From Fedora Project Wiki

Revision as of 18:06, 25 July 2022 by Bcotton (talk | contribs) (Change submitted to FESCo)


BIND 9.18

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Owner


Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-07-25
  • devel thread
  • FESCo issue: #2840
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

ISC BIND9 will be upgraded to new major release version 9.18.x. It introduces new features and changes. It will also remove some packages provided before.

Feedback

Benefit to Fedora

The most recent major release will be provided, with some notable features:

  • Support to DNS over TLS and DNS over HTTPS servers. Both authoritative and resolver modes.
  • Reworked internal connection handling using libuv
  • RNDC channel does not support unix sockets [1]
  • Zone transfers over DNS over TLS were added, both incoming and outgoing.
  • dig is now able to send queries using DNS over TLS
  • dig is now able to send queries using DNS over HTTPS


Scope

  • Proposal owners:
  • The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.
  • Other developers:

Any developers

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that were resolved.

PKCS11 removal

Native PKCS11 builds in separate bind-pkcs11 package and bind-pkcs11-utils will be not longer built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine.

Following commands would be removed:

  • pkcs11-keygen
  • pkcs11-destroy
  • pkcs11-list
  • pkcs11-tokens

All their actions should be possible using pkcs11-tool from opensc package or p11tool from gnutls-utils package.

  • dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using -E pkcs11 parameter to their respective normal dnssec-* tool.

Python isc module

The utilities dnssec-checkds, dnssec-coverage, and dnssec-keymgr have been removed from bind-dnssec-utils package. Also python3-bind python module is no longer supported by ISC upstream and therefore removed from a bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the dnssec-policy configuration option for more details.

Map file format

Support for the map zone file format (masterfile-format map;) has been removed. Use raw format instead, which has similar performance and less issues. Use named-compilezone -f map -F raw tool to convert the zone to raw format before the upgrade.

Removed options

Previously deprecated options were removed and are no longer accepted in /etc/named.conf. Their full list can be found on removed features release notes in Upstream.

How To Test

User Experience

  • Users will get simple tools to query also encrypted DNS servers.
  • Recent improvements packaged.
  • Simplified DNSSEC maintenance of both keys and signatures via dnssec-policy

Dependencies

bind-dyndb-ldap would be built together with bind package. It were upgraded to version 11.10 to support BIND 9.18 release.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

- Upstream release notes

N/A (not a System Wide Change)

Release Notes