BIND 8.3.0 RC2 is now available for public testing

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Jan 18 03:50:27 UTC 2002


> Mark.Andrews at isc.org wrote:
> >> Most of the bug fixes post 8.2.3 are in areas that many of us just don't
> >> use. There's lots of fixes to IXFR and DNSSEC stuff, and int support
> >> programs, which many servers don't use at all.
> >
> >	Just because *you* don't make use of them doesn't mean they
> >	are not important to those that do.  There are also a lot of
> >	bugs that potentially impact just about everyone.
> 
> Oh, absolutely.  My points here are that different folks use BIND
> differently.  If I don't use DNSSEC, I don't need to worry (much) about
> bugs in it.  

	Well you most probably didn't use TSIG either.  But the bug
	in the TSIG code was the critical one that turned 8.2.3
	from a feature release to a security release.
 
> Secondly, upgrading in itself is risky.  There is a risk that something that
> worked with one version won't with a new version.  That happened to me
> between 8.2.2-P5 and 8.2.3.  

	Agreed, there is already that risk with any upgrade.  However
	for people that actually followed the documentation 8.2.2-P5
	to 8.2.3 was basically painless.  Those that had problems
	generally had failed to follow the documentation.

> Given that, one needs to be able to evaluate which bugs are sufficiently
> dangerous to make the upgrade sufficiently less risky than staying put.

	8.2.4 and 8.2.5 were basically bug fix releases.  One generally
	removes more bugs than one adds when you concentrates on only on
	bug fixes.  If there is a 8.2.6 or 8.3.1 they will be bug fix only
	releases.

> >> We'd also like
> >> it for something less than the five digit US$ price I've been quoted for
> >> Nominum's minimum support contract.
> >
> >	What does this have to do with ISC or with why one should
> >	upgrade?
> 
> Once apon a time there was a set of support contracts available listed
> on the web site, some of them at quite reasonable prices.  Now it just
> says "go talk to Nominum".  Well, we did, and they *only* offer very
> comprehensive support, for an equally comprehensive price.  I don't need
> that level of support; I do want accurate and timely information about
> vulnerabilities that affect the systems I maintain so I can make an
> informed decision as to whether the riskier course of action is to
> upgrade or to stay with an installed version.  
> 
> While I'm not afraid to dig through code occasionally, it would be
> helpful if there was a better channel for information about changes
> available -- not necessarily for free, but for less than the cost of a
> support contract providing 7x24 response to any basic query.  
> 
> As things stand, my choices from the vendor are either a 7x24 30 minute
> response support contract, or very general upgrade announcements
> requiring considerable effort to interpret for a specific case, and a
> high risk of missing something important.  I'm looking for some middle
> ground here.
> 
> -- don
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org


More information about the bind-users mailing list