Re: Problem upgrading to 9.18 - important feature being removed

2024-02-28 Thread Matthijs Mekking

On 2/27/24 19:35, Michael Richardson wrote:

> Matthijs Mekking wrote:
>  > As the main developer of dnssec-policy, I would like to confirm that
>  > what has been said by Michael and Nick is correct.
>
> Cool.
>
>  > - When migrating to dnssec-policy, make sure the configuration matches
>  > your existing keys.
>
> Is there a way to validate the policy against what's in a specific
> zone/directory?
> Effectively, "do your key management stuff --just-kidding --verbose"?

There is nothing like that today.

>  > - Most issues that were shared on this list have to do with migrating
>  > to dnssec-policy.
>
> Agreed: and it bit me, and I am still a bit shell shocked.
>
>  > - If you feel like the DS is stuck in 'rumoured' state you might need
>  > to run 'rndc dnssec -checkds seen' on the key.
>
> okay, good to know this.
> . o O ( Umbrella Academy )
>
>  > - It is not recommended to switch to dnssec-policy if you are currently
>  > in a rollover.
>
>  > I acknowledge that migration takes some care and I wish the process was
>  > easier. We have some ideas to make it less error prone, but I haven't
>  > found the time to work on that.
>
> Are there open issues?

So far these were only ideas and not turned into gitlab issues, but 
things that I have been considering are a check to see if migration is 
complete (that would prevent any other policy changes), and a 
named-checkconf option to see if the dnssec-policy configuration matches 
the existing key-directory.

Carsten created an issue for dry-running a migration:

https://gitlab.isc.org/isc-projects/bind9/-/issues/4606
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
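The thread above says there is no tool yet to check that a dnssec-policy matches the keys already in a key-directory. The following is an added example, not BIND code and not from any poster, of the kind of pre-migration check an operator can run themselves: it reads the DNSKEY record out of each K<zone>+<alg>+<id>.key file, classifies the key as KSK or ZSK from the SEP flag, and reports algorithm and role mismatches against a small dict that stands in for the named.conf dnssec-policy block. The key-directory contents and the policy dict are constructed here; the key material is placeholder text.

```python
# Added example (not BIND code and not from the thread): summarise the key
# files in a BIND key-directory and compare them with what a dnssec-policy
# expects, i.e. the "make sure the configuration matches your existing keys"
# check that named-checkconf does not do today.
# Assumptions: standard BIND key file names K<zone>+<alg>+<id>.key, each
# holding one DNSKEY record; the policy is a small dict standing in for the
# named.conf dnssec-policy block.
import re
from collections import Counter

KEY_FILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<id>\d{5})\.key$")


def parse_dnskey_file(text):
    """Return (flags, protocol, algorithm) from the DNSKEY record in a .key file.

    Comment lines start with ';'. The record has the shape
    owner [ttl] [class] DNSKEY flags protocol algorithm base64-key.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        return flags, proto, alg
    raise ValueError("no DNSKEY record in key file")


def key_role(flags):
    """Bit 0 of the flags field is SEP: 257 = KSK (or CSK), 256 = ZSK."""
    return "ksk" if flags & 1 else "zsk"


def summarise_keys(files):
    """files maps file name -> contents (as read from the key-directory).

    Returns one dict per key with zone, role, algorithm and key id, and
    rejects a key whose file name disagrees with the record it contains.
    """
    keys = []
    for name, text in files.items():
        m = KEY_FILE_RE.match(name)
        if not m:
            continue  # .private/.state files or unrelated names
        flags, proto, alg = parse_dnskey_file(text)
        if proto != 3:
            raise ValueError(f"{name}: DNSKEY protocol must be 3, got {proto}")
        if alg != int(m.group("alg")):
            raise ValueError(f"{name}: algorithm in file name differs from record")
        keys.append({"zone": m.group("zone"), "role": key_role(flags),
                     "algorithm": alg, "keyid": int(m.group("id"))})
    return keys


def check_against_policy(keys, policy):
    """policy = {"algorithm": <number>, "keys": ["ksk", "zsk"] or ["csk"]}.

    Returns a list of human-readable findings; an empty list means the
    key-directory is consistent with the policy. A CSK carries the SEP flag,
    so a "csk" policy expects a 257 key and no separate ZSK.
    """
    findings = []
    for k in keys:
        if k["algorithm"] != policy["algorithm"]:
            findings.append(f"key {k['keyid']} uses algorithm {k['algorithm']}, "
                            f"policy expects {policy['algorithm']}")
    expected = {"ksk" if r in ("ksk", "csk") else "zsk" for r in policy["keys"]}
    present = Counter(k["role"] for k in keys)
    for role in sorted(expected):
        if present[role] == 0:
            findings.append(f"policy expects a {role} but none is in the key-directory")
    for role in present:
        if role not in expected:
            findings.append(f"key-directory has a {role} but the policy defines none")
    return findings


# Constructed sample key-directory: two ECDSAP256SHA256 keys (alg 13) that match
# a typical policy, plus a leftover RSASHA256 (alg 8) ZSK from an older setup.
# Key material is placeholder text, not real keys.
SAMPLE_FILES = {
    "Kexample.com.+013+12345.key":
        "; This is a key-signing key, keyid 12345, for example.com.\n"
        "example.com. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYMATERIAL==\n",
    "Kexample.com.+013+54321.key":
        "; This is a zone-signing key, keyid 54321, for example.com.\n"
        "example.com. 3600 IN DNSKEY 256 3 13 PLACEHOLDERKEYMATERIAL==\n",
    "Kexample.com.+008+11111.key":
        "example.com. 3600 IN DNSKEY 256 3 8 PLACEHOLDERKEYMATERIAL==\n",
    "Kexample.com.+013+12345.private": "Private-key-format: v1.3\n",
}
SAMPLE_POLICY = {"algorithm": 13, "keys": ["ksk", "zsk"]}

if __name__ == "__main__":
    for finding in check_against_policy(summarise_keys(SAMPLE_FILES), SAMPLE_POLICY):
        print("mismatch:", finding)
```

Against the constructed directory the check flags the stale algorithm 8 key, which is exactly the sort of leftover that makes a migration diverge from the policy; to run it on a real key-directory, build the `files` dict from `os.listdir` and the file contents. It deliberately does not touch `.private` or `.state` files, so it is safe to run on a live server.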


Deprecated DSCP support

2024-02-28 Thread Balazs Hinel (Nokia) via bind-users
Hi,
I am working on a product in Nokia, and we currently use BIND provided by Rocky 
Linux 8 with security patches. Recently the requirement came that we should 
upgrade to at least 9.16. During the testing of this version we realized that a 
feature we used, DSCP, has stopped working. Reading about the topic, we found 
the article about it being non-operational in 9.16, and removed in 9.18.
 
We also saw the email on this mailing list, stating that "so far, nobody has 
noticed" it is missing. Well, we noticed it just now, and I would like to state 
that our product and most probably other telecom equipment using BIND would 
miss it greatly. As I read in that mail, there was an alternative plan which 
would re-implement this functionality. If it is feasible, please consider doing 
it. The alternative options, e.g. setting it via iptables, cannot work in our 
use-case.
 
Best regards,
Balazs Hinel


Re: Deprecated DSCP support

2024-02-28 Thread Petr Menšík
We may want to help fix DSCP features, but I personally do not know of 
any usage where this feature would be used, and what for exactly. Recent 
bind9 uses libuv to back its network core, instead of the custom networking 
core maintained by ISC. But I haven't found any trace of DSCP support in the 
libuv docs [1]. I haven't found a way to set at least the type of service on 
UDP [2].


I think that would be the first place to support DSCP values for 
connections or sockets. Then, once libuv can use it, its support could 
be added back into named.


It would help, though, if you were more verbose about why iptables cannot 
replace it and what the use case is where it is useful, without simple 
alternatives present. If you described it, it might motivate more 
people to work on DSCP support. I haven't seen an important reason why it 
needs to be done by the daemon itself. Perhaps we can find an alternative 
way to set DSCP tags for you, if you are more verbose about how you use it?


Regards,
Petr

1. 
https://docs.libuv.org/en/v1.x/search.html?q=dscp&check_keywords=yes&area=default

2. https://docs.libuv.org/en/v1.x/udp.html

On 28. 02. 24 13:50, Balazs Hinel (Nokia) via bind-users wrote:

> Hi,
> I am working on a product in Nokia, and we currently use BIND provided by Rocky 
> Linux 8 with security patches. Recently the requirement came that we should 
> upgrade to at least 9.16. During the testing of this version we realized that a 
> feature we used, DSCP, has stopped working. Reading about the topic, we found 
> the article about it non-operational in 9.16, and removal in 9.18.
>
> We also saw the email on this mailing list, stating that "so far, nobody has 
> noticed" it is missing. Well, we noticed it just now, and I would like to state 
> that our product and most probably other telecom equipments using BIND would 
> miss it greatly. As I read in that mail, there was an alternative plan which 
> would re-implement this functionality. If it is feasible, please consider doing 
> it. The alternative options, e.g. setting it via iptables cannot work in our 
> use-case.
>
> Best regards,
>
> Balazs Hinel


--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

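Petr's point is that libuv gives the daemon no way to set the type of service on its sockets, which is what a per-socket DSCP feature needs. The following added example, not code from BIND, libuv or either poster, shows the underlying operating-system mechanism in Python: the DSCP code point is written into the upper six bits of the IPv4 TOS byte via IP_TOS (or the IPv6 Traffic Class via IPV6_TCLASS) with setsockopt, then read back to confirm the marking took effect. It assumes the Linux socket-option names exposed by Python's socket module; the CS6 and EF code points used are the standard values, and the sockets are created unbound so nothing is sent.

```python
# Added example (not BIND, libuv or the posters' code): mark a UDP socket
# with a DSCP code point directly with setsockopt, the per-socket marking
# that the thread says libuv does not expose. DSCP is the upper six bits of
# the IPv4 TOS byte (IP_TOS) or the IPv6 Traffic Class (IPV6_TCLASS); the low
# two bits are ECN and are written as zero here. Assumes Linux constant names
# as exposed by Python's socket module.
import socket

# Linux value for IPV6_TCLASS, used only if the socket module lacks the name
IPV6_TCLASS = getattr(socket, "IPV6_TCLASS", 67)


def dscp_to_tos(dscp):
    """Place a 6-bit DSCP value in the upper bits of the TOS/Traffic Class byte."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in 0..63")
    return dscp << 2


def tos_to_dscp(tos):
    """Recover the DSCP value from a TOS/Traffic Class byte, dropping ECN bits."""
    return (tos & 0xFF) >> 2


def set_socket_dscp(sock, dscp):
    """Apply a DSCP value to an existing socket and return the value the
    kernel reports back, so a caller can verify the marking took effect."""
    tos = dscp_to_tos(dscp)
    if sock.family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_TCLASS, tos)
        applied = sock.getsockopt(socket.IPPROTO_IPV6, IPV6_TCLASS)
    else:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        applied = sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)
    return tos_to_dscp(applied)


def marked_udp_socket_dscp(dscp, family=socket.AF_INET):
    """Create an unbound UDP socket, mark it, and return the DSCP read back."""
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        return set_socket_dscp(sock, dscp)


if __name__ == "__main__":
    # CS6 (48) is the code point commonly used for network control traffic
    print("DSCP applied:", marked_udp_socket_dscp(48))
```

Reading the option back is the check worth keeping in any such code: a value that silently fails to apply (wrong address family, or an option the platform does not support) would otherwise leave the traffic unmarked without any error. The same two setsockopt calls are what an application-level DSCP option has to issue on each listening and outgoing socket, which is why it has to live either in the network library or in the daemon itself.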


Re: BIND Upgrade

2024-02-28 Thread Petr Menšík
We are working intensively at Red Hat to finally fix that version. A 
huge thanks goes to ISC, which kindly provided a complex backport into the 9.11 
version, which they have not supported for a long time.


It was discovered that those changes also require changes to bind-dyndb-ldap 
used in freeipa, and may also break dhcp without rebuilds, because we use the 
bind rebuild also for dhcp; those were fixed already. It should finally be fixed 
soon. We are sorry this is taking us so long, but those changes 
are not trivial to make, especially without additional regressions.


If you can use the bind9.16 package instead, that would be fixed earlier.

Regards,
Petr

On 15. 02. 24 13:53, Semra Türkkal Nazlımoğlu wrote:

> Hello,
>
> Our bind version seems below. How can we upgrade bind version?
>
> And if we upgrade bind version, is there any problem?
>
> [root@ns2 ~]# named -v
>
> BIND 9.11.36-RedHat-9.11.36-11.el8_9 (Extended Support Version)
>
> Thanks
>
> Semra


--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB