bind and certbot with dns-challenge

Timothe Litt litt at acm.org
Sun Mar 17 18:24:21 UTC 2019


Named has options at the global, view and zone levels.  The 9.11 ARM
shows allow-update in the options and zone statements.  If it's broken
in 9.13 - note that it is a "Development Release".  So bugs are expected,
and you should raise an issue on bind9-bugs or on gitlab
(https://gitlab.isc.org/isc-projects/bind9/issues).

You can work around your issue by using 'include "my-common-stuff.conf";'
to simplify your configuration.  This is a useful strategy for things
that don't fit the three-level model.

If you have large zones, you can speed up load time with
masterfile-format raw or map; see the "tuning" section of the ARM for
more information.

Parsing configuration data is unlikely to be the dominant factor in
startup, but I'm sure that the developers would welcome a reproducible
test case that shows otherwise.

You should consider update-policy instead of allow-update; it provides
much better control and better security.

> It is really very obvious that this is only done by
> ideologists, not technically oriented people.
Actually, I've found that the contributors to named are very technical,
practical people.  Sometimes they introduce bugs, or ideas that work in
one context but not another.  They're responsive to criticism &
contributions.  But name-calling is generally not an effective way to
get anyone to help you.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 17-Mar-19 10:35, Stephan von Krawczynski wrote:
> On Sun, 17 Mar 2019 12:40:35 +0100
> Reindl Harald <h.reindl at thelounge.net> wrote:
>
>> Am 17.03.19 um 12:13 schrieb Stephan von Krawczynski:
>>> So why is it, that there is no global way of defining default zone
>>> definitions which are only overridden by the actual zone definition?
>> maybe because it brings a ton of troubles and whoever deals with more
>> than 5 zones has automatic config management in place anyways?
> If you don't want to follow the positive way (how about a nice additional
> feature), then please accept the negative way: someone broke the config
> semantics by implementing a zone based-only "allow update". This option worked
> globally before (too), so we can assume it is in fact broken now.
> Can someone please point me to the discussion about this incompatible change?
>
>>> Why is there no way to define a hosts-type-of-file with a URL-to-IP list?
>>> Do you really want people to define 50.000 zones to perform adblocking?  
>> no, just use the right tool for the task, this doesn't fit into the domain
>> concept of named and hence you have dnsmasq and rbldnsd to step into
>> that niche
> In today's internet this is no niche any more. And the right tool means mostly
> "yet-another-host" because you then need at least a cascade of two, one for
> dnsmasq and one for bind/named. A lot of overhead for quite a simple task...
>
>>> Configs have to be reloaded every now and then, is there really no idea
>>> how to shorten things a bit?  
>> ??
> Shorter config = shorter load time. The semantic change of "allow update" alone
> leaves every setup with 1000 domains in a situation where 999 config statements
> more have to be read, interpreted and configured - just to end up in the same
> runtime setup. It is really very obvious that this is only done by
> ideologists, not technically oriented people.
>
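As an added illustration (not part of the thread above), a named.conf fragment showing the difference between the allow-update and update-policy statements the reply recommends, together with the include workaround it mentions; the key name, secret, zone names and file paths are placeholders:

```conf
// Added example, not from the original thread. Key material is kept in a
// separate file so the same key block can be shared by every zone that
// certbot's dns-challenge needs to update (the "include" workaround).
include "/etc/named/keys/certbot-key.conf";   // placeholder path

// Contents of that file (placeholder key name and secret; generate a real
// one with tsig-keygen):
//
//   key "certbot-key" {
//       algorithm hmac-sha256;
//       secret "PLACEHOLDER_BASE64_SECRET==";
//   };

// Weak: allow-update is all-or-nothing. Anyone holding certbot-key may add,
// change or delete ANY record in this zone, not just the ACME challenge TXT.
zone "weak.example" {
    type master;
    file "/var/named/weak.example.db";
    allow-update { key "certbot-key"; };
};

// Hardened: update-policy limits the key by name and by record type.
// "zonesub" matches any name within this zone, so the key can only touch
// TXT records; A, MX, NS and everything else is denied.
zone "example.org" {
    type master;
    file "/var/named/example.org.db";
    update-policy {
        grant certbot-key zonesub TXT;
    };
};

// Tighter still, when only one name is ever validated: restrict the key to
// TXT records at exactly the _acme-challenge owner name.
zone "example.net" {
    type master;
    file "/var/named/example.net.db";
    update-policy {
        grant certbot-key name _acme-challenge.example.net. TXT;
    };
};
```

After a reload, a dynamic update from certbot's TSIG key that tries to modify a non-TXT record is refused, which a REFUSED response in the update log will show.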