From Fedora Project Wiki
m (Add trackers)
 
(18 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Change BIND 9.18 =
= BIND 9.18 =


== Summary ==
== Summary ==
Line 20: Line 20:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF37]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 38: Line 38:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/QCTN7NBN3WFOKNI4VQGAZWI7DBJEJZUC/ devel thread]
* Tracker bug: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2840 #2840]
* Release notes tracker: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2114330 #2114330]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/869 #869]


== Detailed Description ==
== Detailed Description ==
Line 92: Line 93:
* Proposal owners:
* Proposal owners:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.
* The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
Any developers
Any developers
* Change pull request: [https://src.fedoraproject.org/rpms/bind/pull-request/13 bind PR#13]


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 118: Line 121:
Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that were resolved.
Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that were resolved.


== PKCS11 removal ==
=== PKCS11 removal ===


Native PKCS11 builds in separate '''bind-pkcs11''' package and '''bind-pkcs11-utils''' will be not longer built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine.
Native PKCS11 builds in separate '''bind-pkcs11''' package and '''bind-pkcs11-utils''' will be not longer built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine.
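Review bot: In the PKCS11 removal paragraph, "supported only indirectly using OpenSSL pkcs11 engine" does not tell an administrator with token-backed keys what has to be installed or configured for named to keep reaching the token after the upgrade. Suggest naming the package that provides the engine and linking to its setup. The wording "will be not longer built" and, in the paragraph above it, "but that were resolved" should read "will no longer be built" and "but that was resolved".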
Line 124: Line 127:
Following commands would be removed:
Following commands would be removed:


- pkcs11-keygen
* pkcs11-keygen
- pkcs11-destroy
* pkcs11-destroy
- pkcs11-list
* pkcs11-list
- pkcs11-tokens
* pkcs11-tokens


All their actions should be possible using ''pkcs11-tool'' from ''opensc'' package or ''p11tool'' from ''gnutls-utils'' package.
All their actions should be possible using ''pkcs11-tool'' from ''opensc'' package or ''p11tool'' from ''gnutls-utils'' package.


- dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using ''-E pkcs11'' parameter to their respective normal dnssec-* tool.
* dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using ''-E pkcs11'' parameter to their respective normal dnssec-* tool.
 
=== Python isc module ===
 
The utilities ''dnssec-checkds'', ''dnssec-coverage'', and ''dnssec-keymgr'' have been removed from '''bind-dnssec-utils''' package. Also '''python3-bind''' python module is no longer supported by ISC upstream and therefore removed from a bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the [https://bind9.readthedocs.io/en/v9_18_4/reference.html#dnssec-policy-grammar dnssec-policy configuration option] for more details.


== Python isc module ==
=== Map file format ===


The utilities dnssec-checkds, dnssec-coverage, and dnssec-keymgr have been removed from '''bind-dnssec-utils''' package. Also '''python3-bind''' python module is no longer supported by ISC. DNSSEC features formerly provided by these utilities are now integrated into named. See the dnssec-policy configuration option for more details.
Support for the ''map'' zone file format (''masterfile-format map;'') has been removed. Use ''raw'' format instead, which has similar performance and less issues. Use ''named-compilezone -f map -F raw'' tool to convert the zone to ''raw'' format '''before''' the upgrade.


== Map file format ==
=== Removed options ===


Support for the ''map'' zone file format (''masterfile-format map;'') has been removed. Use ''raw'' format instead, which has similar performance and less issues.
Previously deprecated options were removed and are no longer accepted in ''/etc/named.conf''. Their full list can be found on [https://bind9.readthedocs.io/en/v9_18_4/notes.html#removed-features removed features] release notes in Upstream.


== How To Test ==
== How To Test ==
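Review bot: The new Map file format paragraph gives the conversion as "named-compilezone -f map -F raw", which is not a complete invocation: named-compilezone also needs -o with the output file, followed by the zone name and the input file. Suggest spelling out the full form with placeholders. Since the paragraph already says the conversion must happen before the upgrade, it would also help to state the reason, namely that the 9.18 tools no longer read map files.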
Line 170: Line 177:
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->
-->
* Users will get simple tools to query also encrypted DNS servers.
* Recent improvements packaged.
* Simplified DNSSEC maintenance of both keys and signatures via ''dnssec-policy''


== Dependencies ==
== Dependencies ==

Latest revision as of 16:37, 2 August 2022


BIND 9.18

Summary

Owner


Current status

Detailed Description

ISC BIND9 will be upgraded to the new major release version 9.18.x. It introduces new features and changes. It will also remove some previously provided packages.

Feedback

Benefit to Fedora

The most recent major release will be provided, with some notable features:

  • Support for DNS over TLS and DNS over HTTPS servers, in both authoritative and resolver modes.
  • Reworked internal connection handling using libuv
  • RNDC channel does not support Unix sockets [1]
  • Zone transfers over DNS over TLS were added, both incoming and outgoing.
  • dig is now able to send queries using DNS over TLS
  • dig is now able to send queries using DNS over HTTPS


Scope

  • Proposal owners:
  • The update required an update of the bind-dyndb-ldap package (part of the FreeIPA suite), but otherwise it is an isolated change.
  • Other developers:

Any developers

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

The upgrade from 9.16.x should be smooth, without significant issues. An incompatibility existed with bind-dyndb-ldap, but it has been resolved.

PKCS11 removal

Native PKCS11 builds in the separate bind-pkcs11 and bind-pkcs11-utils packages will no longer be built. They used to load pkcs11 plugins directly; PKCS11 will now be supported only indirectly, through the OpenSSL pkcs11 engine.

The following commands would be removed:

  • pkcs11-keygen
  • pkcs11-destroy
  • pkcs11-list
  • pkcs11-tokens

All their actions should be possible using pkcs11-tool from the opensc package or p11tool from the gnutls-utils package.

  • dnssec-*-pkcs11 commands would be removed too, but they have a simple replacement: pass the -E pkcs11 parameter to the respective normal dnssec-* tool.

Python isc module

The utilities dnssec-checkds, dnssec-coverage, and dnssec-keymgr have been removed from the bind-dnssec-utils package. Also, the python3-bind Python module is no longer supported by ISC upstream and has therefore been removed from the bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the dnssec-policy configuration option for more details.

Map file format

Support for the map zone file format (masterfile-format map;) has been removed. Use the raw format instead, which has similar performance and fewer issues. Use the named-compilezone -f map -F raw tool to convert the zone to raw format before the upgrade.

Removed options

Previously deprecated options were removed and are no longer accepted in /etc/named.conf. The full list can be found in the removed features section of the upstream release notes.
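
A pre-upgrade audit for the removals described in this section (PKCS11 tools, the Python-based DNSSEC utilities, and the map zone format), as an added example that is not part of the Fedora change page or of BIND. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for the BIND 9.18 removals listed above.
# Function names and the constructed sample files are assumptions.
# Removed tools named on this page (dnssec-*-pkcs11 is matched by pattern).
TOOL_RE='dnssec-[a-z0-9]+-pkcs11|pkcs11-(keygen|destroy|list|tokens)|dnssec-(checkds|coverage|keymgr)'

# Map a removed tool to the replacement this page gives for it.
replacement_for() {
    case "$1" in
        dnssec-*-pkcs11) echo "${1%-pkcs11} -E pkcs11" ;;
        pkcs11-*)        echo "pkcs11-tool (opensc) or p11tool (gnutls-utils)" ;;
        dnssec-*)        echo "dnssec-policy in named.conf" ;;
    esac
}

# Print "file: tool -> replacement" for each removed tool a script calls.
audit_tools() {
    for f in "$@"; do
        grep -owE "$TOOL_RE" "$f" | sort -u | while read -r tool; do
            echo "$f: $tool -> $(replacement_for "$tool")"
        done
    done
}

# Print "file:line" for each active "masterfile-format map;" statement.
# '#' and '//' comments are stripped first; /* */ blocks are not handled.
# Convert such zones before upgrading, e.g. (placeholders in <>):
#   named-compilezone -f map -F raw -o <zone.raw> <zonename> <zone.map>
audit_map_format() {
    for f in "$@"; do
        sed -e 's:#.*::' -e 's://.*::' "$f" |
            grep -nE 'masterfile-format[[:space:]]+map[[:space:]]*;' |
            cut -d: -f1 | sed "s|^|$f:|"
    done
}

# Constructed sample input, written to a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'options { directory "/var/named"; };' \
        '# masterfile-format map;  (old note)' \
        'zone "example.test" { type primary; file "e.map";' \
        '    masterfile-format map; };' > "$d/named.conf"
    printf '%s\n' 'dnssec-keyfromlabel-pkcs11 -l "pkcs11:object=zsk" example.test' \
        'pkcs11-list' 'dnssec-coverage example.test' > "$d/rollover.sh"
    audit_map_format "$d/named.conf"
    audit_tools "$d/rollover.sh"
    rm -rf "$d"
}
demo
```

To audit a real host, call audit_map_format on /etc/named.conf and audit_tools on cron jobs and key-rollover scripts; files pulled in through include statements must be passed explicitly.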

How To Test

User Experience

  • Users will get simple tools that can also query encrypted DNS servers.
  • Recent improvements packaged.
  • Simplified DNSSEC maintenance of both keys and signatures via dnssec-policy

Dependencies

bind-dyndb-ldap would be built together with the bind package. It was upgraded to version 11.10 to support the BIND 9.18 release.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

- Upstream release notes

N/A (not a System Wide Change)

Release Notes