Fully automated DNSSEC with BIND 9.16

Ondřej Surý ondrej at isc.org
Mon Apr 17 12:49:35 UTC 2023


Petr,

while I understand that you are trying to do a great job maintaining
the BIND 9 packages for RHEL, it is what it is - a random snapshot
defined not by the quality of the chosen version but by time
availability. This is made even more complicated by applying a set
of patches where the set is defined by the downstream maintainer.

The whole idea that something frozen in time with patches applied
by a distribution maintainer must be more stable than the software
actively developed by upstream developers is wrong. This could
perhaps work for slow-paced, low-complexity software, but for anything
that's reasonably complex (as various network servers and clients
are) it's doomed to fail.

And what's even worse is that people will come, use the distribution
package of BIND 9 and think this is the "best" quality they can get.

> If he wanted bleeding edge

This narrative is wrong. I am not recommending that people
run the latest development release - that would be "bleeding edge".

The latest stable BIND 9 version is not bleeding edge. You are trying to
frame it as if it's something dangerous to use the latest version provided
by the upstream developers, who are, with all due respect, more
knowledgeable about the upstream source code than any downstream
package maintainer could be. Sure, that doesn't mean that mistakes
don't happen, they do, but running the latest upstream patch release
(or latest stable release) is considerably safer for BIND 9 than
running a BIND 9 release that's many versions behind, often EOL and
with a considerable number of patches[1] applied.

So, no, I am not going to stop telling people to stop using packages
bundled with a distribution unless the distribution follows the latest
patch release.

Alternatively, Red Hat can dedicate a support team to triage,
answer and fix problems in these versions (taken from DistroWatch):

* RHEL 7 - BIND 9.11.4 - released on 2018-07-11 - 33 patch releases behind - EOL since March 2022[2]
* RHEL 8 - BIND 9.11.36 - released on 2021-10-27 - 1 patch release behind - EOL since March 2022[2]
* RHEL 9 - BIND 9.16.23 - released on 2021-11-17 - 16 patch releases behind

And since this is not really going to happen, I will continue to tell people to
use upstream sanctioned packages because that will not waste the user's
time and it will not waste the developers' time.

> if the only issue in our version is unrelated to the problem investigated?

There were 448 merge requests between BIND version 9.16.23 and 9.16.39,
and 963 commits. So, how do you know that? I don't, and I am certainly not
willing to spend my already spread-thin time investigating whether any issue
has been fixed in the last year and a half, but I would be thrilled to fix any issue
found in the latest stable BIND release. We don't make changes to BIND 9
just because we can; there's (usually) a good reason behind every commit
and every merge request.

1. https://git.centos.org/rpms/bind/blob/c8s/f/SOURCES
2. https://lists.isc.org/pipermail/bind-announce/2022-March/001210.html

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 17. 4. 2023, at 13:57, Petr Menšík <pemensik at redhat.com> wrote:
> 
> Our CentOS/RHEL 8 packages are not just a random BIND 9 snapshot. If he wanted bleeding edge, he would use RHEL 9 or even Fedora. But he uses the conservative package I am looking after. While it may have some known issues, it has all the important fixes it needs. Can you please stop telling people not to use our packages, if the only issue in our version is unrelated to the problem investigated?
> 
> But I admit we should update to a more recent BIND 9.16 release already.
> 
> Cheers,
> Petr
> 
> On 4/13/23 15:40, Ondřej Surý wrote:
>>> On 13. 4. 2023, at 15:25, David Carvalho via bind-users <bind-users at lists.isc.org> wrote:
>>> 
>>> I'm using 9.16.23
>> Just don't.
>> 
>> ISC provides packages for major Linux distributions (https://www.isc.org/download/),
>> so there's really no reason to shoot yourself in the foot by using a random BIND 9
>> snapshot provided by your distro.
>> 
>> And while you are at it - upgrade straight to the latest 9.18, your experience will be much
>> smoother.
>> 
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>> 
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>> 
> -- 
> Petr Menšík
> Software Engineer, RHEL
> Red Hat, https://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users