We have removed the ISC custom SPEGNO implementation from the development branch (9.17.x). We intend to also remove it from BIND 9.16 and 9.11. This is very old and fragile code and it is provides extra risk for everyone, while being useful for (we think) almost nobody.
- First what it is: SPNEGOis some black magic which helps to negotiate how a client authenticates to a server (basically find intersection of sets of supported mechanisms on both sides) (https://en.wikipedia.org/wiki/SPNEGO
- Normally it is provided by libraries installed in the operating system, but for historical reasons BIND carries its own copy of that library. (back when there were more operating systems that didn’t have this support)
- Systems with the MIT Kerberos library (which is open-source) newer than 15 years can use that system library version, and ignore whatever BIND ships.
- The MIT Kerberos version has been patched many times over the years while the ISC implementation has not been well maintained.
We wouldn’t normally remove something from an old stable extended support version (9.11) but since this code seems to be obsolete and risky, we plan to do so. If anyone can think of a good reason not to, please let us know asap. SW Engineering’s fingers are quivering over the delete key.