Re: root.hints - apparmor access error with Bind from PPA

[Timothe Litt]

I'm not an apparmor user - but have you looked at the parent directory
permissions?  From what you posted, that would be the logical culprit.

In any case, unless you are using a private root zone, since named has
the root nameserver addresses built-in, the use of root.hint is
unnecessary.  (Even if one or two change addresses before the next
release, as does happen infrequently, once named starts it will ask the
network for the full set.  It only needs one - of the 13 - to bootstrap
itself.)

There is an argument for running your own root server with a copy of the
root zone - but most small operators don't.  Simplifying, it makes sense
if you are "far" from the global root servers, have regular outages that
leave a local region intact, or are very concerned about privacy.  (In
the latter case, qname minimization is likely a better choice.)

It seems that a lot of distributions configure a root.hint out of
habit.  It's actually a step backwards, since unless you have a process
to update root.hint, your copy is likely to end up being older than
named's built-ins...

It's been a while since I looked, but at that time, a 20ish year old
root.hint had only a couple of IPv4 addresses wrong.  (Didn't have many
IPv6.)  root.hint really IS stable - and so, therefore, are the named
built-ins.


Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 03-Jun-21 22:45, 3coma3 wrote:
> Dear list:
>
> I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to
> upgrade
> bind from 9.11.3+dfsg-1ubuntu1.15 (current version for
> bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1
>
> (I was needing to use the validate-except clause and this new version
> supports it)
>
> After the upgrade, attempting to start the named service failed with
> this error:
> Jun  3 22:03:53 top named[19946]: could not configure root hints from
> '/usr/share/dns/root.hints': permission denied
>
> Right below that apparmor logs this:
>
> Jun  3 22:03:53 top kernel: [17981.067014] audit: type=1400
> audit(1622768633.158:559): apparmor="DENIED" operation="open"
> profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
> comm="isc-worker" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
>
>
> What's puzzling is that the apparmor profile apparently allows the read
> @ line 36:
>
> find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
> /etc/apparmor.d/usr.sbin.named:36:  /usr/share/dns/root.* r,
>
> dpkg -S /etc/apparmor.d/usr.sbin.named
> bind9: /etc/apparmor.d/usr.sbin.named
>
> apt-cache policy bind9
> bind9:
>   Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
>   Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
>   Version table:
>  *** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
>     500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64
> Packages
>     100 /var/lib/dpkg/status
>  1:9.11.3+dfsg-1ubuntu1.15 500
>     500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main
> amd64 Packages
>     500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
> Packages
>  1:9.11.3+dfsg-1ubuntu1 500
>     500 http://mirrors.us.kernel.org/ubuntu bionic/main amd64 Packages
>
>
> Although the error appears to not be related to file perms, here's for
> completeness:
>
> ls -la /usr/share/dns
> total 28
> drwxr-xr-x   2 root root    55 dic 13  2019 .
> drwxr-xr-x 457 root root 12288 jun  3 21:44 ..
> -rw-r--r--   1 root root   166 feb  1  2018 root.ds
> -rw-r--r--   1 root root  3315 feb  1  2018 root.hints
> -rw-r--r--   1 root root   864 feb  1  2018 root.key
>
>
> It helped me to find a previous report at
> https://lists.isc.org/pipermail/bind-users/2020-July/103454.html
>
> And then I ended up solving the problem as Brett did there, by copying
> /usr/share/dns to /etc/bind/dns and changing the zone definition.
>
> Still I am reporting this in case it's affecting someone else, and
> because maybe you guys have an idea as to what's going on with apparmor
> here? I'm not very knowledgeable in it and would appreciate any info /
> help to solve the root cause (and maybe learn something).
>
> Thanks in advance
>
>
> full log:
>
> Jun  3 22:03:53 top systemd[1]: Started BIND Domain Name Server.
> Jun  3 22:03:53 top named[19946]: starting BIND 9.16.16-Ubuntu (Stable
> Release) 
> Jun  3 22:03:53 top named[19946]: running on Linux x86_64
> 5.6.7-050607-generic #202004230933 SMP Thu Apr 23 09:35:28 UTC 2020
> Jun  3 22:03:53 top named[19946]: built with '--build=x86_64-linux-gnu'
> '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
> '--disable-silent-rules' '
> --libdir=/usr/lib/x86_64-linux-gnu'
> '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
> '--sysconfdir=/etc/bind' '--with-python=

Re: root.hints - apparmor access error with Bind from PPA

[G.W. Haywood via bind-users]

Hi there,

On Fri, 4 Jun 2021, 3coma3 wrote:


Jun 3 22:03:53 ... apparmor="DENIED" ... "/usr/share/dns/root.hints" ...


