> > > >     multiple-cnames yes
> > > >     rfc2308-type1 yes
> > > >     check-names slave ignore
> > > >     maintain-ixfr-base true
> > >
> > >That's just the beginning! :-)
> > >
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'memstatistics-file' is not yet implemented
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the 'auth-nxdomain' option is now 'no'
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'host-statistics' is not yet implemented
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is obsolete
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is not implemented
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'os' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'parser' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'load' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'panic' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'packet' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'eventlib' ignored
> > >
> > >I don't yet know if "host-statistics" is still necessary to be able to
> > >see the source of an RR in a dump file, or not, but if so then that'll
> > >be a road-block in keeping me from using 9.1.0 in production.
> > >
> > >I'm also very partial to 'check-names'. I've been happy using the
> > >following in many locations:
> > >
> > >    check-names master fail;
> > >    check-names slave fail;
> > >    check-names response fail;
> > >
> > >Even more critically the old 'ndc' program has been replaced by 'rndc',
> > >which won't work until you've configured it (/etc/rndc.conf) *and* you
> > >add "controls" statements to your /etc/named.conf to allow it to
> > >connect, authenticate, and send commands. There doesn't seem to be a
> > >default way of setting it up for local-only control. I haven't done
> > >this yet.
> > >
> > >Even worse than that the new BIND-9 'named' not only doesn't handle
> > >signals in the same way as previous versions, but it shuts down instead
> > >of ignoring SIGINT (which used to generate a dump file, which is why
> > >I've not yet successfully generated and viewed a dump file to see if the
> > >source of the RR is recorded in there!). So:
> > >
> > >WARNING: Anyone with scripts or other programs that use signals
> > >(i.e. kill(1), or kill(2)) to control their named process will almost
> > >certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its
> > >mechanisms)!
> > >
> > >You'll also find that the new named-checkconf fails if you use:
> > >
> > >    options {
> > >        directory "/etc/namedb";
> > >    };
> > >
> > >and then try to do something like:
> > >
> > >    include "named-rfc1918.conf";
> > >    include "named-slave.conf";
> > >    include "named-master.conf";
> > >
> > >However the named process itself does seem to do the
> > >chdir("/etc/namedb") before trying to do the "include"s,
> > >and if you start named-checkconf from within the right
> > >directory it'll work....
> >
> > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Network Administration, mike@sentex.net
> > Sentex Communications www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike
>
> --
> Marius Strom
> Professional Geek/Unix System Administrator
> URL: http://www.marius.org/
> http://www.marius.org/marius.pgp 0x55DE53E4
>
> "Never underestimate the bandwidth of a mini-van full of DLT
> tapes traveling down the highway at 65 miles per hour..."
> -Andrew Tanenbaum, "Computer Networks"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
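As an added pre-migration check (not code from this thread or from ISC), the following Python scans a BIND 8 named.conf for the options and logging categories the quoted messages report as unsupported, not implemented, obsolete or ignored by BIND 9.1.0, notes the changed auth-nxdomain default, and reports the directory named-checkconf must be run from so relative includes resolve. The option lists and the sample configuration are assumptions built from this thread only and are not a complete list of BIND 9 changes.

```python
import re

# BIND 8 options the thread reports BIND 9.1.0 rejecting, ignoring or not
# implementing. Built from the quoted list and log lines; not exhaustive.
LEGACY_OPTIONS = {
    **dict.fromkeys(("fake-iquery", "multiple-cnames", "rfc2308-type1",
                     "maintain-ixfr-base"), "unsupported in 9.x"),
    **dict.fromkeys(("check-names", "memstatistics-file", "host-statistics"),
                    "not (yet) implemented"),
    "use-id-pool": "obsolete",
}
LEGACY_LOG_CATEGORIES = {"os", "parser", "load", "panic", "packet", "eventlib"}

def strip_comments(text):  # /* */, // and # comments must not trigger findings
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def find_legacy(text):
    """Return (kind, name, note) for each BIND 8 construct BIND 9 will not honour."""
    body = strip_comments(text)
    found = [("option", n, note) for n, note in LEGACY_OPTIONS.items()
             if re.search(r"\b%s\b" % re.escape(n), body)]
    found += [("logging-category", m.group(1), "unknown in 9.x, ignored")
              for m in re.finditer(r"\bcategory\s+([\w-]+)\s*\{", body)
              if m.group(1) in LEGACY_LOG_CATEGORIES]
    if not re.search(r"\bauth-nxdomain\b", body):  # default flipped to 'no'
        found.append(("default-changed", "auth-nxdomain", "default is now 'no'"))
    return found

def checkconf_dir(text):  # where to cd before named-checkconf, and which includes need it
    body = strip_comments(text)
    d = re.search(r'\bdirectory\s+"([^"]+)"', body)
    includes = re.findall(r'\binclude\s+"([^"/]+)"', body)  # relative paths only
    return (d.group(1) if d else None, includes)

# Constructed sample of a BIND 8 era named.conf; not taken from the thread.
SAMPLE_CONF = """
options {
    directory "/etc/namedb";
    fake-iquery yes;
    multiple-cnames yes;
    check-names slave ignore;
    memstatistics-file "named.memstats";
};
logging {
    category os { default_syslog; };
};
include "named-rfc1918.conf";
include "/etc/namedb/named-master.conf";
"""
```

Running find_legacy(SAMPLE_CONF) lists four options, the 'os' category and the auth-nxdomain default change; checkconf_dir(SAMPLE_CONF) says to run named-checkconf from /etc/namedb because of the one relative include.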