Caching Nameserver and BIND RPM Compatibility

Mark Andrews marka at isc.org
Sat Jul 12 00:41:53 UTC 2014 

Not every *important* fix is a *security* fix.

OS vendor that just backport security fixes are doing their customers
a disservice.  We issue -P's because security issues require timely
fixes.  We expect OS maintainers to actually include our maintainence
fixes in their maintainence releases.

BIND 9.10 (and 9.11 when it is released) will run with BIND 8's
configuration files modulo a couple of issues documented issues
jumping from 8 to 9.  BIND 8 was developed nearly 20 years ago.
There really isn't a good reason for OS maintainers to not upgrade
when a version goes eol or when a maintanence release is done.
Backwards compatibility is important to us.  BIND 9.10 will run a
BIND 9.0 configuration.

Yes, there is a slight risk of new bugs being introduced but that
needs to be weighed against the risk of running with known older
bugs.  Almost all bug fixes we make need to be back ported to all
supported versions.

Mark

In message <CFE58FD1.4CD81%michoski at cisco.com>, "Mike Hoskins (michoski)" writes:
> -----Original Message-----
> From: Asai <asai at globalchangemusic.org>
> Date: Friday, July 11, 2014 at 12:56 PM
> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Caching Nameserver and BIND RPM Compatibility
> 
> >Greetings,
> >
> >We're setting up caching-nameserver on an existing BIND instance. The
> >version of BIND is 9.7. Is there a specific compatible version of
> >caching-nameserver RPM that's compatible with 9.7?  The latest one
> >available in the yum repos on this particular server (CentOS 5.8) is
> >9.3.6-20.P1.el5_8.6
> 
> In general I don't think you have to be too concerned about compatibility.
>  One exception I know of is the default zone format change when moving to
> the latest BIND versions:
> 
> https://lists.isc.org/pipermail/bind-users/2012-May/087554.html
> 
> I'm sure others will call out points I've missed.
> 
> Assuming you just use upstream vendor repos to update, the latest
> caching-nameserver should have relevant fixes backported by now and will
> be based on the same major release in terms of functionality (how
> RedHat/CentOS generally do things)...
> 
> I'd still suggest moving to the latest BIND version.  The config is
> straight-forward, you have many templates from the 'Net as well as a
> reference in the caching-nameserver files, and you can generate your own
> RPMs easily if this is large-scale and building from source doesn't make
> sense.
> 
> http://www.cymru.com/Documents/secure-bind-template.html
> 
> http://www.five-ten-sg.com/mapper/bind
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list