Date: Tue, 25 Nov 1997 19:30:19 -0500 (EST)
From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: gordon@drogon.net (Gordon Henderson)
Cc: hackers@freebsd.org
Subject: Re: BIND 8.1.1
Message-ID: <199711260030.TAA03805@skynet.ctr.columbia.edu>
In-Reply-To: <Pine.LNX.3.95.971125204643.13531A-100000@unicorn> from "Gordon Henderson" at Nov 25, 97 08:50:06 pm
Of all the gin joints in all the towns in all the world, Gordon Henderson
had to walk into mine and say:

> On Tue, 25 Nov 1997, Stephen Roome wrote:
>
> > On Tue, 25 Nov 1997 sthaug@nethelp.no wrote:
> > > As far as I know there are no *security* reasons to switch to 8.1.1 -
> > > the security fixes that are in 8.1.1 are also in 4.9.6. If you switch
> > > to 8.1.1 you're most likely doing it in order to use some of the new
> > > functionality in 8.1.1 - but the people who need the new features are
> > > going to have to tweak the named.conf file anyway.
> >
> > If there's no security implications then there's no rush, true, and if
> > no-one else is sending it out by default again, there's no rush.
> >
> > But when will it be the default? If there's no bugs (well, no serious ones
> > that have been found) then why delay ?

Consider for a moment that BIND includes more than just named and
named-xfer. There's also the client side resolver code, which needs to be
merged correctly into libc. In BIND 8.x, this is complicated by the
addition of IRS, the Information Retrieval System. (Don't be alarmed if
you've never noticed the irs directory in the BIND 8.x source distribution
before; I think even the implementors have forgotten about it, to the point
where they forgot to include an irs.conf(5) man page until I asked about it
on Usenet. :)

IRS is more or less the same thing as Sun's Name Service Switch, which is
part of Solaris 2.x. For those who don't know, in Solaris you have a file
called /etc/nsswitch.conf where you can specify things like:

passwd: files nis nisplus
group: files nis nisplus
hosts: files dns

This controls how the various getXXXbyname()/getXXXbyaddr()/getXXXent()
routines behave. For the 'hosts' case, gethostbyname(3) will first search
the /etc/hosts file, then, if that doesn't produce a match, it will do a
DNS lookup. If that in turn doesn't pan out, you get back an error.

IRS is similar in concept but a bit different in implementation: with Sun's
Name Service Switch, lookup methods are implemented as shared objects (.so
files) which can be dlopen()ed on the fly, thereby allowing user-defined
methods to be added without recompiling. IRS doesn't support this: if you
want to add a new method, you have to recompile libbind (or libc, if the
code is merged). If you have binaries linked statically with libbind, then
you have to recompile those too. IRS could probably be modified to support
the shared object approach, though care must be taken to ensure that it
would work correctly with statically linked objects (with older FreeBSD
releases, it wasn't possible to use dlopen()/dlsym() and friends in a
statically linked executable).

I for one want IRS because it will make adding support for NIS+ (and maybe
LDAP or, dare I say it, NDS) much easier, but incorporating it will take a
lot of work since it will require modifying a lot of src/lib/libc/gen,
possibly scrapping much of the getXXXent.c modules in favor of the IRS
equivalents. This in turn requires lots of testing to make sure nothing
gets horribly screwed up and that no existing functionality is lost.

Before somebody brings it up, yes I know the GNU libc (and hence Linux)
contains a name service switch implementation. I'd rather have IRS. 'Nuff
said.

> Converting the zone files from 4.X format to 8.x format might not be a
> trivial task for some people. True, there is a little perl script which
> will do the bulk of the work, but for an ISP who acts as secondary for
> 1000's of their customers zones, they also have to make sure that they can
> get the information in the right format from their customer!

I do a small amount of secondary service; the conversion script seemed to
do the right thing for me when I switched to 8.1.1. I'm a bit confused here
though: the _named config_ file format has changed, but the _zone file_
format shouldn't have. The 8.1.1 named liked my 4.9.6 zone files just
fine. Maybe I lead a charmed life.

> 8.1.1 compiles and installs out of the box on all FreeBSD's I've tried it
> on and it seems to work well, so I'm sure it will happen, but not right
> away...

I run it on SunOS 4.1.3 myself. Seems a bit less of a memory hog than
4.9.6.

Again, I'm not so much worried about switching named/named-xfer as I am
about merging the client side code into libc. I'm pretty sure this is Peter
Wemm's department. I'm also pretty sure he'd rather it wasn't. :)

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
=============================================================================
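The "hosts: files dns" behaviour Bill describes above (consult /etc/hosts first, fall through to DNS only on a miss, return an error when every source fails) is easy to model. The following Python is an added example written for this archive page; it is not code from the mail, from BIND's IRS, or from Sun's Name Service Switch. It parses a constructed nsswitch.conf and /etc/hosts, uses a constructed in-memory table as a stand-in for real DNS answers (the names under example.test and the 192.0.2.0/24 addresses are hypothetical), and shows why source order matters when the two sources disagree about a name.

```python
"""Model of Name Service Switch style 'hosts' lookup ordering.
Added example, not BIND/IRS or Sun NSS code: sources listed for
'hosts' are tried in order and the first hit wins."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample nsswitch.conf, mirroring the lines quoted in the mail.
NSSWITCH_CONF = """\
passwd: files nis nisplus
group:  files nis nisplus
hosts:  files dns
"""

# Constructed sample /etc/hosts; skynet.example.test is a hypothetical name.
HOSTS_FILE = """\
127.0.0.1   localhost
10.0.0.5    skynet skynet.example.test   # local override
"""

# Constructed stand-in for what a real DNS resolver would return
# (192.0.2.0/24 is the documentation range). It deliberately disagrees
# with /etc/hosts about skynet.example.test.
DNS_ZONE = {
    "skynet.example.test": "192.0.2.10",
    "www.example.test": "192.0.2.20",
}

LookupFn = Callable[[str], Optional[str]]


class HostNotFound(Exception):
    """Raised when every configured source misses (the 'error' case)."""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, group, hosts, ...) to its ordered sources."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        db, _, sources = line.partition(":")
        table[db.strip()] = sources.split()
    return table


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse /etc/hosts lines 'addr name [alias ...]' into name -> addr."""
    names: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, *aliases = fields
        ipaddress.ip_address(addr)               # reject malformed addresses
        for name in aliases:
            names.setdefault(name.lower(), addr)  # first line for a name wins
    return names


def files_source(hosts: Dict[str, str]) -> LookupFn:
    """The 'files' method: look the name up in the parsed /etc/hosts table."""
    return lambda name: hosts.get(name.lower().rstrip("."))


def dns_source(zone: Dict[str, str]) -> LookupFn:
    """The 'dns' method, backed here by the constructed zone table."""
    return lambda name: zone.get(name.lower().rstrip("."))


def gethostbyname(name: str, switch: Dict[str, List[str]],
                  methods: Dict[str, LookupFn]) -> Tuple[str, str]:
    """Try each 'hosts' source in order; return (address, source that hit).

    A source that is configured but has no implementation here (e.g. nis)
    is skipped so the lookup falls through to the next one.
    """
    for src in switch.get("hosts", ["files"]):
        method = methods.get(src)
        if method is None:
            continue
        addr = method(name)
        if addr is not None:
            return addr, src
    raise HostNotFound(name)


def build_methods() -> Dict[str, LookupFn]:
    return {"files": files_source(parse_hosts(HOSTS_FILE)),
            "dns": dns_source(DNS_ZONE)}


def resolve(name: str, conf: str = NSSWITCH_CONF) -> Tuple[str, str]:
    """Parse conf and resolve a single name through the configured sources."""
    return gethostbyname(name, parse_nsswitch(conf), build_methods())


if __name__ == "__main__":
    for host in ("localhost", "skynet.example.test", "www.example.test"):
        print(host, "->", resolve(host))
    # Reversing the order changes the answer for the conflicting name.
    print("dns first:", resolve("skynet.example.test", "hosts: dns files\n"))
    try:
        resolve("nosuch.example.test")
    except HostNotFound as exc:
        print("no such host:", exc)
```

With the default "files dns" order the /etc/hosts entry for skynet.example.test shadows the DNS answer; with "dns files" the DNS answer wins. That precedence is the point of the switch file, and it is also why an unexpected line in /etc/hosts is worth checking when a host resolves differently from what the zone says.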