On 07/03/2012 06:36, Mark Felder wrote: > On Tue, 03 Jul 2012 07:39:34 -0500, Dag-Erling Smørgrav <d...@des.no> wrote: > >> >> I don't think there will be as much whinging as you expect. Times have >> changed. > > Agreed; if we need DNS in base (really, why?) then unbound+nsd are prime > candidates, but they're healthily maintained in ports...soo... no real > advantage.
We should not put nsd in the base. There is no need for an authoritative server in the base, the only reason BIND is there is that it is also a resolver, and, of course, hysterical raisins. The dream scenario is one we've discussed in the past: 1. Promote certain ports to "system" status, with more stringent requirements for both the ports, and the maintainers. 2. Re-tool the installer to give the users choice of which (if any) of the key system components get installed. Obvious choices for this category are the perennial favorites of DNS (resolver) and mail, reasonable arguments can be made for others of course. Whether we do the above or not, ldns/drill should be imported into the base so that we have at least one command line DNS resolution tool. A good "junior hacker" project would be to make a host(1) clone using ldns. If users want the regular bind tools, ports/dns/bind-tools already exists. Given it's unlikely that actually making the installer more modular will happen before 10-RELEASE, importing unbound is the next best alternative. And regarding the "it's a young project" issue, I've followed their development closely, I know the people involved, and I've used it for some projects. I have zero hesitation. And for those who are unclear on the problem we're trying to solve, a quick recap. As things have evolved over time the BIND release cycles and ours have diverged. Since we don't update the version of BIND in the base for POLA reasons, for FreeBSD 6, and now 7, this has led to a situation where our oldest release has an unsupported version of BIND. Clearly this is unacceptable. Oh, and to anticipate the traditional "zomg! don't turn freebsd into linux!!!11!!!" response: First, just because linux does something doesn't make it wrong, and Second, we can definitely add a *little* more modularity (which the users have been asking for as long as I can remember) without "turning into linux." And finally, to address the "why have a resolver on the system at all?" question, one word: DNSSEC. At this time there is no good solution to the problem of the local host system being able to validate a DNSSEC response. The only viable solution _at this time_ is to have a local, validating resolver. (Of course, other solutions are being worked on, but they aren't here yet.) This will become much more important over time as DNSSEC adoption increases, and more things begin to use it (like DANE). Doug -- This .signature sanitized for your protection _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"