Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
dougb at dougbarton.us
Tue Dec 15 19:59:49 UTC 2009
Chris Thompson wrote:
> (Evan Hunt)
>> Adding SHA-2 to 9.6.x would violate our policy of making major
>> functional changes only in major releases, so I don't expect we'll
>> do that. Given the odd circumstances you mentioned, I won't say for
>> certain that we won't--but I doubt it.
>> 9.7.0 is going to be final in a little over a month, which is fortunate
> (But it's not too obvious to me that adding support for a new signing
> algorithm should necessarily be considered a "major functional change".)
Yes, I remembered Evan's statement from a while back, and didn't
respond at the time because I wanted to think about it some more.
Having thought about it, I agree with you that in my mind it's not a
"major functional change," and I strongly believe that adding support
for it in 9.6 is the right thing to do.
To expand on that a little more (and to slightly agree with Stephane)
it's already been necessary for anyone who wants to _validate_ to have
migrated to 9.6 for some time now. 9.6 has proven to be a good
release, and everyone to whom I've recommended it has been
thoroughly satisfied. Therefore (within the "validator" demographic)
we've got a pretty good installed base for whom a minor version
upgrade would not be a problem, and will likely happen when 9.6.2 is
released in any case. Expecting that installed base to upgrade to an
unproven .0 release with a lot of new features (read, untried code
paths) is not realistic. And it should go without saying that this is
with all due respect to the fine people who actually write BIND code.
I know they work hard to get it right, but I also know we're _all_ human.
OTOH for those that want to _sign_ their zones I have been telling
people for a while now that they need to start working with 9.7. I
even created a FreeBSD port for the RC version (which I have not done
for previous RCs) to help accelerate that process.
BIND 9.6.2 is in the "b1" phase atm, which means that there is plenty
of time to get SHA2 in there and get the release out before a signed
root goes live. I encourage the folks at ISC to do so, and if you
agree I encourage you to make your voice heard.
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
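The practical consequence of the thread above is what happens when a validator does not know an algorithm at all: a validator that supports none of the algorithms in a zone's key set cannot validate it and treats the zone as insecure (RFC 4035 section 5.2), which is exactly the situation a BIND 9.6.x resolver without RFC 5702 (RSASHA256/RSASHA512) support would be in for a zone signed only with those algorithms. The script below is an added example, not code from the thread or from ISC: it parses DNSKEY records in presentation format, computes each key's key tag (RFC 4034 Appendix B), flags keys that require RFC 5702 support, and reports whether a validator with a given algorithm set can use the zone at all. The sample records are constructed (the "AQAB" key material is a placeholder, not a real key), and the assumed algorithm set for a pre-RFC 5702 validator (1, 3, 5, 6, 7) is an assumption about BIND 9.6.0/9.6.1 taken from the registry, not a statement from the thread.

```python
"""Added example (not from the bind-users thread): audit a DNSKEY RRset for
algorithms a validator without RFC 5702 (SHA-2) support cannot use."""
import base64

# DNSSEC algorithm numbers from the IANA registry (RFC 4034 App. A, RFC 5155, RFC 5702).
ALGORITHMS = {
    1: "RSAMD5",
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
}

# Algorithms introduced by RFC 5702; a validator predating it does not recognise them.
SHA2_ALGORITHMS = {8, 10}

# Assumption (not from the thread): algorithm set of a pre-RFC 5702 validator
# such as BIND 9.6.0/9.6.1, and the same set with RFC 5702 added.
PRE_RFC5702 = {1, 3, 5, 6, 7}
WITH_RFC5702 = PRE_RFC5702 | SHA2_ALGORITHMS

# Constructed sample zones. "AQAB" is placeholder key material (just an RSA
# exponent of 65537), not a usable public key.
MIXED_RRSET = """\
example.test. 3600 IN DNSKEY 257 3 8 AQAB
example.test. 3600 IN DNSKEY 256 3 10 AQAB
example.test. 3600 IN DNSKEY 256 3 5 AQAB
"""
SHA2_ONLY_RRSET = """\
example.test. 3600 IN DNSKEY 257 3 8 AQAB
example.test. 3600 IN DNSKEY 256 3 10 AQAB
"""


def parse_dnskey(line):
    """Parse one DNSKEY RR in presentation format (TTL and class optional).
    Returns (owner, flags, protocol, algorithm, key_bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return owner, flags, protocol, alg, key


def key_tag(flags, protocol, alg, key):
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1/RSAMD5):
    16-bit ones-complement-style sum over the wire-format RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit(rrset_text, supported_algorithms):
    """Describe each key and say whether this validator can use the zone at all.
    Returns (per-key report, usable). usable is False when no algorithm in the
    set is supported, in which case RFC 4035 s5.2 has the validator treat the
    zone as insecure rather than bogus."""
    report = []
    for line in rrset_text.strip().splitlines():
        owner, flags, protocol, alg, key = parse_dnskey(line)
        report.append({
            "owner": owner,
            # SEP bit (flags value 1) marks a key-signing key, RFC 4034 s2.1.1.
            "role": "KSK" if flags & 0x0001 else "ZSK",
            "algorithm": alg,
            "name": ALGORITHMS.get(alg, "unknown(%d)" % alg),
            "tag": key_tag(flags, protocol, alg, key),
            "needs_rfc5702": alg in SHA2_ALGORITHMS,
            "supported": alg in supported_algorithms,
        })
    usable = any(k["supported"] for k in report)
    return report, usable


if __name__ == "__main__":
    for label, rrset in (("mixed", MIXED_RRSET), ("SHA-2 only", SHA2_ONLY_RRSET)):
        for vname, algs in (("pre-RFC5702", PRE_RFC5702), ("RFC5702", WITH_RFC5702)):
            report, usable = audit(rrset, algs)
            print("%s zone, %s validator: %s" % (
                label, vname, "validatable" if usable else "treated as INSECURE"))
            for k in report:
                print("  %s %s tag=%d alg=%d (%s) supported=%s" % (
                    k["owner"], k["role"], k["tag"], k["algorithm"], k["name"], k["supported"]))
```

The point to take from the output is the failure mode, not the tags: the SHA-2-only zone is not rejected as bogus by the older validator, it silently falls back to unvalidated answers, so an operator who signs with RSASHA256 gets no protection at all from resolvers that predate RFC 5702 support.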