Concerns/warnings in upgrading from 9.9 to 9.11?

Jay Ford jnford at
Tue Jan 9 18:59:01 UTC 2018

On Tue, 9 Jan 2018, Oscar Ricardo Silva wrote:
> I currently run 9.9.9-P4 on recursive caching servers and with the 
> announcement that 9.9 and 9.10 are approaching end of maintenance, I've 
> decided it's time to move to 9.11.
> Are there any issues, warnings, concerns in upgrading? Changes that need to 
> be made to named.conf? I know there are new features but I'm more concerned 
> about an in-place upgrade with no change to the current build process or 
> configuration.

I've not actually run 9.11 in full deployment because we couldn't tolerate
the number of names which were rendered unresolvable due to the more
strenuous EDNS checking introduced in 9.11 (apparently as part of the COOKIE
features).  The problem is in the other broken servers rather than in BIND,
but the practical effect that names couldn't be resolved prompted us to stay
with 9.10 so far.  The use of the relatively recent "send-cookie no;" option
seems to work around that problem, providing a way for us to run 9.11 here.
However, at this point I'm planning to skip 9.11 & go with 9.12 when it gets
released for real (assuming my testing continues to yield favorable results).

Some of the good things in BIND 9.11 (some introduced in 9.10 & some in 9.11)
    o  IPv6 is enabled by default, including listening
    o  response rate limiting (RRL) is built-in by default; that doesn't apply
       to purely recursive servers, but it's very nice
    o  the "in-view" method allowing a zone to be shared among views
    o  DNSTAP
    o  general DNSSEC improvements

The main things I'm after in 9.12 are:
    o  named-handled rotation of DNSTAP output files;  based on my testing
       that's broken for multi-threaded use in 9.12.0rc1 because the
       rolling of the file(s) seems to be done simultaneously by multiple
       threads with no coordination, but I hope to see it fixed in the real
       9.12 release
    o  configuration of the COOKIE secret, required for anycast servers;
       that's broken in 9.11 but seems to work correctly in 9.12

Jay Ford, Network Engineering, University of Iowa
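As an added illustration (not part of the original message or of BIND's own documentation), here is how the pieces discussed above fit into a named.conf for a recursive resolver: the global "send-cookie no;" workaround, the narrower per-server form that keeps COOKIE protection everywhere else, DNSTAP output as it exists in 9.11 (no named-handled rotation), and an "in-view" zone shared between views. Paths, ACLs and the address range are placeholders.

```conf
options {
    directory "/var/named";              // placeholder path
    recursion yes;
    allow-recursion { localnets; };      // placeholder client ACL

    // Workaround from the post: stop sending the EDNS COOKIE option so that
    // authoritative servers which mishandle unknown EDNS options still answer.
    // Caveat: this also discards the off-path spoofing protection cookies
    // give; where the broken servers are known, prefer the server{} form below.
    send-cookie no;

    // DNSTAP as of 9.11: log resolver-side queries and responses to one file.
    // 9.11 has no named-driven rotation of this file; rotate it externally.
    dnstap { resolver; };
    dnstap-output file "/var/named/dnstap.out";   // placeholder path
};

// Narrower alternative to the global setting: disable cookies only toward a
// range known to break on them (192.0.2.0/24 is a documentation-only range,
// used here as a placeholder) and keep them on for everyone else.
// (Remove "send-cookie no;" from options {} when using this form.)
server 192.0.2.0/24 {
    send-cookie no;
};

// "in-view": load the zone once in "internal" and reference it from
// "external" instead of loading a second copy.
view "internal" {
    match-clients { localnets; };
    zone "example.com" {                 // placeholder zone
        type master;
        file "example.com.zone";         // placeholder path
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        in-view "internal";
    };
};
```

Check the result with named-checkconf before reloading; the global and per-server send-cookie settings are shown together only to contrast them, so keep one or the other in a deployed file.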