This isn't exactly an answer to your question but I don't think you
need root.hints any more - you can just delete it.

I'm currently using 9.11.26, and I haven't used root.hints for years.
The hints section (zone ".") in my named.conf is just commented out.

https://kb.isc.org/docs/aa-01309

HTH

--

73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: root.hints - apparmor access error with Bind from PPA

[3coma3]

Hi Timothe,

On 4/6/21 10:13, Timothe Litt wrote:
>
> I'm not an apparmor user - but have you looked at the parent directory
> permissions?  From what you posted, that would be the logical culprit.
>
Your suggestion helped me indirectly to pinpoint the problem.

I added above line 36 the following (redundant) permissions:

/ r,
/usr r,
/usr/share r,
/usr/share/dns r,

Then reloaded the apparmor profiles, changed back the zone definition,
restarted bind and voila, it started correctly.

What's interesting is that after *undoing* the above permissions and
going back to the original apparmor profile, the permission problem
didn't return and things continued to work instead of failing again (big
question mark here).

I confirmed that the original permission is now in effect by removing it
and reloading the profile, and also by moving /usr/local/share/bind to
somewhere else - both changes caused Bind to fail.

My vague assumption here it's likely that some semantics (or bug) in the
apparmor profile parsing / addition into the kernel was causing the
specific permission to not be effective, until after I made changes that
caused new evaluations of the rules to take place.

So everything looks good now thanks to this simple experiment. There's
some optional research ahead regarding apparmor, if you ask me this is
very counter-intuitive behaviour to say the least.


> In any case, unless you are using a private root zone, since named has
> the root nameserver addresses built-in, the use of root.hint is
> unnecessary.  (Even if one or two change addresses before the next
> release, as does happen infrequently, once named starts it will ask
> the network for the full set.  It only needs one - of the 13 - to
> bootstrap itself.)
>
> There is an argument for running your own root server with a copy of
> the root zone - but most small operators don't.  Simplifying, it makes
> sense if you are "far" from the global root servers, have regular
> outages that leave a local region intact, or are very concerned about
> privacy.  (In the latter case, qname minimization is likely a better
> choice.)
>
> It seems that a lot of distributions configure a root.hint out of
> habit.  It's actually a step backwards, since unless you have a
> process to update root.hint, your copy is likely to end up being older
> than named's built-ins...
>
> It's been a while since I looked, but at that time, a 20ish year old
> root.hint had only a couple of IPv4 addresses wrong.  (Didn't have
> many IPv6.)  root.hint really IS stable - and so, therefore, are the
> named built-ins.
>
Thanks for the additional information on root hinting, makes much sense.
Funnily enough I'm now considering disabling the root hint - right after
having solved the original problem :-) .. a classic.

I wasn't aware either about qname minimization, I went on to read about
it and also found it very valuable information. I am indeed concerned
about privacy.

In all, you helped me to solve the issue AND I also learned about Bind,
so I'm very grateful. Brilliant indeed!

