Named package missing in 2.3



  • I would love to upgrade my production cluster to 2.3, but I rely on the named package to provide DNS functionality. I do not see either unbound or dnsmasq providing full bind compatibility and would prefer not to offload this to another server for performance reasons.

    named was regularly updated, so I am surprised it is marked as no maintainer.



  • I don't know who was responsible for recent updates to the BIND package, though I believe it has only had updates to the BIND version and minor changes for some time. This level of maintenance is much less involved than reimplementing the user interface in Bootstrap for pfSense 2.3.

    The BIND package had its uses. At one point I used it as a quick way to implement reverse DNS zones for IPv6 rather than configuring BIND on another server, though I continued to use unbound as a DNSSEC-capable recursive DNS server. I suspect, though, that the BIND package had a limited range of real-world usage scenarios, so wasn't that popular. Unbound is suitable for the vast majority of recursive DNS server scenarios, which is why it was moved from a package into the base system. Unbound is not designed to be an authoritative DNS server and is very difficult to use at all in that role. Meanwhile, those capable of configuring a zone file for the BIND package are likely to be capable of configuring BIND on any *BSD or Linux machine.

    In any event, best security practice suggests an authoritative DNS server should not be run on a firewall, especially if that DNS server contains DNSSEC private keys. Indeed, if the server contains DNSSEC private keys, the 'hidden master' arrangement is popular, with the server containing the keys only facing the public authoritative servers and not the Internet at large.



  • I'm glad to see the BIND package is now in pfSense again. Thanks for adding it back.





  • @dpankros:

    It is? It's not listed here: https://doc.pfsense.org/index.php/2.3_Removed_Packages

    The bind package picked up a new maintainer after the 2.3.x releases started flowing. It appeared on the removed package list because when 2.3 was first released, the bind package was not available.

    I think it's actually a service provider in Europe (voleatech) that has taken the time to re-create the package for the newer versions of pfSense.



  • That's great news! Thanks for letting me know.

    I see you need to log in to make updates to the docs (understandable) but I don't see a way to register to make changes, like this, myself. It would be great if the docs were updated to reflect the state of the packages, else the adoption rate of new version(s) will be lower than it needs to be due to people, like me, holding off on an upgrade due to lack of necessary, compatible packages.

    It's the classic love/hate relationship to wikis: I love the info, but I hate that they are often not maintained and, thus, quickly out of date.

