Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Paul Vixie Paul_Vixie at
Sat Nov 24 00:09:16 UTC 2007

> On the one side you (= upstream) say that I have to remove that option but
> users like it. For now I'm not going to remove edns patch.

please socialize your users to the workaround posted here earlier today by
mark andrews:

	server ::/0 { edns no; };
	server { edns no; };

	It's not like there will be many server clauses anyway
	and you can actually add additional server clauses to
	use edns behind the firewall;

		server <internalnet>/mask { edns yes; };

> Allen's idea looks like a good compromise to me. I'm going to add some
> log message to my patch that the global option is going to be removed and
> when you do something with the logging issue I will remove that patch.

please consider coding up allen's suggestion and contributing it "upstream".

> Main argument why I'm shipping 9.5 is that I think GSS-TSIG is a pretty
> good mechanism and I don't want to backport a big patch from 9.5 to 9.4.

9.5 isn't code-frozen yet, and everything about it, including the inner
workings of gss-tsig, is still subject to revision.  i think your users
would rather not see this code on their computers until it's been frozen.
> I don't think the current 9.5 is absolutely unstable. Yes, generally an
> "a" character in a release immediately fills anyone with dread but I
> think 9.5 is good. And from CVS it looks like 9.5 is coming to beta stage
> so it will be better and better :)

speaking for isc, we appreciate your confidence.  but if it was good enough
to ship, we'd've signalled that by calling it a "release" rather than an
"alpha".  gack, did you really ship a bind9 alpha for production use?
