Bug 237861 - dns/bind914 Suggestion: enable dnstap in BIND by default
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mathieu Arnold
Depends on:
Reported: 2019-05-12 23:45 UTC by Greg Rivers
Modified: 2020-07-02 02:35 UTC
bugzilla: maintainer-feedback? (mat)
Description Greg Rivers 2019-05-12 23:45:52 UTC
I'd like to suggest that dnstap should be enabled by default going forward, starting with bind914. Doing so would be a no-op for people who don't use it, since it has to be specifically enabled in the configuration. dnstap is much lighter weight than traditional query logging, so it benefits large and small systems alike. I suspect there may be quite a few people like me who would appreciate the ability to use dnstap without building our own packages and maintaining our own repos.

This would add a dependency on devel/fstrm and devel/protobuf-c, but both packages are tiny, and protobuf-c is a dependency of a number of other common ports.
Comment 1 Rene Ladan freebsd_committer 2020-04-30 11:03:58 UTC
Is this relevant for dns/bind916 too?
Comment 2 Greg Rivers 2020-04-30 15:19:25 UTC
(In reply to Rene Ladan from comment #1)
Yes, dnstap has been available in BIND since version 9.11. My suggestion is to enable dnstap by default in the port for the "stable" version of BIND starting with 9.14.

9.14 was the stable version when I opened this PR a year ago. 9.16 is the current stable version.
Comment 3 Leo Vandewoestijne 2020-07-01 14:19:11 UTC
Looking at the current dns/bind916 I think it's perfect now;
keep it simple & small unless you really want to have it.

Is having this in make.conf not a good enough solution for you?

dns_bind916_SET= DNSTAP

(if so then I guess this PR can be closed).
Comment 4 Greg Rivers 2020-07-02 02:35:39 UTC
(In reply to Leo Vandewoestijne from comment #3)
Of course I've been building BIND from the port with the dnstap option enabled. But it would be nice if I didn't have to.

This request is to change the default options for the port. I explained my rationale for this when I opened this PR. The default options for any port are not intended to minimize features, rather they are set to provide the features and capabilities that satisfy the most people. Doing so allows the most people to use the project pkg repo to install from binary packages instead of having to build custom versions from source.

My assertion is that having dnstap compiled by default will benefit the most people. dnstap is lighter weight and provides more information than standard query logging. dnstap must be explicitly enabled in the configuration, so people who don't know or care about it can ignore it. But it can't be enabled in the configuration unless named is compiled for it.

I see this the opposite way from what you suggested: people who specifically do not want dnstap can easily build BIND from source with the dnstap option disabled. I think they are in the minority.

One more data point: ISC provide binary packages for BIND on Linux (<https://kb.isc.org/docs/isc-packages-for-bind-9>). All of ISC's packages are built with dnstap enabled.