We have begun offering some additional binary packages for BIND 9 on an experimental basis. We already offer binaries for Windows users, which are very popular, and we have been hearing that some users of other operating systems would also like packages from ISC.
Why are we doing this?
For all open source users
We want to make sure that BIND users have access to binaries that include all of ISC’s latest bug fixes, the dependencies for key features like DNSTAP, and no other patches or fixes that ISC does not support.
- Some of the distributions do not provide the latest version of BIND in their packages, because of their rules about updating applications.
- Some of the BIND dependencies, specifically the DNSTAP feature, require software versions that are not up-to-date in the current official CentOS/RedHat packages.
For ISC Support Subscribers specifically
We would like to offer support subscribers a CentOS image that has no downstream patches that ISC has not created or tested. Eventually we want to provide ISC Support Subscribers with an option for updating directly from a private ISC repository during the Advance Notification period immediately prior to announcing a BIND 9 security vulnerability. We will continue to supply ISC Support Subscribers who receive Advance Security Notifications with security patches or updated tarballs for everyone who wishes to build their own.
We also want to provide ISC Support Subscribers who use the -S Supported Preview version of BIND (aka the Subscription Edition) with an executable, since this version is not publicly available via the usual open source package sites. We plan to provide a CentOS package for BIND 9 -S edition soon.
New experimental packages:
| OS | Architecture | How is this different from the official package? | ISC package location |
|---|---|---|---|
| Windows | 32-bit and 64-bit | n/a | https://www.isc.org/download |
| CentOS 6 & 7 | i386, x86_64, ppc64le | Minimal changes from official ISC releases. Includes DNSTAP. | copr.fedorainfracloud.org: BIND 9 Extended Support Version (ESV), BIND 9 Stable version, BIND 9 Development version |
| Ubuntu 14.04, 16.04 & 18.04 | | Based on the official Debian package, includes downstream patches not from ISC. Includes DNSTAP. | Launchpad: BIND 9 Extended Support Version (ESV), BIND 9 Stable version, BIND 9 Development version |
| Fedora 27 & 28 | i386, x86_64, ppc64le | Minimal changes from official ISC releases. Includes DNSTAP. | copr.fedorainfracloud.org: BIND 9 Extended Support Version (ESV), BIND 9 Stable version, BIND 9 Development version |
Debian – Ondřej Surý, Director of DNS Engineering at ISC, has joined the official Debian BIND 9 package maintainers’ team.
ISC Support Subscribers also get:
CentOS 6 & 7 – packages with upcoming security patches incorporated will be available during the Advance Notification period to ISC support customers.
We plan to provide a CentOS version of the BIND-S subscription edition for support customers. It will not be available to the general public.
The advantages of using an ISC package are:
- The BIND 9 code is up to date. This may be particularly important when updating after a security vulnerability is announced, although some OS packagers issue updated packages immediately when we announce a CVE.
- The BIND 9 version number will match the versions we are publishing, so it will be easier to tell what you are running. (Some distributions change the version number in their packages.)
- We will include the required libraries to support DNSTAP, which is a popular BIND 9 feature. This is not available currently in the standard RedHat packages.
- The ISC packages will be supportable by ISC – some of the OS packages include other code that we cannot support.
The disadvantages of switching to an ISC package include:
- The configuration may be different from the package you have been using. You will have to validate that the ISC package works for you.
- There may be distribution-specific fixes that you rely on that we can’t or won’t include.
- If you choose a binary with DNSTAP support, you will have some additional security exposure from the extra non-ISC code included. We cannot provide advance notification of security events for non-ISC code.
We need your feedback
- Our CentOS package applied minimal, conservative configuration options (with the exception of DNSTAP). The configuration will be quite a bit different from the official RHEL and CentOS packages, but of course the BIND 9 version is up-to-date.
- The Ubuntu and Fedora packages use the same name as the existing Debian package, and are based on the existing Debian package – so they include non-ISC patches. These packages offer minimal changes from the packages you are used to, but with updated BIND 9 versions.
These are obviously two very different approaches: do you prefer the “reset” we are doing with CentOS, or the “easy migration path” we are following with Debian, Ubuntu, and Fedora?
Please share your comments on the firstname.lastname@example.org mailing list. To report a bug, please open an issue on our BIND 9 GitLab instance at https://gitlab.isc.org/isc-projects/bind9.