Kind regards


> Timothe Litt
> ACM Distinguished Engineer
> --
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed. 
> On 03-Jun-21 22:45, 3coma3 wrote:
>> Dear list:
>>
>> I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to
>> upgrade
>> bind from 9.11.3+dfsg-1ubuntu1.15 (current version for
>> bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1
>>
>> (I was needing to use the validate-except clause and this new version
>> supports it)
>>
>> After the upgrade, attempting to start the named service failed with
>> this error:
>> Jun  3 22:03:53 top named[19946]: could not configure root hints from
>> '/usr/share/dns/root.hints': permission denied
>>
>> Right below that apparmor logs this:
>>
>> Jun  3 22:03:53 top kernel: [17981.067014] audit: type=1400
>> audit(1622768633.158:559): apparmor="DENIED" operation="open"
>> profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
>> comm="isc-worker" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
>>
>>
>> What's puzzling is that the apparmor profile apparently allows the read
>> @ line 36:
>>
>> find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
>> /etc/apparmor.d/usr.sbin.named:36:  /usr/share/dns/root.* r,
>>
>> dpkg -S /etc/apparmor.d/usr.sbin.named
>> bind9: /etc/apparmor.d/usr.sbin.named
>>
>> apt-cache policy bind9
>> bind9:
>>   Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
>>   Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
>>   Version table:
>>  *** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
>>     500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64
>> Packages
>>     100 /var/lib/dpkg/status
>>  1:9.11.3+dfsg-1ubuntu1.15 500
>>     500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main
>> amd64 Packages
>>     500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
>> Packages
>>  1

Re: root.hints - apparmor access error with Bind from PPA

[3coma3]

Hi G.W.,

On 4/6/21 12:33, G.W. Haywood via bind-users wrote:
> Hi there,
>
> On Fri, 4 Jun 2021, 3coma3 wrote:
>
>> Jun 3 22:03:53 ... apparmor="DENIED" ... "/usr/share/dns/root.hints" ...
>
> This isn't exactly an answer to your question but I don't think you
> need root.hints any more - you can just delete it.
>
> I'm currently using 9.11.26, and I haven't used root.hints for years.
> The hints section (zone ".") in my named.conf is just commented out.
>
> https://kb.isc.org/docs/aa-01309
>
> HTH

Your suggestion is in line with what was pointed out by Timothe, also
great explanation from the KB.

It seems this is an extra precaution on the side of Debian, perhaps to
cover some obscure corner case of unreachable root servers? Otherwise I
cannot think of a good reason they include this. I've turned off the
root hint now.

Thanks for the help and info


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

No more support for windows

[Peter via bind-users]

When people find out2024 is the year bind is no longer supported for 
windows people aregoing to be upset this all seems to be done quietly 
nothing posted on the the isc.org site about this just how many people 
depend on bind for windows will be shocking.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

No more support for windows

[Peter via bind-users]

On 04/06/2021 6:05 pm, John Thurston wrote:


On 6/4/2021 8:48 AM, Peter via bind-users wrote:

When people find out2024 is the year bind is no longer supported for
windows people aregoing to be upset this all seems to be done quietly
nothing posted on the the isc.org site about this just how many people
depend on bind for windows will be shocking.


And griping about the decision on the mailing list is annoying.

If you want to alter the decision, bring something new to the 
discussion. Funding to pay for the windows development team? 
Logistical support for the project?


Anything constructive will be better received than repeating "I don't 
like your decision".


Yes John Thurston I said about a subscription here which I guess will 
not happen if they made up thier mind its likly no going to happen.


Deprecating BIND 9.18+ on Windows (or making it community improved and 
supported (isc.org) 




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: No more support for windows

[Ondřej Surý]

Do you understand how ironic is for you to complain about “subscription is not 
going to happen” while **every** email on the mailing list has this note in the 
footer:

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 4. 6. 2021, at 19:47, Peter via bind-users  
> wrote:
> 
> 
> On 04/06/2021 6:05 pm, John Thurston wrote:
>> 
>>> On 6/4/2021 8:48 AM, Peter via bind-users wrote: 
>>> When people find out2024 is the year bind is no longer supported for 
>>> windows people aregoing to be upset this all seems to be done quietly 
>>> nothing posted on the the isc.org site about this just how many people 
>>> depend on bind for windows will be shocking. 
>> 
>> And griping about the decision on the mailing list is annoying. 
>> 
>> If you want to alter the decision, bring something new to the discussion. 
>> Funding to pay for the windows development team? Logistical support for the 
>> project? 
>> 
>> Anything constructive will be better received than repeating "I don't like 
>> your decision". 
>> 
> Yes John Thurston I said about a subscription here which I guess will not 
> happen if they made up thier mind its likly no going to happen.  
> 
> Deprecating BIND 9.18+ on Windows (or making it community improved and 
> supported (isc.org)
> 
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: No more support for windows

[Peter via bind-users]

Well its clearly not working so it needs to change just like DDNS is 
free but you can paid for a subscription thats easy to do or SSL is free 
for 90days but you have the option to pay easily for a year but that 
might not work for bind for windows so it needs to be a subscription to 
run it at least for windows so it can be supported. This would mean some 
type of activation that can't work on another system how thats done I 
don't know like what if the system its running on goes down and you have 
to put bind on another system how do you deal with that and so 
onmaybe if you do a year subscription of some amount you get 12 one 
time keys in a file that bind uses each month to valid your use and 
removes a key this list can be updated to add more keys as you extend 
the subscription so in the event the system dies you have some keys for 
a new system.


