bind and certbot with dns-challenge
Grant Taylor
gtaylor at tnetconsulting.net
Sun Mar 17 17:40:51 UTC 2019
On 3/17/19 8:35 AM, Stephan von Krawczynski wrote:
> In today's internet this is no niche any more.
Oh, there most certainly are niches today. I think there are more today
than there were before.
> And the right tool means mostly "yet-another-host" because you then need
> at least a cascade of two, one for dnsmasq and one for bind/named. A
> lot of overhead for quite a simple task...
No, you don't need another host.
· You can do things on different ports and / or IPs on the same host.
· You can use different BIND features to do exactly what you want in a
single daemon. (See my previous email about RPZ / RPS / DLZ.)
> Shorter config = shorter load time. The semantic change of "allow
> update" alone leaves every setup with 1000 domains in a situation where
> 999 config statements more have to be read, interpreted and configured -
> just to end up in the same runtime setup.
See my previous email about load time.
TL;DR: The config isn't the problem. The zones are the problem.
> It is really very obvious that this is only done by ideologists, not
> technical oriented people.
I disagree.
I've seen similar breaking changes in other products for (usually) well
published / documented reasons. Often times it's related to blocking
new more important features and / or problems maintaining legacy code
and / or security implications.
None of that is ideology. That's program maintenance.
That being said, I don't know what the case is in the (broken) global
allow-updates issue that you're talking about.
--
Grant. . . .
unix || die
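As an added illustration of the "same host, different IP" point above (this is not configuration from the message or from ISC; the 192.0.2.x addresses, the zone name example.com, the key name "certbot" and the file paths are placeholders chosen for the example), the fragment below pins BIND to one address so dnsmasq can keep another, and replaces a blanket allow-update with an update-policy that only lets the certbot key write the TXT records the ACME dns-01 challenge actually needs:

```conf
// Example named.conf fragment (constructed for illustration, not from the thread).
// BIND listens only on 192.0.2.53; dnsmasq on the same box can keep 192.0.2.1.
options {
    directory "/var/cache/bind";           // assumed path
    listen-on port 53 { 192.0.2.53; };      // one address, so both daemons coexist
    listen-on-v6 { none; };
    recursion no;                           // authoritative-only for the public zone
    allow-transfer { none; };
};

// TSIG key used by certbot's RFC 2136 plugin. Generate with tsig-keygen and
// keep the secret out of world-readable files; the value below is a placeholder.
key "certbot" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

zone "example.com" {
    type master;
    file "/var/lib/bind/db.example.com";   // assumed path
    // Least privilege instead of allow-update { key certbot; }:
    // the key may only touch TXT records at _acme-challenge names.
    update-policy {
        grant certbot name _acme-challenge.example.com. TXT;
        grant certbot wildcard _acme-challenge.*.example.com. TXT;
    };
};
```

On the dnsmasq side the matching (also assumed) settings would be listen-address=192.0.2.1 plus bind-interfaces, and server=/example.com/192.0.2.53 to hand queries for the authoritative zone to BIND. The update-policy is the security-relevant part: a key used by an automated certificate client should not be able to rewrite A, MX or NS records if it leaks, and update-policy scopes it to the challenge names only.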