BIND 9 packages from ISC

We are going to start offering some additional binary packages for BIND9 on an experimental basis.  We already offer binaries for Windows users, which are very popular, and we have been hearing that some users of other operating systems would also like packages from ISC.

Why are we doing this?

For all open source users

We want to make sure that BIND users have access to binaries that include all of ISC’s latest bug fixes, the dependencies for key features like DNSTAP, and no other patches or fixes that ISC does not support.

  • Some of the distributions do not provide the latest version of BIND in their packages, because of their rules about updating applications.
  • Some of the BIND dependencies, specifically the DNSTAP feature, require software versions that are not up to date in the current official CentOS/RedHat packages.

For ISC Support Subscribers specifically

We would like to offer support subscribers a CentOS image that has no downstream patches that ISC has not created or tested.  Eventually we want to provide ISC Support Subscribers with an option for updating directly from a private ISC repository during the Advance Notification period immediately prior to announcing a BIND security vulnerability.  We will continue to supply ISC Support Subscribers who receive Advance Security Notifications with security patches or updated tarballs for everyone who wishes to build their own.

We also want to provide ISC Support Subscribers who use the -S Supported Preview version of BIND (aka the Subscription Edition) with an executable, since this version is not publicly available via the usual open source package sites. We plan to provide a CentOS package for BIND 9 -S edition before the end of 2018: this is not available yet.

New experimental packages:

| OS | Architecture | How is this different from the official package? | ISC package location |
|---|---|---|---|
| Windows | 32-bit and 64-bit | n/a | isc.org/downloads |
| CentOS 6 & 7 | i386, x86_64, ppc64le | Minimal changes from official ISC releases. Includes DNSTAP. | copr.fedorainfracloud.org: BIND Extended Support Version (ESV), BIND Stable version, BIND Development version |
| Ubuntu 14.04, 16.04 & 18.04 | | Based on the official Debian package, includes downstream patches not from ISC. Includes DNSTAP. | Launchpad: BIND Extended Support Version (ESV), BIND Stable version, BIND Development version |
| Fedora 27 & 28 | i386, x86_64, ppc64le | Minimal changes from official ISC releases. Includes DNSTAP. | copr.fedorainfracloud.org: BIND Extended Support Version (ESV), BIND Stable version, BIND Development version |

Debian – Ondřej Surý, Director of DNS Engineering at ISC, has joined the official Debian BIND9 package maintainer’s team.

ISC Subscription support customers will also get:

CentOS 6 & 7 – packages with upcoming security patches incorporated will be available during the Advance Notification period to ISC support customers.

We plan to provide a CentOS version of the BIND-S subscription edition for support customers. This is not ready yet, but will be before the end of 2018. This won’t be available to the general public.

The advantages of using an ISC package are:

  • The BIND9 code is up to date. This may be particularly important when updating after a security vulnerability is announced, although some OS packagers issue updated packages immediately when we announce a CVE.
  • The BIND version number will match the versions we are publishing, so it will be easier to tell what you are running. (Some distributions change the version number in their packages.)
  • We will include the required libraries to support DNSTAP, which is a popular BIND feature. This is not available currently in the standard RedHat packages.
  • The ISC packages will be supportable by ISC – some of the OS packages include other code that we cannot support.

The disadvantages of switching to an ISC package include:

  • The configuration may be different than the package you have been using. You will have to validate that the ISC package works for you.
  • There may be distribution-specific fixes that you rely on that we can’t or won’t include.
  • If you choose a binary with DNSTAP support, you will have some additional security exposure from the extra non-ISC code included. We cannot provide advance notification of security events for non-ISC code.


We need your feedback

  • Our CentOS package applied minimal, conservative configuration options (with the exception of DNSTAP). The configuration will be quite a bit different from the official RHEL and CentOS packages, but of course the BIND version is up to date.
  • The Ubuntu and Fedora packages use the same name as the existing Debian package, and are based on the existing Debian package – so they include non-ISC patches. These packages give you minimal changes from the packages you are used to, but with updated BIND versions.

These are obviously two very different approaches: do you prefer the ‘reset’ we are doing with CentOS, or the ‘easy migration path’ we are following with Debian, Ubuntu, Fedora?

Please share your comments on bind-users@lists.isc.org or in the ISC forum.  To report a bug, please open an issue on our BIND 9 Gitlab instance at https://gitlab.isc.org/isc-projects/bind9.

Last modified: September 7, 2018 at 12:10 am