https://fedoraproject.org/wiki/Changes/BIND_9.18
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
== Summary == (not provided)
== Owner == * Name: [[User:pemensik| Petr Menšík]] * Email: pemensik@redhat.com
== Detailed Description == ISC BIND9 will be upgraded to new major release version 9.18.x. It introduces new features and changes. It will also remove some packages provided before.
== Benefit to Fedora == The most recent major release will be provided, with some notable features:
* Support to DNS over TLS and DNS over HTTPS servers. Both authoritative and resolver modes. * Reworked internal connection handling using libuv * RNDC channel does not support unix sockets [https://gitlab.isc.org/isc-projects/bind9/-/issues/1759] * Zone transfers over [https://datatracker.ietf.org/doc/html/rfc9103.html DNS over TLS] were added, both incoming and outgoing. * dig is now able to send queries using DNS over TLS * dig is now able to send queries using DNS over HTTPS
== Scope == * Proposal owners: The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.
* Other developers: Any developers * Change pull request: [https://src.fedoraproject.org/rpms/bind/pull-request/13 bind PR#13]
* Release engineering: * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with Objectives:
== Upgrade/compatibility impact == Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that were resolved.
=== PKCS11 removal ===
Native PKCS11 builds in separate '''bind-pkcs11''' package and '''bind-pkcs11-utils''' will be not longer built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine.
Following commands would be removed:
* pkcs11-keygen * pkcs11-destroy * pkcs11-list * pkcs11-tokens
All their actions should be possible using ''pkcs11-tool'' from ''opensc'' package or ''p11tool'' from ''gnutls-utils'' package.
* dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using ''-E pkcs11'' parameter to their respective normal dnssec-* tool.
=== Python isc module ===
The utilities ''dnssec-checkds'', ''dnssec-coverage'', and ''dnssec-keymgr'' have been removed from '''bind-dnssec-utils''' package. Also '''python3-bind''' python module is no longer supported by ISC upstream and therefore removed from a bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the [https://bind9.readthedocs.io/en/v9_18_4/reference.html#dnssec-policy-grammar dnssec-policy configuration option] for more details.
=== Map file format ===
Support for the ''map'' zone file format (''masterfile-format map;'') has been removed. Use ''raw'' format instead, which has similar performance and less issues.
=== Removed options ===
Previously deprecated options were removed and are no longer accepted in ''/etc/named.conf''. Their full list can be found on [https://bind9.readthedocs.io/en/v9_18_4/notes.html#removed-features removed features] release notes in Upstream.
== How To Test == (not supplied)
== User Experience == * Users will get simple tools to query also encrypted DNS servers. * Recent improvements packaged. * Simplified DNSSEC maintenance of both keys and signatures via ''dnssec-policy''
== Dependencies == bind-dyndb-ldap would be built together with bind package. It were upgraded to version 11.10 to support BIND 9.18 release.
== Contingency Plan == * Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change) * Contingency deadline: N/A (not a System Wide Change) * Blocks release? N/A (not a System Wide Change), Yes/No
== Documentation == N/A (not a System Wide Change)
On Fri, 2022-07-15 at 17:30 -0400, Ben Cotton wrote:
== Scope ==
- Proposal owners: The update required update of bind-dyndb-ldap
package (part of Freeipa suite), but otherwise it is isolated change.
That's a big 'but'. FreeIPA is a release-blocking part of Server, one of our Editions. We've seen issues before between bind upgrades and FreeIPA. I would like to see assurances that this is being planned together with FreeIPA folks and resources will be in place to ensure FreeIPA is fully tested and working when this is deployed.
We tested this extensively in FreeIPA upstream CI using a separate COPR repo. Current FreeIPA versions in Fedora are ready and rawhide version of bind-dyndb-ldap only needs a rebuild.
I'm currently on a sick leave but Peter should be able to handle it with his bind/bind-dyndb-ldap maintainer rights.
On Saturday, July 16, 2022, Adam Williamson adamwill@fedoraproject.org wrote:
On Fri, 2022-07-15 at 17:30 -0400, Ben Cotton wrote:
== Scope ==
- Proposal owners: The update required update of bind-dyndb-ldap
package (part of Freeipa suite), but otherwise it is isolated change.
That's a big 'but'. FreeIPA is a release-blocking part of Server, one of our Editions. We've seen issues before between bind upgrades and FreeIPA. I would like to see assurances that this is being planned together with FreeIPA folks and resources will be in place to ensure FreeIPA is fully tested and working when this is deployed. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net
devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
On Sat, 2022-07-16 at 13:02 +0300, Alexander Bokovoy wrote:
We tested this extensively in FreeIPA upstream CI using a separate COPR repo. Current FreeIPA versions in Fedora are ready and rawhide version of bind-dyndb-ldap only needs a rebuild.
I'm currently on a sick leave but Peter should be able to handle it with his bind/bind-dyndb-ldap maintainer rights.
Thanks, that's very reassuring!
On Saturday, July 16, 2022, Adam Williamson adamwill@fedoraproject.org wrote:
On Fri, 2022-07-15 at 17:30 -0400, Ben Cotton wrote:
== Scope ==
- Proposal owners: The update required update of bind-dyndb-ldap
package (part of Freeipa suite), but otherwise it is isolated change.
That's a big 'but'. FreeIPA is a release-blocking part of Server, one of our Editions. We've seen issues before between bind upgrades and FreeIPA. I would like to see assurances that this is being planned together with FreeIPA folks and resources will be in place to ensure FreeIPA is fully tested and working when this is deployed. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net
devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
-- _______________________________________________ server mailing list -- server@lists.fedoraproject.org To unsubscribe send an email to server-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-
Adam Williamson -
Alexander Bokovoy -
Ben Cotton