> On 07/07/2012 14:16, Bjoern A. Zeeb wrote:
>> On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote:
>>> Doug Barton <dougb@Free...> writes:
>>>> The correct solution to this problem is to remove BIND from the base
>>>> altogether, but I have no energy for all the whinging that would happen
>>>> if I tried (again) to do that.
>>> I don't think there will be as much whinging as you expect. Times have
>>> I'm willing to import and maintain unbound (BSD-licensed validating,
>>> recursive, and caching DNS resolver) if you remove BIND.
>> I'd object to it. Trading one for another without gaining anything does
>> not help us much.
> Au contraire. It solves the problem of BIND release cycles not matching
> up with ours. This is a very important problem to solve.
Right and unbound et al are better? BIND at least gives us long term
support releases these days. We just need to make sure we pick them
> I've already written at length as to what I think the dream solution is,
> but we don't have anyone willing to code that yet, and even if we did,
> there is no guarantee that we'd get the buy-in to make it happen. In
> addition to being a good first step, doing this for DNS will also help
> us shake out the exact issues you allude to below.
>> Don't get me wrong, I have both running for years and even maintain patches
>> for unbound for 2 years now for functionality they do not provide, which
>> named happily gives me.
> Other than authoritative DNS, what features does unbound lack that you want?
DNS64 as a start. I don't care about the auth. support really with what is
in base; it is nice that it comes for free and it is nice that I'll not
run into port 53 conflicts on single-IP systems .... but the only thing we
really need is a caching resolver.
>> If you want to do this, I would prefer a properly laid out action plan
>> as the import is by far the easiest but the integration into various
>> parts of the system is harder.
> BIND in the base today comes with a full-featured local resolver
> configuration, which I'm confident that Dag-Erling can do for unbound
> (and which I would be glad to assist with if needed). Other than that,
> what integration are you concerned about?
startup scripts; resolvconf, named.conf -> unbound.conf guides for our users,
and not solving the issue that we really want a DNSSEC enabled caching
resolver with libc APIs for applications to use DNSSEC in base that people
are working on. We will probably need a crypto and most likely also an
external dnssec speaking resolver library for this in the future, but
which of the 7 it will be we don't know yet.
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!