Subject: Re: switching from bind8 to bind9
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 11/18/2002 10:59:37
>> which, while still parsable, also seems like a rather gratuitous
>> change.
>
>It's a log entry, and essentially a debugging one, for goodness sake!

no, not just a debugging one.  there are other uses for it as well.

>The more humanly readable, and the more complete, the better IMVNSHO.

right, in your opinion.  i happen not to share that opinion, and i'd
much rather trawl the data with a small script, picking out the
"interesting" bits.

for example, on my authoritative name server (which doesn't recurse at
all), queries fall into two types: those i can answer, and those i
can't.  those i can answer are obviously for zones for for which i am
authoritative.

the queries i can't answer fall into two types: recursive queries, and
non-recursive queries.  these are the interesting ones.  the recursive
ones are mostly people who just need a boot in the head to make them
see straight, or they get ignored if i have no idea who it is.  this
can also show evidence of an attack.

the non-recursive queries to a non-recursive server are more
interesting.  sometimes this is a result of someone pointing zone or
domain at my server without telling me.  this usually warrants the
boot, but then i typically tweak my name server (depending on who it
is) and start serving the zone.  in the other case of a non-recursive
query to a non-recursive server that can't answer from the data it
has, is also probably evidence of an attack.

given the query volume, i'd rather not do this by hand or visually.

>> that's still a cycle of "try to start", "try to fix", "try to start",
>> that most people would not like to deal with.
>
>I can supply fixed templates for the config files, etc., if anyone wants
>to use them!  ;-)
>
>(FYI I include full templates for all the RFC 1918 reverse zones too)

like that's hard...  8-P

>> >Worse though is that some of those features are crucial for some uses.
>> >For example the "host-statistics" option allows the operator of a
>> >recursive caching nameserver to determine where any records in the cache
>> >were learned from (and when).
>> 
>> yeah.  like that.  is that gone, too?  i didn't have to remove that
>> one to get bind9 to start, but i'd be dismayed to learn that it didn't
>> do anything any more.
>
>"rndc dumpb" and be dismayed.

bleah.

>.... and if you read the logs on startup you'll see something like:
>
>Nov 16 20:35:39 myhost named[7274]: /etc/named.conf:23: option 'host-statistics' is not implemented

i see no such error message, but i also see that the data is missing.
i wonder where the error went...

>> >I consider the full "check-names" feature set quite critical for
>> >production use too.
>> 
>> i've never used that.
>
>never say never.  (you can't turn it off now for zone files, FYI, but I
>can't turn it on for responses and slave files -- we both lose :-)

right, so i have to make my zonefiles conformant (as i always have)
but i also get to forward the garbage that you send me, regardless of
how bad it looks (well...to a degree).  that sounds like the old tenet
of "be liberal in what you accept, but conservative in what you send".

>> templates that require people to fill in keys.  which most people
>> would rather not deal with.  considering, though, that the named
>> script in rc.d would have to be rewritten somewhat anyway, i suppose
>> an "automated build" of rndc.conf could be stuffed in at that point.
>
>Yes, templates can, almost by definition, be automatically filled out.
>I've just been too lazy to script it myself.

actually, since we have a /dev/random, the use of rndc-confgen isn't
all that bad.

>(hmmmm.... I wonder if the key has to be generated in the recommended
>way, or will any approximately format-conforming string of random
>characters serve as a shared key?)

i think it has to have *some* sort of internal order to the bits.

>> whereas i haven't really looked at the bind9 code (except insofar as i
>> noticed it was totally different; a fact that i fully expected), but i
>> haven't had much trouble being the bind8 source to my will.
>
>you must be a lot more lenient on the code you work with than I am.  :-)

no, i've just worked with a lot of different code bases.  i can tell
bad code when i see it, and the bind code doesn't strike me as all
that bad.

>> >I'm most interested in what might be done to update the resolver library
>> >code....  (especially since bugs in that code that were discovered and
>> >documented and fixed by some folks about five years ago weren't fixed in
>> >NetBSD until just the other day (yes I know I should have been keeping
>> >my eyes open for such things too))
>> 
>> off the top of my head, i suppose symbol renaming would be the easiest
>> way to go, so that the updated bind4 api/abi could be kept in place
>> for backwards compat reasons, but so that newer applications would get
>> the bind9 routines.  but that's just me.
>
>I don't think it's that simple, though others have looked at this a lot
>more closely than I have....

we'll see.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."