But I don't really see this happening would like to be proven wrong...

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: No more support for windows

[Peter Coghlan]

What I find ironic is that here:

https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md

the very first line says:

"BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the Domain Name System (DNS) protocol."

If this were truly the case, BIND would work on Windows (or any other
platform that doesn't have a "u" in it's name) with minimal effort
and would not require specific funding to adapt it to any particular
platform.

Can we please have a realistic definition of what BIND is and what
it's objectives are?

I for one would be more likely to contribute to the development of
a non-platform-specific, portable BIND than a single-platform-specific
one.

On the other hand, if it has already been decided that BIND can only
realistically be implemented in the *u* arena and will rely on
facilities only available in this arena, then shouldn't this be stated
clearly instead of also declaring that it is highly portable?

Regards,
Peter Coghlan.

> 
> Do you understand how ironic is for you to complain about “subscription is
> not going to happen” while **every** email on the mailing list has this
> note in the footer:
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
>> On 4. 6. 2021, at 19:47, Peter via bind-users  
>> wrote:
>> 
>> 
>> On 04/06/2021 6:05 pm, John Thurston wrote:
>>> 
 On 6/4/2021 8:48 AM, Peter via bind-users wrote: 
 When people find out2024 is the year bind is no longer supported for 
 windows people aregoing to be upset this all seems to be done quietly 
 nothing posted on the the isc.org site about this just how many people 
 depend on bind for windows will be shocking. 
>>> 
>>> And griping about the decision on the mailing list is annoying. 
>>> 
>>> If you want to alter the decision, bring something new to the discussion. 
>>> Funding to pay for the windows development team? Logistical support for the 
>>> project? 
>>> 
>>> Anything constructive will be better received than repeating "I don't like 
>>> your decision". 
>>> 
>> Yes John Thurston I said about a subscription here which I guess will not 
>> happen if they made up thier mind its likly no going to happen.  
>> 
>> Deprecating BIND 9.18+ on Windows (or making it community improved and 
>> supported (isc.org)
>> 
>> 
>> 
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. 
>> Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: No more support for windows

[Ondřej Surý]

Peter,

do you seriously think that this word play is going to help the BIND 9
support for Windows? So, I am asking you, what’s your serious
proposal what should we do?

I’ve had asked if people are willing to invest time, effort or money
into keeping the Windows support alive. I would rather accept an
external contributor with a commitment rather than just a fat cheque,
because Windows support isn’t really something we are putting our
heart in.

The ISC is working on improving BIND 9 day and night (in fact, it’s
almost 11pm here), and we are spread thin, and we have to prioritise.
And if I had to answer the question whether I and my team should
spend time improving BIND 9 just for everybody or invest the precious
time into fixing yet another incompatibility between POSIX/SUSv2 and
Windows world, I think the answer would be always: Let’s improve
things for majority of our users. It’s just simple as that.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 4. 6. 2021, at 20:37, Peter Coghlan  wrote:
> 
> What I find ironic is that here:
> 
> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md
> 
> the very first line says:
> 
> "BIND (Berkeley Internet Name Domain) is a complete, highly portable
> implementation of the Domain Name System (DNS) protocol."
> 
> If this were truly the case, BIND would work on Windows (or any other
> platform that doesn't have a "u" in it's name) with minimal effort
> and would not require specific funding to adapt it to any particular
> platform.
> 
> Can we please have a realistic definition of what BIND is and what
> it's objectives are?
> 
> I for one would be more likely to contribute to the development of
> a non-platform-specific, portable BIND than a single-platform-specific
> one.
> 
> On the other hand, if it has already been decided that BIND can only
> realistically be implemented in the *u* arena and will rely on
> facilities only available in this arena, then shouldn't this be stated
> clearly instead of also declaring that it is highly portable?
> 
> Regards,
> Peter Coghlan.
> 
>> 
>> Do you understand how ironic is for you to complain about “subscription is
>> not going to happen” while **every** email on the mailing list has this
>> note in the footer:
>> 
>> ISC funds the development of this software with paid support subscriptions.
>> Contact us at https://www.isc.org/contact/ for more information.
>> 
>> --
>> Ondřej Surý — ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.
>> 
>>> On 4. 6. 2021, at 19:47, Peter via bind-users  
>>> wrote:
>>> 
>>> 
>>> On 04/06/2021 6:05 pm, John Thurston wrote:
 
