Plan to remove ISC custom SPNEGO from BIND


Vicky Risk
Administrator
Hey there BIND Users-

We have removed the ISC custom SPNEGO implementation from the development branch (9.17.x). We intend to also remove it from BIND 9.16 and 9.11. This is very old and fragile code and it provides extra risk for everyone, while being useful for (we think) almost nobody.

- First, what it is: SPNEGO is some black magic which helps to negotiate how a client authenticates to a server (basically find the intersection of sets of supported mechanisms on both sides) (https://en.wikipedia.org/wiki/SPNEGO)

- Normally it is provided by libraries installed in the operating system, but for historical reasons BIND carries its own copy of that library. (back when there were more operating systems that didn’t have this support)

- Support for BIND was introduced in 2006, and in the same year support for the same was introduced into MIT Kerberos 1.5. (https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.html)

- Systems with the MIT Kerberos library (which is open-source) newer than 15 years can use that system library version, and ignore whatever BIND ships.

- The MIT Kerberos version has been patched many times over the years while the ISC implementation has not been well maintained.

We wouldn’t normally remove something from an old stable extended support version (9.11) but since this code seems to be obsolete and risky, we plan to do so. If anyone can think of a good reason not to, please let us know asap. SW Engineering’s fingers are quivering over the delete key.

Thank you!

Vicky
-------------
Vicky Risk
Product Manager,
Internet Systems Consortium