Trying to understand DNSSEC and BIND versions better

Chris Buxton cbuxton at menandmice.com
Thu Jun 11 00:11:39 UTC 2009


On Jun 9, 2009, at 5:21 PM, Mark Andrews wrote:
>
> In message <20090609113700.GA6813 at evileye.atkac.englab.brq.redhat.com>,
> Adam Tkac writes:
>> On Tue, Jun 09, 2009 at 11:22:12AM +1000, Mark Andrews wrote:
>>>
>>> In message <99E6A67A9DA87041A8020FBC11F480B3031CCEE4 at EXVS01.dsw.net>,
>>> "Jeff Lightner" writes:
>>>> BIND versions on RHEL (e.g. 9.3.4-6.0.3.P1.el5_2) have backported
>>>> patches from later BIND versions so it isn't exactly the same animal as
>>>> the EOL 9.3 which is why it isn't listed simply as 9.3
>>>
>>> I've yet to see a vendor back port every bug fix and that is what
>>> would be required to really support a product in an OS which is at
>>> EOL by the producer.
>>>
>>> Mark
>>
>> This is neverending discord between you (upstream) and vendors.
>>
>> You are right the ideal approach is to backport all fixes but it
>> simply consumes much manpower. Update to newer version is not possible
>> because there are configuration incompatibilities.
>>
>> Optimal software from economic perspective is usually different from
>> optimal software from programming perspective. If you combine both
>> perspectives you probably get answer why vendors backport patches only
>> for issues which are reported by their customers.
>>
>> Regards, Adam
>
> 	There are very few backwards compatibility issues with BIND
> 	in terms of configuration files.  If you ignore the logging
> 	stanza you should be able to take most BIND 8.1 configuration
> 	files and have BIND 9.6.1 use it.  There are even tools in
> 	the distribution to take a BIND 4 configuration file and
> 	convert it to BIND 8/9 format and use it.
>
> 	The master files go back to the earliest version of BIND 4.
> 	New versions are just less tolerant of errors in the master
> 	files.  Correct master files from 2 decades ago just work.
>
> 	Almost all the changes in major revisions are new functionality.


The change to the default value of allow-recursion is still tripping  
up our customers. Otherwise, I agree.

On the other hand, the builds from the Linux vendors have been less  
than perfectly stable at moderately high levels of traffic. Rebuilding  
from stock source code has always fixed this problem. We've seen this  
problem with both the Red Hat build and the Debian build.

Chris Buxton
Professional Services
Men & Mice



