OpenBSD Journal

Bind 9 in -current

Contributed by jose on from the big-changes dept.

Rick Wash contributes:
"Bind 9.2.2rc1 was just imported into -current. This is a major upgrade from the Bind 4.9.* that was previously there. Now it is possible to use OpenBSD for all the new bind features such as dynamic DNS."

Jakob, who appears to be leading the import effort, has spent some time auditing BIND 9.2, and has reportedly fixed many errors (many of which he appears to be checking in right now). Those of you who need to use OpenBSD as a DNS server will probably want to wait a bit until this import settles down, builds and runs perfectly, and has been audited a bit more. However, it will add many nice shiny features, including a partial DNSSEC implementation, full IPv6 support, a threaded architecture, and a lightweight resolver for caching-only operations.


  1. By Anonymous Coward () on

    Sweeeeeeet! One of the first things I do after I install OpenBSD is grab the package for bind 9 and go through the bind9-enable stuff. Now I can feel a bit safer knowing someone has gone through the code enough where it can be put in the default install (although not enabled by default, that would be just silly). Thank you!

  2. By Anonymous Coward () on

    Any thoughts as to whether or not one could get his code to compile under 3.2 stable? I'd love to create a "patched" version of the bind-9 port to use. If not, hopefully ISC will incorporate his fixes.

  3. By RC () on

    Any ideas why they chose Bind9 over... say... MaraDNS? Which just happens to be several orders of magnitude smaller, has a security record at least as good as Bind9, and has other security features built in.

  4. By deekayen () on

    Well crap. I just installed -current yesterday and configured 4.9.

  5. By Anonymous Coward () on

    I can hardly wait for the next snapshot with this change. I have been putting off upgrading some dns servers, now this will give it a good test.

    Now to help make it rock solid for 3.3, thank you Jakob!

  6. By coyote () on

    I wasn't sure if I'd ever see this day come!

    Last night I happened to be poking around on one of the DNS servers I manage and noticed how nicely BIND 9 has been running from ports.

    Three different heavily loaded servers (3.1 -stable):

    $ ps aux | grep ^named
    named 2320 1.1 62.6 102684 81812 ?? SNs 17Jul02 3860:21.72 named -t /var/named -u named

    $ ps aux | grep ^named
    named 11015 0.0 15.5 38876 40428 ?? SNs 10Jul02 547:53.14 named -t /var/named -u named

    $ ps aux | grep ^named
    named 7148 0.9 66.8 85556 87212 ?? SNs 23Jul02 3800:21.21 named -t /var/named -u named

  7. By Anonymous Coward () on

    So why is RC1 being imported and not the final release?

    Surely this is just more work when it comes time to do the _release_ version...

  8. By Jakob () on

    Please also note that we have disabled a lot of those fancy features such as DNSSEC (since it is not ready yet), multi-threading (stability) and lwresd (no one uses it). On the other hand we've added stuff such as default chroot, default setuid and support for a device-less chroot.

  9. By Pascal Lalonde () on

    I know that there is a policy file for named (for bind-4.9) shipped with 3.2 under /etc/systrace. I was wondering if there will be one for Bind9 as well. I don't know if this is a tough task to create. I created policy files for CUPS on my test server, yet I'm not sure about their correctness, and it took me quite a while to fine-tune it. So maybe it is too time consuming to do, but if not, it would be a nice thing to have.
    Systrace is a powerful tool in my opinion, but not easy to use. I guess the maintainer more than anyone else knows what system calls named is supposed to use :)

    This is not a feature request. It is just an idea thrown in the air, just in case someone likes it and wants to do something with it.

  10. By W () on

    I'll stick with djbdns. I basically configure it and leave it alone. It's not as feature rich as BIND, but when I don't need those features, djbdns is my best friend.

  11. By waldo () on

    so i'm a little slow, but my $0.02:
    i /like/ bind4. it's clean, and seems rather more secure than bind9. oh well. here's hoping a code audit happens soon.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]