OpenBSD Journal

BIND 8 EOL: OpenBSD Makes It Easy

Contributed by dwc on from the in-a-BIND dept.

Darren Spruell writes:

ISC announced End of Life status for BIND 8 on 27 August, 2007. While most OpenBSD users will not find this news noteworthy, there are undoubtedly many users who may work for organizations that are running BIND 8 in their environment. End of life status for this critical application should result in immediate consideration by those running it to investigate upgrade paths to BIND 9. This should provide an extremely easy opportunity for presenting OpenBSD as a platform to migrate to for hosting new BIND 9 rollouts.

Core service

OpenBSD ships with a BIND 9 build in the core OS distribution, meaning that no additional packages are required to host a fully featured nameserver. OpenBSD's implementation can be used easily for either a caching resolver or an authoritative content server for a domain. OpenBSD's BIND 9 also works on IPv6 networks out of the box.

Secure implementation

OpenBSD maintains BIND 9 in-tree and applies a number of best-practice security measures. The project has audited the code and updated it to use safer string functions. named(8) runs in a chroot and under privilege separation by default. DNS query IDs are reliably randomized. The OpenBSD project's focus on proactive security lets it provide a resilient platform for hosting critical DNS services. As a recent example, OpenBSD users were not affected by the DNS cache poisoning weakness in BIND (CVE-2007-2926) thanks to foresight and attention by the developers years ago.
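The randomized query IDs mentioned above are something an operator can verify rather than take on trust. The script below is an added example, not code from the article or from the OpenBSD project: a coarse sanity check over captured outbound queries that extracts each 16-bit query ID and reports how many distinct IDs were seen and the longest run of consecutive IDs that step by exactly one. It assumes input in the shape tcpdump(8) prints for DNS queries (the number before "+" is the query ID); the sample lines are constructed, not captured. It is a smoke test for the sequential-ID pattern, not a statistical test of the generator.

```shell
#!/bin/sh
# Added example, not code from the article or the OpenBSD project: a coarse
# defender-side sanity check that a resolver's outbound DNS query IDs are not
# sequential. Input is text in the shape tcpdump(8) prints for DNS queries,
# e.g. "IP 192.0.2.10.41000 > 192.0.2.53.53: 4711+ A? www.example.com. (33)",
# where the number before '+' (recursion desired) is the 16-bit query ID.
# The sample lines below are constructed, not captured.

# Print one query ID per line from tcpdump-style lines on stdin.
# Only queries to port 53 with the RD flag ('+') are matched, so answers
# ("192.0.2.53.53 > 192.0.2.10.41000: 4711 1/0/0 ...") are ignored.
dns_query_ids() {
    sed -n 's/^.*\.53: \([0-9][0-9]*\)+.*$/\1/p'
}

# Number of distinct IDs in the input.
distinct_ids() {
    dns_query_ids | sort -n | uniq | wc -l | tr -d ' '
}

# Longest run of back-to-back queries whose IDs increase by exactly one.
# A randomizing generator almost always gives runs of 1; a long run is the
# classic sequential-ID weakness.
longest_sequential_run() {
    dns_query_ids | awk '
        NR == 1                  { run = 1 }
        NR > 1 && $1 == prev + 1 { run++ }
        NR > 1 && $1 != prev + 1 { run = 1 }
        { if (run > best) best = run; prev = $1 }
        END { print best + 0 }'
}

# Constructed sample 1: sequential IDs, the weak pattern.
SEQUENTIAL_SAMPLE='IP 192.0.2.10.41000 > 192.0.2.53.53: 4711+ A? www.example.com. (33)
IP 192.0.2.10.41001 > 192.0.2.53.53: 4712+ A? mail.example.com. (34)
IP 192.0.2.10.41002 > 192.0.2.53.53: 4713+ AAAA? www.example.com. (33)
IP 192.0.2.10.41003 > 192.0.2.53.53: 4714+ MX? example.com. (29)'

# Constructed sample 2: unpredictable IDs, what a randomizing resolver emits.
RANDOM_SAMPLE='IP 192.0.2.10.41000 > 192.0.2.53.53: 53091+ A? www.example.com. (33)
IP 192.0.2.10.41001 > 192.0.2.53.53: 1842+ A? mail.example.com. (34)
IP 192.0.2.10.41002 > 192.0.2.53.53: 40217+ AAAA? www.example.com. (33)
IP 192.0.2.10.41003 > 192.0.2.53.53: 9+ MX? example.com. (29)'

# Summarize one sample: "<distinct> distinct IDs, longest +1 run <n>".
summarize_ids() {
    printf '%s distinct IDs, longest +1 run %s\n' \
        "$(printf '%s\n' "$1" | distinct_ids)" \
        "$(printf '%s\n' "$1" | longest_sequential_run)"
}

summarize_ids "$SEQUENTIAL_SAMPLE"   # 4 distinct IDs, longest +1 run 4
summarize_ids "$RANDOM_SAMPLE"       # 4 distinct IDs, longest +1 run 1
# Against a live resolver, feed real traffic instead of the samples, for
# example (constructed usage, needs root): tcpdump -l -n udp dst port 53 | dns_query_ids
```

A resolver that passes this check can still have a weak generator; the check only catches the crude failure mode. Keep the capture long enough (hundreds of queries) before drawing any conclusion from the distinct-ID count.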

Easy to use

Running a caching resolver on OpenBSD is as simple as echo named_flags="" >> /etc/rc.conf.local, and running an authoritative server for a DNS zone is only minimally more complicated. The full suite of DNS/BIND utilities ships with the operating system, including named-checkconf(8), named-checkzone(8) and dig(1) for troubleshooting configurations.
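To show what "only minimally more complicated" amounts to, here is an added example (not code from the article or the OpenBSD project) that writes a minimal named.conf and a master zone file, extracts the zone serial, validates both with named-checkconf(8) and named-checkzone(8) when those tools are present, and appends the rc.conf.local flag from the article. It assumes OpenBSD's chroot layout, where named runs chrooted to /var/named with its config at /var/named/etc/named.conf and zone files under master/ relative to the chroot; the chroot root and rc.conf.local path are parameters so the script can be exercised against a scratch directory, and the zone name, addresses and serial are constructed values.

```shell
#!/bin/sh
# Added example, not code from the article or the OpenBSD project: the files
# behind "only minimally more complicated", an authoritative master zone on
# OpenBSD's in-tree BIND 9. Assumed layout: named runs chrooted to /var/named,
# the config is /var/named/etc/named.conf and zone files sit under master/
# relative to the chroot. The chroot root is a parameter so this can be run
# against a scratch directory; zone name, addresses and serial are constructed.

# Write a minimal named.conf and a master zone file under chroot root $1.
write_bind_files() {
    root=$1
    mkdir -p "$root/etc" "$root/master"
    cat > "$root/etc/named.conf" <<'EOF'
// Paths are relative to the chroot (/var/named on OpenBSD).
options {
    version "";                     // do not advertise the BIND version
    listen-on    { any; };
    listen-on-v6 { any; };          // IPv6 works out of the box
    recursion no;                   // authoritative only: never an open resolver
};

zone "example.com" {
    type master;
    file "master/example.com";
    allow-transfer { 192.0.2.2; };  // zone transfers only to the secondary
};
EOF
    cat > "$root/master/example.com" <<'EOF'
$TTL 86400
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2007082701  ; serial (YYYYMMDDnn)
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                3600 )      ; negative-cache TTL
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.
ns1     IN  A   192.0.2.1
ns2     IN  A   192.0.2.2
www     IN  A   192.0.2.10
EOF
}

# Print the SOA serial of a zone file written in the layout above.
zone_serial() {
    awk '/; serial/ { print $1; exit }' "$1"
}

# Validate with the in-tree tools when present (named-checkconf -t makes the
# tool resolve paths inside the chroot, as named itself will). Returns 0 when
# the tools are absent so the script also runs off-box.
check_bind_files() {
    root=$1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$root" /etc/named.conf || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$root/master/example.com" || return 1
    fi
    return 0
}

# Enable named at boot: the article's one-liner, with the rc.conf.local path
# as a parameter (pass /etc/rc.conf.local on a real host).
enable_named() {
    echo 'named_flags=""' >> "$1"
}

# Demo against a scratch directory, never the live /var/named.
scratch=$(mktemp -d)
write_bind_files "$scratch"
echo "zone serial: $(zone_serial "$scratch/master/example.com")"
check_bind_files "$scratch" && echo "config and zone pass the checks (or tools absent)"
rm -rf "$scratch"
```

On a real host the stock /var/named/etc/named.conf already carries more than this (root hints, localhost zones, logging), so merge the zone and options stanzas into it rather than overwriting, run check_bind_files /var/named as root, and only then enable_named /etc/rc.conf.local and start named. Bumping the serial on every zone edit is what makes the secondary at 192.0.2.2 pick up the change.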

If you're looking for an easy win to introduce OpenBSD into your environment (or increase its footprint if you have already), this EOL notice is the perfect opportunity. Take the chance to suggest it and outline a case for its use. Even if you are not able to sell leadership on OpenBSD, use it as an opportunity to upgrade your aged and exposed BIND infrastructure to a new release. While it's certainly possible that some users may want to suggest alternate DNS implementations such as djbdns, migrating configurations and zone files to BIND 9 is usually an easier sell.



Comments
  1. By Anonymous Coward (165.228.157.146) on

    I testify that OpenBSD makes for the easiest DNS server build I've ever come across. I can have a new secondary up and running from scratch in under an hour without any streamlining, just put in the disk and configure the named.conf.

    Comments
    1. By Ray Percival (sng) on http://undeadly.org/cgi?action=search&sort=time&query=sng

      > I testify that OpenBSD makes for the easiest DNS server build I've ever come across. I can have a new secondary up and running from scratch in under an hour without any streamlining, just put in the disk and configure the named.conf.

      Installing over the network and with the sets that I built based on my backups I can build one in just under 12 minutes.

      Yeah, dick waving. But it's "OpenBSD rules" dick waving. So all fun and good natured.

      Comments
      1. By Anonymous Coward (59.167.1.174) on

        > > I testify that OpenBSD makes for the easiest DNS server build I've ever come across. I can have a new secondary up and running from scratch in under an hour without any streamlining, just put in the disk and configure the named.conf.
        >
        > Installing over the network and with the sets that I built based on my backups I can build one in just under 12 minutes.
        >
        > Yeah, dick waving. But it's "OpenBSD rules" dick waving. So all fun and good natured.

        What about patches and physical installation? Recovering from a prebuilt system hardly compares to "from scratch".

        Comments
        1. By Anonymous Coward (87.79.240.5) on

          > > > I testify that OpenBSD makes for the easiest DNS server build I've ever come across. I can have a new secondary up and running from scratch in under an hour without any streamlining, just put in the disk and configure the named.conf.
          > >
          > > Installing over the network and with the sets that I built based on my backups I can build one in just under 12 minutes.
          > >
          > > Yeah, dick waving. But it's "OpenBSD rules" dick waving. So all fun and good natured.
          >
          > What about patches and physical installation? Recovering from a prebuilt system hardly compares to "from scratch".

          siteXX.tgz?

          Comments
          1. By Anonymous Coward (59.167.1.174) on

            > > > > I testify that OpenBSD makes for the easiest DNS server build I've ever come across. I can have a new secondary up and running from scratch in under an hour without any streamlining, just put in the disk and configure the named.conf.
            > > >
            > > > Installing over the network and with the sets that I built based on my backups I can build one in just under 12 minutes.
            > > >
            > > > Yeah, dick waving. But it's "OpenBSD rules" dick waving. So all fun and good natured.
            > >
            > > What about patches and physical installation? Recovering from a prebuilt system hardly compares to "from scratch".
            >
            > siteXX.tgz?

            Why would you bother keeping a site file for a secondary DNS server? It's only two files to edit; besides, how often do you need to build a secondary DNS?

        2. By Ray Percival (sng) on http://undeadly.org/cgi?action=search&sort=time&query=sng

          > > > I testify that OpenBSD makes for the easiest DNS server build I've ever come across. I can have a new secondary up and running from scratch in under an hour without any streamlining, just put in the disk and configure the named.conf.
          > >
          > > Installing over the network and with the sets that I built based on my backups I can build one in just under 12 minutes.
          > >
          > > Yeah, dick waving. But it's "OpenBSD rules" dick waving. So all fun and good natured.
          >
          > What about patches and physical installation? Recovering from a prebuilt system hardly compares to "from scratch".

          Installing from my release server. And, yes, I ignored hardware.
