bind and certbot with dns-challenge

Grant Taylor gtaylor at tnetconsulting.net
Sun Mar 17 17:33:56 UTC 2019


On 3/17/19 5:13 AM, Stephan von Krawczynski wrote:
> Hello all,

Hi,

> I am using "BIND 9.13.7 (Development Release) <id:6491691>" on Arch 
> Linux. Up to a few days ago everything was fine using "certbot renew". I had 
> "allow-update" in named's global section, everything worked well. Updating 
> to the above version threw a config error that "allow-update" has no 
> global scope and is to be used in every single zone definition.

That sounds like a bug to me.  If it's not a bug, and is to be expected, 
I would expect the change in behavior to be documented somewhere.

> And this brought me here with one question: why is it that bind/named 
> does not evolve to a really usable nameserver for the most use-cases 
> _today_, but instead gets more unusable with every new release?

I can't say as I've experienced what you're referring to.  I still find 
BIND to be extremely flexible and feature rich for all of my DNS needs.

There are occasionally some things off the typical DNS path that I want 
to do that do require some pontification and careful implementation. 
But I've almost always been able to get BIND to do what I want.  Maybe 
once or twice I couldn't in the last ~20 years.

> I mean, sure you can use it perfectly, only not good if hosting hundreds 
> or thousands of domains

Why can't you use BIND to host hundreds or thousands of domains?

> only this small change I just described lets your config file grow 
> massively

Config file size is independent of BIND's capability.

IMHO, this seems more like a dislike than an actual problem.

> only not good if you want to implement something like blacklists, 
> not good for an adblocker and so on.

Why is it not good?

What can you not do with BIND 9.13.7 that you could do with a previous 
version?

Also, /seriously/ take a good look into Response Policy Zones (RPZ). 
They make implementing blacklists a LOT easier.

I expect Response Policy Service (RPS) to also make a similar, if not 
bigger, difference.  -  Granted, there is a documentation / OSS 
implementation gap that I'd like to see filled.

I also think that Dynamically Loadable Zones (DLZ) can help here.

That's three different options that can be used with BIND.  I think all 
three can make it such that you don't need to define zones for each of 
the names that you want to filter.

> But all that would be dead easy to do, iff really wanted.

I'm not sure what "all that" actually is.  As such, I'll respond to the 
multiple things that I think it could be.

"global allow-update…"  -  This sounds like a bug or an unknown design 
change.

"host hundreds or thousands of domains"  -  I see no reason why BIND 
can't do that.

"config file growth"  -  So.  Look into "include" and / or "DLZ". 
Restructure your config such that it's easier to manage and don't use a 
flat file.

"blacklists"  -  I'm doing this with multiple DLZs and am extremely 
happy with it.  IMHO it works wonderfully.

I'm even taking a web page (listing bad hosts) that someone is serving 
(for public consumption) scraping it (with their consent) and turning it 
into an RPZ on one server.  Then I'm using standard zone transfers to 
have multiple recursive resolvers filter based on the contents of the 
Response Policy Zone.  IMHO it works great.

> So why is it, that there is no global way of defining default zone 
> definitions which are only overridden by the actual zone definition?

I think that's a fair question.  Perhaps it's worth a feature request.

I've not looked, but I wonder if some of this can be defined via views.

> Why is there no way to define a hosts-type-of-file with a URL-to-IP list?

I think that RPZ, RPS, and likely DLZ are much closer to doing that than 
you realize.

I counter with this.

Q:  Why can't Firefox on Linux read a Microsoft Word (.doc) file?
A:  Because it's not designed to do so.
A:  Nor is doing so even remotely in the scope of what it's designed to do.

> Do you really want people to define 50,000 zones to perform adblocking?

You don't need to do that.

Again, /seriously/ take a good look into Response Policy Zones (RPZ). 
They make implementing blacklists a LOT easier.

> Configs have to be reloaded every now and then, is there really no idea 
> how to shorten things a bit?

It's my understanding that parsing the config file(s) is not the problem 
/ delay.

It's my understanding that the delay in loading many zones is converting 
the text zone files to binary in memory representations.

It's also my understanding that there are options to speed this up based 
on master zone file format.  Specifically binary vs text.

> Don't get me wrong, bind is great (ok, collapsing during runtime since 
> the last 2 updates, but ...).

It sounds like you're trying to administer BIND the same way that you 
would have 10 ~ 20 years ago.  Take a look at some of the more modern 
options.  Especially if you are wanting to do more modern things like 
blacklisting.

> Nevertheless there are some things that can be enhanced quite a bit.

I feel like there are some simple things that you can do to enhance your 
BIND administration quite a bit.



-- 
Grant. . . .
unix || die
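Editor's added example, not part of Grant's or Stephan's messages and not ISC's own code: one way to handle the "allow-update now has to live in every zone" and "config file growth" points together. A small POSIX shell generator reads a zone list and emits the per-zone stanzas into a file that named.conf pulls in with "include". Instead of a blanket "allow-update" (which lets whoever holds the key rewrite any record in the zone), each stanza carries an "update-policy" that grants the key write access only to the TXT record at _acme-challenge.<zone>, which is all certbot's dns-01 challenge needs. The key name "certbot-key", the zone directory, and the zone names in the test input are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates per-zone BIND
# stanzas with a least-privilege update-policy for ACME dns-01 renewals.
# KEY_NAME, ZONE_DIR and the zone names fed in are assumptions.

KEY_NAME="${KEY_NAME:-certbot-key}"
ZONE_DIR="${ZONE_DIR:-/var/named/primary}"

# Accept only a plain dotted hostname (lower-case labels, at least one dot).
# Anything else is rejected so a stray line in the zone list cannot inject
# arbitrary named.conf syntax (quotes, semicolons, braces) into the output.
valid_zone() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Emit one zone stanza for the zone name in $1. The grant is scoped to the
# exact name _acme-challenge.<zone> and to TXT records only; "allow-update"
# would instead let the key change any record in the zone.
zone_stanza() {
    z=$1
    printf 'zone "%s" {\n' "$z"
    printf '    type master;\n'
    printf '    file "%s/%s.zone";\n' "$ZONE_DIR" "$z"
    printf '    update-policy {\n'
    printf '        grant %s name _acme-challenge.%s. TXT;\n' "$KEY_NAME" "$z"
    printf '    };\n'
    printf '};\n'
}

# Read zone names from stdin (one per line, '#' comments and blank lines
# allowed, trailing dot and upper case tolerated) and print the body of the
# include file. Invalid names are reported on stderr and skipped.
gen_zones_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        z=$(printf '%s' "$line" \
            | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//' \
            | tr 'A-Z' 'a-z')
        [ -z "$z" ] && continue
        if valid_zone "$z"; then
            zone_stanza "$z"
        else
            printf 'skipping invalid zone name: %s\n' "$line" >&2
        fi
    done
    return 0
}
```

Usage: `gen_zones_conf < zones.txt > /etc/named/zones-acme.conf`, then named.conf needs only `include "/etc/named/zones-acme.conf";` plus one `key certbot-key { algorithm hmac-sha256; secret "..."; };` stanza, and `named-checkconf` before reload. The generated stanza is the per-zone form 9.13.7 asks for; the difference from the old global "allow-update" is that the key can no longer touch anything but the challenge record.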

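Editor's added example, not part of the thread and not ISC's code: the RPZ answer to "define 50,000 zones to perform adblocking" and to "a hosts-type-of-file with a URL-to-IP list". A POSIX shell script converts a hosts-format blocklist into one Response Policy Zone file that a single "zone" stanza (with "response-policy { zone \"adblock.rpz.local\"; };" in options) serves, and that secondaries can pull with ordinary zone transfers as Grant describes. Each blocked name gets a "CNAME ." rule (the RPZ encoding for NXDOMAIN) plus a wildcard rule for its subdomains. The zone name, SOA/NS values and the sample hosts lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds an RPZ zone file from
# hosts-style input. RPZ_ZONE, the SOA/NS contents and SAMPLE_HOSTS are
# assumptions for illustration.

RPZ_ZONE="${RPZ_ZONE:-adblock.rpz.local}"

# Hostname syntax check; keeps junk from an upstream list out of the zone.
# Underscore is allowed in non-final labels (e.g. _tracking.example).
valid_host() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Names that hosts files routinely carry but that must never be blocked.
skip_host() {
    case "$1" in
        localhost|localhost.localdomain|local|broadcasthost|ip6-localhost|ip6-loopback)
            return 0 ;;
    esac
    return 1
}

# Extract blocked names from hosts-format lines on stdin: every name after
# the address, lower-cased, comments stripped, de-duplicated. Only lines
# whose address is a sinkhole (0.0.0.0, 127.0.0.1, ::, ::1) count, so a
# genuine static mapping in the same file is not turned into a block rule.
hosts_to_names() {
    sed 's/#.*//' | tr 'A-Z' 'a-z' | awk '
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::" || $1 == "::1") {
            for (i = 2; i <= NF; i++) print $i
        }' | sort -u
}

# Print a complete RPZ zone: SOA (serial from $1), NS, then for each name a
# "CNAME ." rule (NXDOMAIN) and a "*.name CNAME ." rule for its subdomains.
hosts_to_rpz() {
    serial=${1:-1}
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. hostmaster.%s. %s 3600 900 604800 300\n' "$RPZ_ZONE" "$serial"
    printf '@ IN NS localhost.\n'
    hosts_to_names | while IFS= read -r h; do
        skip_host "$h" && continue
        valid_host "$h" || { printf 'skipping malformed name: %s\n' "$h" >&2; continue; }
        printf '%s CNAME .\n' "$h"
        printf '*.%s CNAME .\n' "$h"
    done
    return 0
}

# Constructed sample input (not a real blocklist): a loopback entry, a
# duplicate, mixed case, a real static mapping and a malformed line.
SAMPLE_HOSTS='# sample hosts-style blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.test  # tracker
0.0.0.0 Metrics.Example.TEST
0.0.0.0 ads.example.test
10.0.0.5 intranet.example.test
0.0.0.0 bad host;name'
```

Usage: `curl -s "$LIST_URL" | hosts_to_rpz "$(date +%Y%m%d%H)" > /var/named/adblock.rpz.local.zone`, then `named-checkzone adblock.rpz.local /var/named/adblock.rpz.local.zone` and `rndc reload adblock.rpz.local`. Because the rules live in zone data rather than in named.conf, adding or dropping 50,000 names is a zone reload, not a configuration reparse, and the secondaries learn the change through AXFR/IXFR like any other zone.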