Date:      Mon, 29 Jan 2001 22:39:43 -0600
From:      Marius Strom <marius@marius.org>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-security@freebsd.org
Subject:   BIND9 Migration from BIND8 (Was: BIND 8.2.3 upgrade available)
Message-ID:  <20010129223943.L388@marius.org>
In-Reply-To: <4.2.2.20010129221351.03331388@marble.sentex.net>; from mike@sentex.net on Mon, Jan 29, 2001 at 10:15:28PM -0500
References:  <006901c08a45$30d64860$46010a0a@sysadmininc.com> <20010129143300.A38419@xor.obsecurity.org> <4.2.2.20010129175758.03255570@marble.sentex.net> <4.2.2.20010129221351.03331388@marble.sentex.net>

I've posted the migration text file out of the bind-9.1.0 package at
http://www.marius.org/~marius/unix/migration should anyone care for
ISC's full details without downloading the full archive.

On Mon, Jan 29, 2001 at 10:15:28PM -0500, Mike Tancsa wrote:
> At 06:00 PM 1/29/2001 -0500, Mike Tancsa wrote:
> >At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote:
> >>Is there a big reason why anyone would not want to just go ahead and run
> >>bind 9?
> >
> >I don't think all the features are there yet. At least the last time I 
> >looked at it, there were some things unimplemented.  Also, the 
> >configuration is not totally compatible. I also found it to be a little 
> >unpredictable when I tried version 9.0.1.  Perhaps it's more stable now, 
> >but I personally would wait another month or so for it to shake out.
> 
> 
> Here is a good summary from the NANOG list by Greg Woods on some of the 
> things missing, and some of the things that are different.
> 
> >From: woods@weird.com (Greg A. Woods)
> >[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ]
> > > Subject: Re: sorry to ruin several of your evenings...
> > >
> > > Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0
> > > (sorry I purged some mails before their time). Just for the sake of
> > > readiness, be aware that there are some 8.x options which are unsupported
> > > in 9.x. I did an in-place upgrade and had to make a few (mostly
> > > insignificant) changes which may be problematic for larger sites.
> > >
> > > The global config entries I had to remove were:
> > >
> > > fake-iquery yes
> > > multiple-cnames yes
> > > rfc2308-type1 yes
> > > check-names slave ignore
> > > maintain-ixfr-base true
> >
> >That's just the beginning!  :-)
> >
> >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 
> >'memstatistics-file' is not yet implemented
> >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the 
> >'auth-nxdomain' option is now 'no'
> >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 
> >'host-statistics' is not yet implemented
> >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is 
> >obsolete
> >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is 
> >not implemented
> >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging 
> >category 'os' ignored
> >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging 
> >category 'parser' ignored
> >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging 
> >category 'load' ignored
> >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging 
> >category 'panic' ignored
> >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging 
> >category 'packet' ignored
> >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging 
> >category 'eventlib' ignored
> >
> >I don't yet know if "host-statistics" is still necessary to be able to
> >see the source of an RR in a dump file, or not, but if so then that'll
> >be a road-block in keeping me from using 9.1.0 in production.
> >
> >I'm also very partial to 'check-names'.  I've been happy using the
> >following in many locations:
> >
> >         check-names master fail;
> >         check-names slave fail;
> >         check-names response fail;
> >
> >
> >Even more critically the old 'ndc' program has been replaced by 'rndc',
> >which won't work until you've configured it (/etc/rndc.conf) *and* you
> >add "controls" statements to your /etc/named.conf to allow it to
> >connect, authenticate, and send commands.  There doesn't seem to be a
> >default way of setting it up for local-only control.  I haven't done
> >this yet.
> >
> >Even worse than that the new BIND-9 'named' not only doesn't handle
> >signals in the same way as previous versions, but it shuts down instead
> >of ignoring SIGINT (which used to generate a dump file, which is why
> >I've not yet successfully generated and viewed a dump file to see if the
> >source of the RR is recorded in there!).  So:
> >
> >
> >WARNING:  Anyone with scripts or other programs that use signals
> >(i.e. kill(1), or kill(2)) to control their named process will almost
> >certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its
> >mechanisms)!
> >
> >
> >You'll also find that the new named-checkconf fails if you use:
> >
> >         options {
> >                 directory "/etc/namedb";
> >         };
> >
> >and then try to do something like:
> >
> >         include "named-rfc1918.conf";
> >         include "named-slave.conf";
> >         include "named-master.conf";
> >
> >However the named process itself does seem to do the
> >chdir("/etc/namedb") before trying to do the "include"s,
> >and if you start named-checkconf from within the right
> >directory it'll work....
> 
> --------------------------------------------------------------------
> Mike Tancsa,                          	          tel +1 519 651 3400
> Network Administration,     			  mike@sentex.net
> Sentex Communications                 		  www.sentex.net
> Cambridge, Ontario Canada			  www.sentex.net/mike
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

-- 
Marius Strom <marius@marius.org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4
 
"Never underestimate the bandwidth of a mini-van full of DLT
tapes traveling down the highway at 65 miles per hour..."
	-Andrew Tanenbaum, "Computer Networks"
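
An added example, not part of any message in this thread and not ISC tooling: a pre-migration scan of a BIND 8 named.conf for the items Hall and Woods report above (unsupported options, unknown logging categories, relative includes under a `directory` option, a missing `controls` statement, and the changed `auth-nxdomain` default). The function names and the sample configuration are constructed for illustration.

```python
import re
# Option and category names are the ones reported in this thread, not an ISC list.
DROPPED = {"fake-iquery", "multiple-cnames", "rfc2308-type1", "check-names",
           "maintain-ixfr-base", "memstatistics-file", "host-statistics",
           "use-id-pool"}
BAD_CATEGORIES = {"os", "parser", "load", "panic", "packet", "eventlib"}
TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
STMT = re.compile(r'(?:\A|[;{}])\s*([\w-]+)(?:\s+("[^"\n]*"|[\w./-]+))?')

def strip_comments(text):
    """Blank out comments but keep quoted strings and line numbers intact."""
    def keep(m):
        return m.group() if m.group()[0] == '"' else re.sub(r"[^\n]", " ", m.group())
    return TOKEN.sub(keep, text)

def audit(conf_text):
    """Return sorted (line, message) findings; line 0 is a file-wide finding."""
    text = strip_comments(conf_text)
    seen, relative, out = set(), [], []
    for m in STMT.finditer(text):
        word, arg = m.group(1), (m.group(2) or "").strip('"')
        line = text.count("\n", 0, m.start(1)) + 1
        seen.add(word)
        if word in DROPPED:
            out.append((line, f"option '{word}' reported here as unsupported in 9.1.0"))
        elif word == "category" and arg in BAD_CATEGORIES:
            out.append((line, f"logging category '{arg}' is unknown to 9.1.0"))
        elif word == "include" and not arg.startswith("/"):
            relative.append((line, arg))
    if "directory" in seen:  # named-checkconf does not chdir before includes
        out += [(n, f"include '{p}' is relative: run named-checkconf from the "
                    "'directory' path") for n, p in relative]
    if "auth-nxdomain" not in seen:
        out.append((0, "auth-nxdomain not set: the default is now 'no'"))
    if "controls" not in seen:
        out.append((0, "no controls statement: rndc cannot connect"))
    return sorted(out)

# Constructed sample input, not a real site's configuration.
SAMPLE = '''options {
        directory "/etc/namedb";   // working directory
        check-names master fail;   /* fake-iquery yes; */
        use-id-pool yes;
};
logging { category panic { default_syslog; }; };
include "named-master.conf";
'''
if __name__ == "__main__":
    print("\n".join(f"named.conf:{n}: {msg}" for n, msg in audit(SAMPLE)))
```

Options that appear only inside comments are not reported, and line numbers refer to the original file because comments are blanked rather than deleted.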

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010129223943.L388>