Re: F37 proposal: BIND 9.18 (Self-Contained Change proposal)
On Sat, 2022-07-16 at 13:02 +0300, Alexander Bokovoy wrote:
> We tested this extensively in FreeIPA upstream CI using a separate COPR
> repo. Current FreeIPA versions in Fedora are ready and rawhide version of
> bind-dyndb-ldap only needs a rebuild.
>
> I'm currently on a sick leave but Peter should be able to handle it with
> his bind/bind-dyndb-ldap maintainer rights.

Thanks, that's very reassuring!

> On Saturday, July 16, 2022, Adam Williamson wrote:
> > On Fri, 2022-07-15 at 17:30 -0400, Ben Cotton wrote:
> > >
> > > == Scope ==
> > > * Proposal owners: The update required update of bind-dyndb-ldap
> > > package (part of Freeipa suite), but otherwise it is isolated change.
> >
> > That's a big 'but'. FreeIPA is a release-blocking part of Server, one
> > of our Editions. We've seen issues before between bind upgrades and
> > FreeIPA. I would like to see assurances that this is being planned
> > together with FreeIPA folks and resources will be in place to ensure
> > FreeIPA is fully tested and working when this is deployed.
> > --
> > Adam Williamson
> > Fedora QA
> > IRC: adamw | Twitter: adamw_ha
> > https://www.happyassassin.net

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F37 proposal: BIND 9.18 (Self-Contained Change proposal)
We tested this extensively in FreeIPA upstream CI using a separate COPR repo. Current FreeIPA versions in Fedora are ready and rawhide version of bind-dyndb-ldap only needs a rebuild.

I'm currently on a sick leave but Peter should be able to handle it with his bind/bind-dyndb-ldap maintainer rights.

On Saturday, July 16, 2022, Adam Williamson wrote:

> On Fri, 2022-07-15 at 17:30 -0400, Ben Cotton wrote:
>>
>> == Scope ==
>> * Proposal owners: The update required update of bind-dyndb-ldap
>> package (part of Freeipa suite), but otherwise it is isolated change.
>
> That's a big 'but'. FreeIPA is a release-blocking part of Server, one
> of our Editions. We've seen issues before between bind upgrades and
> FreeIPA. I would like to see assurances that this is being planned
> together with FreeIPA folks and resources will be in place to ensure
> FreeIPA is fully tested and working when this is deployed.
> --
> Adam Williamson
> Fedora QA
> IRC: adamw | Twitter: adamw_ha
> https://www.happyassassin.net

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Re: F37 proposal: BIND 9.18 (Self-Contained Change proposal)
On Fri, 2022-07-15 at 17:30 -0400, Ben Cotton wrote:
>
> == Scope ==
> * Proposal owners: The update required update of bind-dyndb-ldap
> package (part of Freeipa suite), but otherwise it is isolated change.

That's a big 'but'. FreeIPA is a release-blocking part of Server, one of our Editions. We've seen issues before between bind upgrades and FreeIPA. I would like to see assurances that this is being planned together with FreeIPA folks and resources will be in place to ensure FreeIPA is fully tested and working when this is deployed.

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
F37 proposal: BIND 9.18 (Self-Contained Change proposal)
https://fedoraproject.org/wiki/Changes/BIND_9.18

This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
(not provided)

== Owner ==
* Name: [[User:pemensik| Petr Menšík]]
* Email:

== Detailed Description ==
ISC BIND9 will be upgraded to new major release version 9.18.x. It introduces new features and changes. It will also remove some packages provided before.

== Benefit to Fedora ==
The most recent major release will be provided, with some notable features:
* Support for DNS over TLS and DNS over HTTPS servers. Both authoritative and resolver modes.
* Reworked internal connection handling using libuv
* RNDC channel does not support unix sockets [https://gitlab.isc.org/isc-projects/bind9/-/issues/1759]
* Zone transfers over [https://datatracker.ietf.org/doc/html/rfc9103.html DNS over TLS] were added, both incoming and outgoing.
* dig is now able to send queries using DNS over TLS
* dig is now able to send queries using DNS over HTTPS

== Scope ==
* Proposal owners: The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.
* Other developers: Any developers
* Change pull request: [https://src.fedoraproject.org/rpms/bind/pull-request/13 bind PR#13]
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==
Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that was resolved.

=== PKCS11 removal ===
Native PKCS11 builds in separate '''bind-pkcs11''' package and '''bind-pkcs11-utils''' will no longer be built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine. Following commands would be removed:
* pkcs11-keygen
* pkcs11-destroy
* pkcs11-list
* pkcs11-tokens
All their actions should be possible using ''pkcs11-tool'' from ''opensc'' package or ''p11tool'' from ''gnutls-utils'' package.
* dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using ''-E pkcs11'' parameter to their respective normal dnssec-* tool.

=== Python isc module ===
The utilities ''dnssec-checkds'', ''dnssec-coverage'', and ''dnssec-keymgr'' have been removed from '''bind-dnssec-utils''' package. Also '''python3-bind''' python module is no longer supported by ISC upstream and therefore removed from a bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the [https://bind9.readthedocs.io/en/v9_18_4/reference.html#dnssec-policy-grammar dnssec-policy configuration option] for more details.

=== Map file format ===
Support for the ''map'' zone file format (''masterfile-format map;'') has been removed. Use ''raw'' format instead, which has similar performance and fewer issues.

=== Removed options ===
Previously deprecated options were removed and are no longer accepted in ''/etc/named.conf''. Their full list can be found on [https://bind9.readthedocs.io/en/v9_18_4/notes.html#removed-features removed features] release notes in Upstream.

== How To Test ==
(not supplied)

== User Experience ==
* Users will get simple tools to query also encrypted DNS servers.
* Recent improvements packaged.
* Simplified DNSSEC maintenance of both keys and signatures via ''dnssec-policy''

== Dependencies ==
bind-dyndb-ldap would be built together with bind package. It was upgraded to version 11.10 to support BIND 9.18 release.

== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change), Yes/No

== Documentation ==
N/A (not a System Wide Change)

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
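
A pre-upgrade check for the removals listed under "Upgrade/compatibility impact" in the proposal above, as an added example that is not part of the proposal or of the bind package. The rule table covers only the items the proposal names (not the full upstream list of removed options), and the sample configuration, zone name and script are constructed for illustration.

```python
import re

# Removed items and replacements as named in the proposal; not the full upstream list.
RULES = [
    (re.compile(r"\bmasterfile-format\s+map\s*;"),
     "map zone format removed: use 'masterfile-format raw;'"),
    (re.compile(r"\bpkcs11-(?:keygen|destroy|list|tokens)\b"),
     "removed: use pkcs11-tool (opensc) or p11tool (gnutls-utils)"),
    (re.compile(r"\bdnssec-[a-z0-9]+-pkcs11\b"),
     "removed: run the normal dnssec-* tool with '-E pkcs11'"),
    (re.compile(r"\bdnssec-(?:checkds|coverage|keymgr)\b"),
     "removed: use the dnssec-policy option in named"),
]

def strip_comments(text):
    # Blank out /* ... */ blocks, keeping newlines so line numbers stay correct.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.S)
    # Drop '//' and '#' comments to end of line (heuristic: ignores quoting).
    return re.sub(r"(?://|#).*", "", text)

def audit(text):
    """Return (line_number, matched_text, advice) for each removed construct."""
    findings = []
    for lineno, line in enumerate(strip_comments(text).splitlines(), 1):
        for pattern, advice in RULES:
            for m in pattern.finditer(line):
                findings.append((lineno, m.group(0), advice))
    return findings

# Constructed sample inputs (hypothetical zone name, paths and script).
SAMPLE_CONF = """\
options {
    directory "/var/named";
    // masterfile-format map;  (old setting, already commented out)
};
zone "example.test" {
    type primary;
    file "example.test.db";
    masterfile-format map;
};
"""
SAMPLE_SCRIPT = """\
#!/bin/sh
pkcs11-list -p "$PIN"
dnssec-signzone-pkcs11 -o example.test example.test.db
dnssec-coverage -K /var/named/keys example.test
"""

if __name__ == "__main__":
    for name, text in (("named.conf", SAMPLE_CONF), ("sign.sh", SAMPLE_SCRIPT)):
        for lineno, match, advice in audit(text):
            print(f"{name}:{lineno}: {match}: {advice}")
```

Running `audit()` over `/etc/named.conf`, its include files and any key-management scripts before the upgrade shows which lines need changing; commented-out settings are skipped.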