Author Topic: named package missing in 2.3  (Read 108 times)

andrew.leigh
named package missing in 2.3
« on: April 23, 2016, 11:01:34 am »
I would love to upgrade my production cluster to 2.3, but I rely on the named package to provide DNS functionality. I do not see either unbound or dnsmasq providing full BIND compatibility and would prefer not to offload this to another server for performance reasons.

named was regularly updated, so I am surprised it is marked as no maintainer.


David_W
Re: named package missing in 2.3
« Reply #1 on: April 23, 2016, 12:33:36 pm »
I don't know who was responsible for recent updates to the BIND package, though I believe it has only had updates to the BIND version and minor changes for some time. This level of maintenance is much less involved than reimplementing the user interface in Bootstrap for pfSense 2.3.

The BIND package had its uses. At one point I used it as a quick way to implement reverse DNS zones for IPv6 rather than configuring BIND on another server, though I continued to use unbound as a DNSSEC-capable recursive DNS server. I suspect, though, that the BIND package had a limited range of real-world usage scenarios, so wasn't that popular. Unbound is suitable for the vast majority of recursive DNS server scenarios, which is why it was moved from a package into the base system. Unbound is not designed to be an authoritative DNS server and is very difficult to use at all in that role. Meanwhile, those capable of configuring a zone file for the BIND package are likely to be capable of configuring BIND on any *BSD or Linux machine.

In any event, best security practice suggests an authoritative DNS server should not be run on a firewall, especially if that DNS server contains DNSSEC private keys. Indeed, if the server contains DNSSEC private keys, the 'hidden master' arrangement is popular, with the server containing the keys only facing the public authoritative servers and not the Internet at large.
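
The 'hidden master' arrangement mentioned in the reply above, sketched as a BIND `named.conf` for the key-holding server (an added example, not part of the thread or of the pfSense package). The addresses, zone name, key name, file paths and the BIND 9.16+ `dnssec-policy` option are assumptions chosen for illustration.

```conf
// Constructed example: hidden primary that holds the DNSSEC private keys.
// It is not listed in the zone's NS records; only the public secondaries are.
// Addresses are documentation ranges; names, paths and the secret are placeholders.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// The public authoritative servers: the only hosts this server answers.
acl "public-secondaries" { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };              // internal address only (assumed)
    listen-on-v6 { none; };
    recursion no;                          // authoritative only, no resolver role
    allow-query { "public-secondaries"; }; // SOA checks from the secondaries
    allow-transfer { none; };              // default deny, opened per zone below
    notify explicit;                       // NOTIFY only the also-notify list
};

zone "example.com" {
    type primary;
    file "zones/example.com.db";           // unsigned source zone
    key-directory "keys/example.com";      // private keys never leave this host
    dnssec-policy default;                 // assumes BIND 9.16 or later
    inline-signing yes;
    also-notify { 192.0.2.53; 198.51.100.53; };
    allow-transfer { key "xfer-key"; };    // TSIG-authenticated transfers only
};
```

The secondaries receive the already-signed zone by transfer and serve it to the Internet, so a compromise of a public-facing server exposes no signing keys. `named-checkconf` validates the syntax before the file is loaded.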