Bug 237861

Summary: dns/bind914 Suggestion: enable dnstap in BIND by default
Product: Ports & Packages Reporter: Greg Rivers <gcr>
Component: Individual Port(s) Assignee: Mathieu Arnold <mat>
Status: Closed FIXED    
Severity: Affects Only Me CC: freebsd, rene
Priority: --- Flags: bugzilla: maintainer-feedback? (mat)
Version: Latest   
Hardware: Any   
OS: Any   

Description Greg Rivers 2019-05-12 23:45:52 UTC
I'd like to suggest that dnstap should be enabled by default going forward, starting with bind914. Doing so would be a no-op for people who don't use it, since it has to be specifically enabled in the configuration. dnstap is much lighter weight than traditional query logging, so it benefits large and small systems alike. I suspect there may be quite a few people like me who would appreciate the ability to use dnstap without building our own packages and maintaining our own repos.

This would add a dependency on devel/fstrm and devel/protobuf-c, but both packages are tiny, and protobuf-c is a dependency of a number of other common ports.
Comment 1 Rene Ladan freebsd_committer freebsd_triage 2020-04-30 11:03:58 UTC
Is this relevant for dns/bind916 too?
Comment 2 Greg Rivers 2020-04-30 15:19:25 UTC
(In reply to Rene Ladan from comment #1)
Yes, dnstap has been available in BIND since version 9.11. My suggestion is to enable dnstap by default in the port for the "stable" version of BIND starting with 9.14.

9.14 was the stable version when I opened this PR a year ago. 9.16 is the current stable version.
Comment 3 Leo Vandewoestijne 2020-07-01 14:19:11 UTC
Looking at the current dns/bind916 I think it's perfect now;
keep it simple & small unless you really want to have it.

Is having this in make.conf not a good enough solution for you?

dns_bind916_SET= DNSTAP

(if so then I guess this PR can be closed).
Comment 4 Greg Rivers 2020-07-02 02:35:39 UTC
(In reply to Leo Vandewoestijne from comment #3)
Of course I've been building BIND from the port with the dnstap option enabled. But it would be nice if I didn't have to.

This request is to change the default options for the port. I explained my rationale for this when I opened this PR. The default options for any port are not intended to minimize features, rather they are set to provide the features and capabilities that satisfy the most people. Doing so allows the most people to use the project pkg repo to install from binary packages instead of having to build custom versions from source.

My assertion is that having dnstap compiled by default will benefit the most people. dnstap is lighter weight and provides more information than standard query logging. dnstap must be explicitly enabled in the configuration, so people who don't know or care about it can ignore it. But it can't be enabled in the configuration unless named is compiled for it.

I see this the opposite way from what you suggested: people who specifically do not want dnstap can easily build BIND from source with the dnstap option disabled. I think they are in the minority.

One more data point: ISC provide binary packages for BIND on Linux (<https://kb.isc.org/docs/isc-packages-for-bind-9>). All of ISC's packages are built with dnstap enabled.
Comment 5 Leo Vandewoestijne 2020-07-20 10:09:45 UTC
(In reply to Greg Rivers from comment #4)
> Doing so allows the most people to use the project pkg repo to install from binary packages
> instead of having to build custom versions from source.
>
Aha, OK, that's a valid argument - and those who don't could UNSET it.
Comment 6 Greg Rivers 2020-07-21 08:46:20 UTC
(In reply to Leo Vandewoestijne from comment #5)
Comment 7 Greg Rivers 2020-07-21 08:47:34 UTC
(In reply to Leo Vandewoestijne from comment #5)
Thanks for your consideration.
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-08-26 13:32:45 UTC
A commit references this bug:

Author: mat
Date: Wed Aug 26 13:32:29 UTC 2020
New revision: 546283
URL: https://svnweb.freebsd.org/changeset/ports/546283

Log:
  Enabled DNSTAP by default.

  The ISC recommends having it by default (it is in the packages they
  distribute) and the footprint of the dependencies is very small.

  While there, cleanup plists.

  PR:		237861
  Reported by:	Greg Rivers

Changes:
  head/dns/bind-tools/pkg-plist
  head/dns/bind-tools/pkg-plist-devel
  head/dns/bind9-devel/Makefile
  head/dns/bind9-devel/pkg-plist
  head/dns/bind911/Makefile
  head/dns/bind916/Makefile
  head/dns/bind916/pkg-plist