On 3/17/19 2:37 PM, Alan Clegg wrote:
It turns out that this series of changes, taken as a whole, removed allow-update as a global option.

That sounds like either an unintended consequence -or- a change in anticipated ~> expected behavior by some people.

The question now becomes: Is there a need for the ability to apply allow-update across all zones in your configuration?

I use allow-update at the global options level.

Smaller operators should be able to add the allow-update per zone very easily, and large operators should (probably) be doing things at a much more granular level.

Can I add allow-update per zone?  Yes.

Will I be annoyed at needing to add the allow-update to each zone?  Yes.

Even if the allow-update wasn't intended to function at the global options level, the point remains that it has done so and the current expected behavior is that it will continue to do so.

So, if there is an official change to the contrary of the unofficial behavior, I think that it needs to be VERY CLEARLY communicated.

I'm sure that there will be internal discussion here at ISC regarding this topic over the next week.

Good.

I look forward to hearing what the general consensus is.

If the consensus is that the new behavior is desired, I would hope ~> expect for a survey of the BIND user community like I've seen in the past about removing / significantly altering functionality.

We are hoping to release 9.14.0 soon and this would be an "allowed" change (at a .0 release). If we don't make this change in 9.14.0, it won't be allowed in an official production release until 9.16.0 due to the "no changes to the configuration file except at .0 releases" rule.

Hum. I'd hate to think that due to misfortune of timing, we'd be stuck with this unexpected / inconsistent with prior version behavior until 9.16.0 came out.

At this moment, I (personally) believe that the change is fixing a bug, as "allow-update" was not planned and is not a good idea at the global option level. I believe that it should be allowed only in zone stanzas.

Opinions aside, the fact is that it has worked as a global option historically and this is a non-trivial change in behavior.

I might not like such a change. But I'm okay accepting such a change if it is properly communicated. (See above comment about survey.)

If you have thoughts/opinions, please let us know!

See inline above.

I know that my few small BIND instances are a pittance compared to many. But I would be quite annoyed to learn that my long stable config suddenly no longer worked after updating BIND. Especially if I didn't know why my config no longer worked or what I needed to do to fix it. This could be even worse if the failure is not detected quickly and instead lingers for a few days / weeks before the lack of an update ended up breaking DNS resolution in a production environment.

I share this as a joke and don't mean to ruffle any feathers.

https://memegenerator.net/img/instances/84240115/bug-fixed-ops-problem-now.jpg



--
Grant. . . .
unix || die
