bind and certbot with dns-challenge

Alan Clegg aclegg at isc.org
Sun Mar 17 18:51:58 UTC 2019


On 3/17/19 7:13 AM, Stephan von Krawczynski wrote:
> Hello all,
> 
> I am using "BIND 9.13.7 (Development Release) <id:6491691>" on arch linux. Up
> to a few days ago everything was fine using "certbot renew". I had
> "allow-update" in named's global section, everything worked well. Updating to
> the above version threw a config error that "allow-update" has no global scope
> and is to be used in every single zone definition.

And you may have found a bug.  I'm checking internally at this time.

> And this brought me here with one question: why is it that bind/named does not
> evolve to a really useable nameserver for the most use-cases _today_, but
> instead gets more unusable with every new release?

Please provide input.  BIND is open source and is available for requests
etc. via gitlab.  We don't INTENTIONALLY make it "more unusable with
each release", but without your input we may be doing things that seem
good from the implementation side, but not from the operations side.

Provide input!  You'll help shape the world!

> I mean, sure you can use it perfectly, only not good if hosting hundreds or
> thousands domains - only this small change I just described lets your config
> file grow massively -, only not good if you want to implement something like
> blacklists, not good for an adblocker and so on.

I'm not sure how this relates.  Please feel free to follow up here (or
in Gitlab) with a bit more including "this configuration worked great
and is operationally what we need, but you broke it."  We do take
constructive criticism (and we also have thick skins, having been at it
as long as we have).

> But all that would be dead easy to do, iff really wanted.
> So why is it, that there is no global way of defining default zone
> definitions which are only overridden by the actual zone definition?

Some options just don't make sense at the global level.  Those are only
available at the view or zone level.

> Why is there no way to define a hosts-type-of-file with an URL-to-IP list?

Because DNS data only deals with DNS data and not URLs?   Again, give an
example of what you want, it will be considered and may actually appear
as a feature in future releases.  (this one, I doubt, however).

> Do you really want people to define 50.000 zones to perform adblocking?
> Configs have to be reloaded every now and then, is there really no idea how to
> shorten things a bit?

RPZ works at a global level.  Again, not sure what this question means.

> Don't get me wrong, bind is great (ok, collapsing during runtime since last 2
> updates, but ...).

Did you report these "collapses"?  This is the type of thing that tends
to happen when your distribution runs "Development Release" code.

> Nevertheless there are some things that can be enhanced quite a bit.

Tell us!  Help us!  Together we can be stronger!

Alan Clegg, ISC
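The two configuration points the thread touches (per-zone update permissions for the certbot DNS challenge, and RPZ as the global mechanism for blocking names) can be illustrated with a single named.conf fragment. This is an added example, not configuration from either poster or from ISC; the zone name example.com, the key name certbot-key, the RPZ zone name rpz.local, the file paths and the key secret are all assumed placeholders, and the secret must be replaced with one generated locally (for instance with tsig-keygen).

```conf
// Added example (not from the thread). Placeholder names throughout.

// TSIG key the certbot rfc2136 plugin authenticates its updates with.
// PLACEHOLDER secret: generate a real one, e.g. with `tsig-keygen certbot-key`.
key "certbot-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-TSIG-KEYGEN";
};

options {
    directory "/var/named";

    // Zone-level ACLs such as allow-update are NOT set here in this
    // example; the release discussed in the thread rejects them in the
    // global scope, so they go into each zone statement below.

    // RPZ is configured once, globally, and applies to every lookup the
    // resolver makes; one policy zone replaces thousands of stub zones.
    response-policy { zone "rpz.local"; };
};

// The zone certbot needs to write _acme-challenge TXT records into.
zone "example.com" {
    type master;
    file "example.com.zone";

    // Least privilege: instead of allow-update (which would let the key
    // holder change any record in the zone), grant the key the right to
    // touch only the one name and one record type the challenge needs.
    update-policy {
        grant certbot-key name _acme-challenge.example.com. TXT;
    };
};

// Local response-policy zone used for blocking (adblock-style) names.
// Each blocked name is one record in this zone file rather than a zone
// statement in named.conf, so named.conf stays the same size no matter
// how many names are blocked.
zone "rpz.local" {
    type master;
    file "rpz.local.zone";
    allow-query { localhost; };
};
```

In the zone file for rpz.local, a record such as `ads.example.net CNAME .` (constructed example name) returns NXDOMAIN for that name and everything under it; `*.ads.example.net CNAME .` covers subdomains. Run `named-checkconf` after editing to confirm the fragment parses on the BIND version in use, since option placement rules differ between releases, as this thread shows.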
