Re: Replacing BIND with unbound 9.1 code freeze?)

2012-07-10 Thread Doug Barton

On 07/09/2012 19:46, Peter Jeremy wrote:
> Firstly, I should note that I'm not against removing bind from base.

Thanks for clarifying.

> I'm merely saying that users are going to need some guidance during
> the transition.

I've never argued against that. I think you misunderstood my flippant
comment below.

> On 2012-Jul-09 13:52:15 -0700, Doug Barton do...@freebsd.org wrote:
>> On 07/09/2012 13:47, Peter Jeremy wrote:
>>> On 2012-Jul-09 14:15:13 +0200, in freebsd-security, Andrej (Andy)
>>> Brodnik and...@brodnik.org wrote:
>>>> Excuse my ignorance - but is there a how-to paper on transition
>>>> from bind to unbound for SOHO?
>>
>> You don't need to transition if you don't want to. Just install BIND
>> from the ports.
>
> IMHO, this is a copout.  If the default response to anyone asking a
> question about transitioning is install bind then we might as well
> leave bind in the base system.

3 things to keep in mind in response.

1. We cannot keep BIND in the base system.
2. As above, I didn't say we shouldn't have a transition guide. I said
we don't need one. That may not seem like an important distinction, but
it is. :)
3. People really don't have to transition if they don't want to.

All 3 of these are important points, but 1 and 3 are critical for people
to understand if they are going to participate in this discussion.

> As I see it, FreeBSD systems fall roughly into 3 categories:
> 1) Client systems that need to lookup external DNS servers only.
> 2) SOHO systems that primarily do external lookups but need to
>    be internally authoritative about their local network.
> 3) Systems that are primarily DNS servers.
>
> The third category is clearly a use ports case - there's no need
> for the base system to include all the tools necessary to build one
> of the root nameservers.
>
> The base system _must_ handle the first category - and I'll accept
> advice from dougb@  des@ that unbound is a good choice for this.  The
> issues people seem to have with the change here are the user tools
> to interface with DNS - currently dig(1), host(1) and nslookup(1) -
> and des@ has now adequately covered this.

I think your analysis above is basically correct.

> I think the majority of the remaining unease in this thread comes from
> people who administer systems in the second category.  I (and I expect
> lots of other people) use bind for this solely because it is in the
> base system, not because it is the best tool for the job.

Well that's yet another reason to take it out of the base so that people
can analyze this critically. :)

Seriously though, install BIND from ports is still a good answer to
this use case. I'd argue that BIND 9.[89] is actually the best tool for
the purpose you outlined, but there's no reason you couldn't use a
combination of unbound and nsd. It would just be different than what
people are used to.

>> In particular, if unbound has no authoritative server capabilities,
>> what suggestions are there for handling the private hosts in a SOHO
>> environment?
>
> Stub and/or forward zones. The unbound docs have more information.
>
> But unfortunately no tutorial guides.

https://unbound.net/documentation/index.html

> Having looked at the online
> copy of unbound.conf(5), it appears that unbound _does_ have some
> limited server capabilities - this wasn't clear in the original
> proposal.  It's not immediately clear to me whether it's adequate for
> my purposes and, if it isn't, what I should use.

You're still stuck on If it's in the base, it's the thing I have to
use, so the fact that I don't know how to use it is causing me stress.
Get over that, and realize that you can continue to use all the same
stuff you already have, if you install BIND from ports. :)

Doug

-- 

Change is hard.



___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to freebsd-hackers-unsubscr...@freebsd.org


Re: Replacing BIND with unbound 9.1 code freeze?)

2012-07-10 Thread Mike Meyer
On Tue, 10 Jul 2012 00:12:16 -0700
Doug Barton do...@freebsd.org wrote:
> On 07/09/2012 19:46, Peter Jeremy wrote:
>> As I see it, FreeBSD systems fall roughly into 3 categories:
>> 1) Client systems that need to lookup external DNS servers only.
>> 2) SOHO systems that primarily do external lookups but need to
>>    be internally authoritative about their local network.
>> 3) Systems that are primarily DNS servers.
>>
>> I think the majority of the remaining unease in this thread comes from
>> people who administer systems in the second category.  I (and I expect
>> lots of other people) use bind for this solely because it is in the
>> base system, not because it is the best tool for the job.
>
> Well that's yet another reason to take it out of the base so that people
> can analyze this critically. :)
>
> Seriously though, install BIND from ports is still a good answer to
> this use case. I'd argue that BIND 9.[89] is actually the best tool for
> the purpose you outlined, but there's no reason you couldn't use a
> combination of unbound and nsd. It would just be different than what
> people are used to.

I suspect that dnsmasq is a lot better tool for that job than BIND,
but see below. Unless you've got a really messy SOHO network,
anyway. It's simpler to configure, and includes an integrated DHCP
server so hosts that get their IP addresses via DHCP show up in
the dns server. I know bind and at least one DHCP server can be setup
to do that, but I never could get it to work properly. dnsmasq did it
the first time years ago, and I've never looked back. These days, I'm
using it on a DDWRT router.

I would have suggested it for the base system, but 1) it's still a bit
more than case 1 needs, and 2) it's GPL'ed.

 mike
-- 
Mike Meyer m...@mired.org http://www.mired.org/
Independent Software developer/SCM consultant, email for more information.

O ascii ribbon campaign - stop html mail - www.asciiribbon.org


Re: Replacing BIND with unbound 9.1 code freeze?)

2012-07-10 Thread Doug Barton
On 07/10/2012 00:28, Mike Meyer wrote:
> I suspect that dnsmasq is a lot better tool for that job than BIND

I think better is in the eye of the beholder, particularly whether or
not the O is either small or well-staffed enough to pre-enter
hostnames into the zone files. That said, dnsmasq is a great tool,
especially if you're relying on DDNS.

OTOH, as anyone can see from the named.conf in the base, I believe
rather strongly that a large'ish network should take responsibility for
being authoritative for 1918 stuff (et al) so that they don't go out
over the network. You can still do that with other solutions, but this
is one area where the fact that BIND can do both is a feature.

Doug

-- 

Change is hard.



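The two points Doug makes in this thread for the SOHO case, "stub and/or forward zones" as the answer to local hosts, and a resolver that is authoritative for RFC 1918 reverse space so those lookups never leave the network, can both be expressed in one unbound.conf. What follows is an added example written for this page; it is not configuration posted in the thread or shipped by the unbound project or FreeBSD. The LAN interface, the 192.168.1.0/24 network, the zone name home.example, the host names, the port for the nsd variant and the trust-anchor path are all assumed placeholders.

```conf
# Added example (not from the thread): a SOHO resolver that also answers
# for the local hosts. All names, addresses and paths are assumptions.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Validate upstream answers. The root.key path is the FreeBSD port's
    # conventional location here; adjust it to your install.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # Authoritative data for the private network, served from local-data.
    # "static" means names under the zone that have no local-data get
    # NXDOMAIN; nothing for home.example is ever forwarded upstream.
    local-zone: "home.example." static
    local-data: "gw.home.example.  IN A 192.168.1.1"
    local-data: "nas.home.example. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.1  gw.home.example"
    local-data-ptr: "192.168.1.10 nas.home.example"

    # local-data-ptr fills in PTR records under 1.168.192.in-addr.arpa.
    # unbound already serves the RFC 1918 reverse zones (10.in-addr.arpa,
    # 16.172 through 31.172.in-addr.arpa, 168.192.in-addr.arpa) as default
    # static zones, so a reverse lookup for any other private address is
    # answered NXDOMAIN locally instead of being sent out to the Internet.

    # DNS rebinding protection: upstream answers that carry private
    # addresses are discarded unless the name is under a private-domain.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "home.example."

    # Needed for the nsd variant below: an unsigned local zone must be
    # marked insecure, or the validator would reject its answers.
    domain-insecure: "home.example."

# Variant for the "unbound plus nsd" combination mentioned above: let nsd
# be authoritative for the zone and point unbound at it with a stub-zone.
# Use this instead of the local-zone/local-data lines for the same name,
# not in addition to them.
#stub-zone:
#    name: "home.example."
#    stub-addr: 192.168.1.1@10053
```

The access-control lines are what keep this from becoming an open resolver on the WAN side; the 0.0.0.0/0 refuse entry is the safe default to leave in even if the interface list already restricts where unbound listens. Run unbound-checkconf on the file before restarting the daemon, and check the result from a LAN client with host(1) against 192.168.1.1 for both a local name and its reverse.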


Re: Replacing BIND with unbound 9.1 code freeze?)

2012-07-09 Thread Peter Jeremy
Firstly, I should note that I'm not against removing bind from base.
I'm merely saying that users are going to need some guidance during
the transition.

On 2012-Jul-09 13:52:15 -0700, Doug Barton do...@freebsd.org wrote:
> On 07/09/2012 13:47, Peter Jeremy wrote:
>> On 2012-Jul-09 14:15:13 +0200, in freebsd-security, Andrej (Andy)
>> Brodnik and...@brodnik.org wrote:
>>> Excuse my ignorance - but is there a how-to paper on transition
>>> from bind to unbound for SOHO?
>
> You don't need to transition if you don't want to. Just install BIND
> from the ports.

IMHO, this is a copout.  If the default response to anyone asking a
question about transitioning is install bind then we might as well
leave bind in the base system.

As I see it, FreeBSD systems fall roughly into 3 categories:
1) Client systems that need to lookup external DNS servers only.
2) SOHO systems that primarily do external lookups but need to
   be internally authoritative about their local network.
3) Systems that are primarily DNS servers.

The third category is clearly a use ports case - there's no need
for the base system to include all the tools necessary to build one
of the root nameservers.

The base system _must_ handle the first category - and I'll accept
advice from dougb@  des@ that unbound is a good choice for this.  The
issues people seem to have with the change here are the user tools
to interface with DNS - currently dig(1), host(1) and nslookup(1) -
and des@ has now adequately covered this.

I think the majority of the remaining unease in this thread comes from
people who administer systems in the second category.  I (and I expect
lots of other people) use bind for this solely because it is in the
base system, not because it is the best tool for the job.

>> In particular, if unbound has no authoritative server capabilities,
>> what suggestions are there for handling the private hosts in a SOHO
>> environment?
>
> Stub and/or forward zones. The unbound docs have more information.

But unfortunately no tutorial guides.  Having looked at the online
copy of unbound.conf(5), it appears that unbound _does_ have some
limited server capabilities - this wasn't clear in the original
proposal.  It's not immediately clear to me whether it's adequate for
my purposes and, if it isn't, what I should use.  This is an area
where I expect there will be community input - potentially via the
FreeBSD wiki.

-- 
Peter Jeremy

