Deprecation notice force BIND 9.20+: source port(s)

Ondřej Surý ondrej at isc.org
Thu Jan 5 07:41:33 UTC 2023


Hi,

in line with our deprecation policy, I am notifying the mailing list about our preliminary
intent to deprecate the definition of the source ports and rely on the operating system
to provide a reasonable ephemeral port range for outgoing UDP and TCP connections.

Specifying outgoing ports is a bad practice; it's already discouraged, it's prone to errors
(it's not only specifying a single port, but specifying not enough ports also removes a layer
of protection) and is already full of caveats like:

   .. note:: The address specified in the :any:`query-source` option is used for both
      UDP and TCP queries, but the port applies only to UDP queries. TCP
      queries always use a random unprivileged port.

   .. warning:: Specifying a single port is discouraged, as it removes a layer of
      protection against spoofing errors.

   .. warning:: The configured :term:`port` must not be the same as the listening port.

The deprecation will include:

* specifying **port** in the following statements:
  - `query-source`
  - `query-source-v6`
  - `transfer-source`
  - `transfer-source-v6`
  - `notify-source`
  - `notify-source-v6`
  - `parental-source`
  - `parental-source-v6`
* the following statements as a whole:
  - `use-v4-udp-ports`
  - `use-v6-udp-ports`
  - `avoid-v4-udp-ports`
  - `avoid-v6-udp-ports`

These options will be marked as deprecated in BIND 9.20[1][2] and removed in BIND 9.22[3].

1. BIND 9.20 will be released early 2024
2. Most probably we will also enable the warning in BIND 9.18 to notify users
that skip versions.
3. BIND 9.22 will be released in early 2026

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
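The following is an added example, not code from ISC or from the announcement above. It is a small Python linter an operator can run over a `named.conf` before upgrading, to find the settings the announcement deprecates: an explicit `port` argument on the `*-source` statements, and the `use-v4-udp-ports` / `use-v6-udp-ports` / `avoid-v4-udp-ports` / `avoid-v6-udp-ports` statements. The statement names are taken from the announcement; the sample configuration embedded in the script is constructed for illustration, and the severity labels (a numeric single port is the case the announcement calls out as removing a layer of spoofing protection, while `port *` already means "random") are this example's own choice.

```python
"""Find BIND source-port settings deprecated in BIND 9.20 (added example, not ISC code).

Statement names come from the ISC deprecation notice; the sample named.conf
below is constructed and the severity scheme is this script's own.
"""
import re
import sys

# Statements where only the explicit "port" argument is being deprecated.
PORT_STATEMENTS = [
    "query-source", "query-source-v6",
    "transfer-source", "transfer-source-v6",
    "notify-source", "notify-source-v6",
    "parental-source", "parental-source-v6",
]

# Statements that are being deprecated as a whole.
WHOLE_STATEMENTS = [
    "use-v4-udp-ports", "use-v6-udp-ports",
    "avoid-v4-udp-ports", "avoid-v6-udp-ports",
]

# Constructed sample config (not a real deployment) mixing fine and deprecated forms.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    /* single fixed port: removes a layer of protection against spoofing */
    query-source address 192.0.2.10 port 53000;
    query-source-v6 address 2001:db8::10 port *;
    transfer-source 192.0.2.10;          # no port argument: nothing to change
    notify-source 192.0.2.10 port 53;    // also clashes with the listening port
    use-v4-udp-ports { range 1024 65535; };
    avoid-v4-udp-ports { 4444; };
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _stmt(name: str) -> str:
    """Match a statement name as a whole token (so query-source != query-source-v6)."""
    return rf"(?<![\w-]){re.escape(name)}(?![\w-])"


def find_deprecated(conf: str) -> list[tuple[str, str, str]]:
    """Return (statement, detail, severity) for every deprecated setting found."""
    findings = []
    text = strip_comments(conf)

    for name in PORT_STATEMENTS:
        # A *-source statement is a single clause ending in ';' with no braces.
        for m in re.finditer(_stmt(name) + r"([^;{]*);", text):
            pm = re.search(r"\bport\s+(\*|\d+)", m.group(1))
            if pm:
                port = pm.group(1)
                # "port *" already means random; a fixed number is the risky form.
                severity = "info" if port == "*" else "warning"
                findings.append((name, f"port {port}", severity))

    for name in WHOLE_STATEMENTS:
        if re.search(_stmt(name), text):
            findings.append((name, "statement", "warning"))

    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for stmt, detail, severity in find_deprecated(source):
        print(f"{severity}: {stmt} {detail} is deprecated in BIND 9.20; "
              f"remove it and let the OS choose ephemeral ports")
```

Run it with a path to your own `named.conf` or with no argument to lint the embedded sample. The remediation the announcement implies is the same in every case: delete the `port` argument (or the whole `use-*`/`avoid-*` statement) rather than widening the range, since the operating system's ephemeral port range is what the deprecation relies on.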
