Fully automated DNSSEC with BIND 9.16

[Emmanuel Fusté]

Le 17/04/2023 à 20:40, Petr Menšík a écrit :
> Ondřej,
>
> it would be awesome if we could choose a higher quality release 
> instead to use for our longer support. But we lack any good metric to 
> choose one. So we update from time to time unless there is something 
> stopping us.
>
....

How could you elaborate or argument later after such a statement ?
It simply prove (and the rest of your answer confirm it) that you did 
not event take the time to read the ISC release numbering/policy or if 
you need "facts" the release notes of the 9.16 release(*) series and/or 
that you never operate "real" production grade Bind server.
Don't take the "you" for yourself. As the email used, you represent RH here.

The truth is that there is a market for RH like release policy choices. 
You work for this business. Perfect.
98% of your clients choose this release model for wrong, non technical 
reasons: that a/my personal strong opinion based on my latest 25 years 
of professional experience.
So don't ask people to stop asking to install latest ISC release on one 
of the still supported branch to get free technical support. All people 
on this list get no direct revenues for helping others, even ISC employee.
Otherwise, the only fair answer that we could give to the people asking 
for help on RH or derivative distribution would be: ask your distributor 
support.
I even was one time in this position, with a payed RH support contract 
with lots of zero at the end. The answer was go away or if your problem 
is really solved by a new release (and do the analyses yourself) , pay 
for a custom package.

[*]On the 9.16 release front, a lots of critical operational fixes where 
made on the fully automated signing process since your latest point release.

Regards,
Emmanuel.