Plan to remove ISC custom SPNEGO from BIND

Victoria Risk vicky at
Wed Mar 31 17:14:12 UTC 2021

Hey there BIND Users-

We have removed the ISC custom SPNEGO implementation from the development branch (9.17.x). We intend to also remove it from BIND 9.16 and 9.11. This is very old and fragile code and it provides extra risk for everyone, while being useful for (we think) almost nobody.

- First what it is: SPNEGO is some black magic which helps to negotiate how a client authenticates to a server (basically find intersection of sets of supported mechanisms on both sides).

- Normally it is provided by libraries installed in the operating system, but for historical reasons BIND carries its own copy of that library. (back when there were more operating systems that didn’t have this support)

- Support for BIND was introduced in 2006, and in the same year support for the same was introduced into MIT Kerberos 1.5.

- Systems with the MIT Kerberos library (which is open-source) newer than 15 years can use that system library version, and ignore whatever BIND ships.

- The MIT Kerberos version has been patched many times over the years while the ISC implementation has not been well maintained.

We wouldn’t normally remove something from an old stable extended support version (9.11) but since this code seems to be obsolete and risky, we plan to do so. If anyone can think of a good reason not to, please let us know asap. SW Engineering’s fingers are quivering over the delete key.

Thank you!

Vicky Risk
Product Manager
