Hi,

in line with our deprecation policy, I am notifying the mailing list about our preliminary intent to deprecate the definition of the source ports and rely on the operating system to provide a reasonable ephemeral port range for outgoing UDP and TCP connections.

Specifying outgoing ports is a bad practice, it's already discouraged, it's prone to errors (it's not only specifying a single port, but specifying not enough ports removes a layer of protection) and is already full of caveats like:

   .. note:: The address specified in the :any:`query-source` option is used for both
      UDP and TCP queries, but the port applies only to UDP queries. TCP
      queries always use a random unprivileged port.

   .. warning:: Specifying a single port is discouraged, as it removes a layer of
      protection against spoofing errors.

   .. warning:: The configured :term:`port` must not be the same as the listening port.

The deprecation will include:

* specifying **port** in the following statements:
  - `query-source`
  - `query-source-v6`
  - `transfer-source`
  - `transfer-source-v6`
  - `notify-source`
  - `notify-source-v6`
  - `parental-source`
  - `parental-source-v6`
* the following statements as a whole:
  - `use-v4-udp-ports`
  - `use-v6-udp-ports`
  - `avoid-v4-udp-ports`
  - `avoid-v6-udp-ports`

These options will be marked as deprecated in BIND 9.20[1][2] and removed in BIND 9.22[3].

1. BIND 9.20 will be released early 2024
2. Most probably we will also enable the warning in BIND 9.18 to notify users that skip versions.
3. BIND 9.22 will be released in early 2026

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
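
To check an existing configuration against the statements listed in the notice above, the following is an added example (not part of the original message and not ISC code): a small Python scanner for named.conf text. The function name, the constructed sample configuration and the choice to report `port *` as well are assumptions.

```python
import re

# Statements whose port clause is covered by the notice.
SOURCE_STMTS = [f"{s}-source{v}"
                for s in ("query", "transfer", "notify", "parental")
                for v in ("", "-v6")]
# Statements covered as a whole.
WHOLE_STMTS = ["use-v4-udp-ports", "use-v6-udp-ports",
               "avoid-v4-udp-ports", "avoid-v6-udp-ports"]

# Quoted strings and the three named.conf comment styles are blanked out
# (newlines kept) so they cannot produce matches or shift line numbers.
_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STMT = re.compile(
    r"(?<![\w-])(" + "|".join(SOURCE_STMTS + WHOLE_STMTS) + r")(?![\w-])([^;{]*)")
_PORT = re.compile(r"(?<![\w-])port\s+(\S+)")

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
options {
    // query-source port 53;   (commented out, ignored)
    query-source address 192.0.2.10 port 5353;
    query-source-v6 address 2001:db8::10;
    use-v4-udp-ports { range 32768 60999; };
    avoid-v4-udp-ports { 40000; };
};
zone "example.com" {
    type secondary;
    transfer-source 192.0.2.10 port 5354;
    notify-source *;
};
"""

def find_deprecated(conf):
    """Return (line, statement, detail) for each use named in the notice."""
    clean = _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), conf)
    findings = []
    for m in _STMT.finditer(clean):
        name, args = m.group(1), m.group(2)
        line = clean.count("\n", 0, m.start()) + 1
        if name in WHOLE_STMTS:
            findings.append((line, name, "whole statement"))
        elif (port := _PORT.search(args)):
            # Assumption: any port clause is reported, including "port *".
            findings.append((line, name, f"port {port.group(1)}"))
    return findings

if __name__ == "__main__":
    for line, name, detail in find_deprecated(SAMPLE):
        print(f"line {line}: {name} ({detail})")
```

Source statements that give only an address, such as `notify-source *;`, are not reported, since the notice covers only their port clause.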
