RE: RHEL5 BIND in PROD
For new deployments, I would likely choose RHEL6 over RHEL5, unless you have a compelling reason to run RHEL5. RHEL6 includes BIND 9.7.0.

You mention that you would like to keep your DNS boxes appliance-like. If this is the case, rolling out source code and compiling on each box may not be the best solution for you. If you decide to compile your own BIND, I would look at rolling RPMs for them to make deployment and upgrades easier.

Also, keep in mind that while RHEL BIND versions will never be cutting-edge/brand-new, security patches are backported into them.

Hope this helps.

Josh

-----Original Message-----
From: bind-users-bounces+jbaird=follett@lists.isc.org [mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf Of Mike Diggins
Sent: Tuesday, March 15, 2011 9:45 AM
To: bind-us...@isc.org
Subject: RHEL5 BIND in PROD

I'm about to transition my name servers from Solaris 10 to RedHat Linux 5.6. I'm debating whether to compile BIND directly from source as I usually do or use one of the RHEL packages, likely the newly released 9.7.0-6.P2. I would like to make our DNS a little more appliance based to ease some of the support burden. I'm also concerned with stability over new features. I'm interested to know what others are doing.

-Mike

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: RHEL5 BIND in PROD
If these are new servers that are only for BIND I'd suggest going with RHEL6 rather than 5.6 - RHEL releases have a very long life cycle. When I get a spare moment I intend to update our servers to RHEL6.

We use the RHEL5 BIND package for the reasons you give. However, the way RedHat does things is they go with a base release from upstream (e.g. 9.3 is default for RHEL5.x) then backport security and bug fixes from later base releases into that. This causes confusion because people will post here that they're using 9.3 which makes it look like they aren't paying attention to later updates and all.

If you like the latest greatest you could build your own but as I once said to the folks at RedHat: "If I have a dedicated server that only runs BIND and I have to build my own why should I pay for a subscription based Linux?"

As you note they now have (as a bug request) a later version of the base release available in RHEL 5.x but that isn't the one you'll get updates for with yum. I've suggested to RedHat that they do as they did with Java where they made different base releases (e.g. Java 1.4.2, Java 1.6.0) and provide updates for whichever (or both) you choose to use.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike Diggins
Sent: Tuesday, March 15, 2011 9:45 AM
To: bind-us...@isc.org
Subject: RHEL5 BIND in PROD

I'm about to transition my name servers from Solaris 10 to RedHat Linux 5.6. I'm debating whether to compile BIND directly from source as I usually do or use one of the RHEL packages, likely the newly released 9.7.0-6.P2. I would like to make our DNS a little more appliance based to ease some of the support burden. I'm also concerned with stability over new features. I'm interested to know what others are doing.

-Mike
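Both replies above note that RHEL backports security fixes into an older base release, so the upstream version number alone does not show the patch level. The following is an added example, not part of the thread, that reads a package changelog (the text printed by rpm -q --changelog) for CVE identifiers; the function names are hypothetical, and the changelog text, package releases and CVE IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: confirm a backported fix from the package changelog instead
# of judging patch level by the upstream version string.

# Print each distinct CVE ID found on stdin, one per line, sorted.
changelog_cves() {
    grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE ID in $1 is mentioned in the changelog on stdin, else 1.
changelog_has_cve() {
    changelog_cves | grep -Fxq "$1"
}

# Print the version-release of the oldest changelog entry mentioning CVE $1.
# rpm prints newest entries first, so the last match is the oldest one.
fixed_in_release() {
    awk -v cve="$1" '
        /^\* /          { header = $NF }     # entry header ends in version-release
        index($0, cve)  { rel = header }     # remember the entry naming the CVE
        END             { if (rel != "") print rel }
    '
}

# Live use on an RPM-based host (defined here, not called): package, CVE ID.
pkg_has_cve() { rpm -q --changelog "$1" | changelog_has_cve "$2"; }

# Constructed sample changelog; releases and CVE IDs are placeholders.
SAMPLE_CHANGELOG='* Tue Mar 01 2011 Example Packager <pkg@example.com> - 30:9.3.6-3.example
- backport fix for CVE-0000-2222 from a later upstream release

* Mon Jan 10 2011 Example Packager <pkg@example.com> - 30:9.3.6-2.example
- backport fix for CVE-0000-1111

* Fri Dec 03 2010 Example Packager <pkg@example.com> - 30:9.3.6-1.example
- update to upstream 9.3.6
'

for cve in CVE-0000-1111 CVE-0000-9999; do
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve "$cve"; then
        echo "$cve: fixed in $(printf '%s\n' "$SAMPLE_CHANGELOG" | fixed_in_release "$cve")"
    else
        echo "$cve: not mentioned in changelog"
    fi
done
```

A CVE that is absent from the changelog is not proof that the package is affected; check the vendor's advisory for that CVE before drawing a conclusion.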
Re: RHEL5 BIND in PROD
So, how many servers are you talking about?

After having tried to use the distribution supplied packages (for multiple distributions) my opinion is that building from source is the right answer for BIND. The distributions lag more than I'm comfortable with, and BIND builds cleanly from source with no muss, no fuss.

For a small number of devices (4 or 5ish) building from source on each box is not *too* hard. For anything more than that, you should be using some sort of system management / configuration thing -- personally I'm partial to Puppet. Trust me, the 2 or 3 days that you will burn getting it all set up and recipes written will more than pay for itself...

Being able to bump the version number on a single node, confirm it works, then change the version on the default node and have all your boxes scurry off and upgrade themselves is wickedly fun.

Installing a new box used to be a multi day event, with much scampering around, package installing, kvetching about the fact that emacs, bc, tcpdump, traceroute, etc are not installed by default, backup system configuration, kerberos key-diddling, ssh key poking, etc.

Now it is:

PXE boot / kickstart a base image.
Enroll box in puppet: apt-get install puppet; puppet agent --waitforcert 60 --test; on server: sudo puppet cert --sign newbox.example.com
have coffee, read XKCD for 20 minutes (I read slow!)
Profit!

W

On Mar 15, 2011, at 6:45 AM, Mike Diggins wrote:

> I'm about to transition my name servers from Solaris 10 to RedHat Linux 5.6. I'm debating whether to compile BIND directly from source as I usually do or use one of the RHEL packages, likely the newly released 9.7.0-6.P2. I would like to make our DNS a little more appliance based to ease some of the support burden. I'm also concerned with stability over new features. I'm interested to know what others are doing.
>
> -Mike
Re: RHEL5 BIND in PROD
I recompile the source rpm fedora core 14 bind 9.7.3 to EL4 and EL5 with koji. See my blog for explanations:
http://fakessh.eu/2011/03/10/bind-9-7-3-sur-centos-5-5-depuis-rpm-source-fecora-14/

On Tuesday 15 March 2011 at 09:45 -0400, Mike Diggins wrote:

> I'm about to transition my name servers from Solaris 10 to RedHat Linux 5.6. I'm debating whether to compile BIND directly from source as I usually do or use one of the RHEL packages, likely the newly released 9.7.0-6.P2. I would like to make our DNS a little more appliance based to ease some of the support burden. I'm also concerned with stability over new features. I'm interested to know what others are doing.
>
> -Mike

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: RHEL5 BIND in PROD
fakessh @ writes:

> I recompile the source rpm fedora core 14 bind 9.7.3 to EL4 and EL5 with koji see my blog for explanations
> http://fakessh.eu/2011/03/10/bind-9-7-3-sur-centos-5-5-depuis-rpm-source-fecora-14/

Yep, that works fine, and even on RHEL3.
Re: RHEL5 BIND in PROD
On Tue, 15 Mar 2011, Warren Kumari wrote:

> After having tried to use the distribution supplied packages (for multiple distributions) my opinion is that building from source is the right answer for BIND. The distributions lag more than I'm comfortable with, and BIND builds cleanly from source with no muss, no fuss

disclaimer: I'm a passive co-maintainer of bind in rhel/fedora (with Adam doing all the work)

If you just want a newer version of bind on RHEL, then I strongly recommend grabbing the existing source rpm, downloading the new bind source, and recompiling using the spec file as much as possible, eg:

    yumdownloader --source bind
    yum install rpm-build
    rpm -hiv bind*src.rpm
    cd ~/rpmbuild/SOURCES
    wget ftp://ftp.isc.org/../bind-9.8.x.tar.gz
    [edit ~/rpmbuild/SPECS/bind.spec and update the version to the latest bind source]
    rpmbuild -ba ~/rpmbuild/SPECS/bind.spec
    rpm -Uhv ~/rpmbuild/RPMS/x86_64/bind-9.8.x-1*rpm

You might need to disable a patch that got merged upstream, or a patch that has not been converted yet to the new upstream source if your build fails to compile.

This will ensure compatibility with RHEL, for instance with initscripts, SELinux, etc.

Alternatively, you can look into the development tree for RHEL, called Fedora. Fedora is on a 6 month release cycle and releases updates more often. But take note that you're exchanging stability and testing for a more rapid new version deployment.

Paul

ps. You can catch me tomorrow at the ICANN DNSSEC panel where I will talk about DNSSEC and Fedora/RHEL.