> On 6/4/2021 8:48 AM, Peter via bind-users wrote: 
> When people find out2024 is the year bind is no longer supported for 
> windows people aregoing to be upset this all seems to be done quietly 
> nothing posted on the the isc.org site about this just how many people 
> depend on bind for windows will be shocking. 
 
 And griping about the decision on the mailing list is annoying. 
 
 If you want to alter the decision, bring something new to the discussion. 
 Funding to pay for the windows development team? Logistical support for 
 the project? 
 
 Anything constructive will be better received than repeating "I don't like 
 your decision". 
 
>>> Yes John Thurston I said about a subscription here which I guess will not 
>>> happen if they made up thier mind its likly no going to happen.  
>>> 
>>> Deprecating BIND 9.18+ on Windows (or making it community improved and 
>>> supported (isc.org)
>>> 
>>> 
>>> 
>>> ___
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>> unsubscribe from this list
>>> 
>>> ISC funds the development of this software with paid support subscriptions. 
>>> Contact us at https://www.isc.org/contact/ for more information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: No more support for windows

[Gregory Sloop]

This feels a lot like responding to trolls, but I'll instead assume that you're 
asking (or making a point) in good faith.

So, we'll stipulate that - you're actually interested in truth and knowledge.

So, it's easily compiled on Mac, Unix, FreeBSD, Linux, SunOS, RaspPi, etc.
And it compiles on a huge range of hardware, CPU's etc.

I'd consider that highly portable.

You're welcome to disagree, but then someone else will complain it's not 
available in Amiga, Atari and under Dos and complain it isn't "portable" 
because there's no dos version.

So how many platforms do you have to support, to call it portable? 
(I've always thought of "portable" code, in this context especially, as code 
that is kept open so it will fairly easily compile on any *nix/posix platform 
without too much drama. And I think that's a pretty universal understanding for 
*nix style code.)

So, it seems you are tilting at windmills, complaining about Windows only.

Yes, the fundamentals of Windows are *VERY* different than any 
Linux/Unix/Solaris etc based platform. As such, making it work across all those 
platforms is really quite a lot of work. 
(Making it work fine, even on the future supported platforms (*nix) isn't 
trivial - obviously adding Windows to the mix is far, far more!)

And, it seems like no-one has stepped up to commit the $$$ needed to keep that 
support going.
Even a cheap dev probably charges $100+ an hour. How many hours/dollars do you 
think, in aggregate, is committed to keeping Windows support? It's not going to 
be like buying a $3 app for your phone - since the market for Windows users is 
far smaller.

And, I suspect, if we reach the end of the road for Windows support, and 
there's a half million users out there that want BIND supported on Windows, and 
they'll all pledge a buck a year, than I'd expect that Windows support will 
roll right out.

But if instead there's 100 people willing to pledge even $100 a year, well I'd 
guess that's not likely to pay for it.

ISC manages to pay the people who write code and do support through support 
contracts. Do you have one of those?

So the last option is; 
You, or someone else to simply give away their time for free. 
You up for that?
If you're not, or you don't have that skill set, then complaining bitterly 
seems a little hypocritical.

ISC already releases a huge set of software that you almost certainly use every 
single day (DHCP server and clients, along with BIND) and they aren't charging 
you a dime for that use. They're not charging your ISP either, or a ton of 
other people. So, IMO, they've really done a ton of free work for the community 
already. 

But it seems like you think it's not enough.

Sigh. 
What. Can. I. Say.
ISC does a lot of really good work.
IMO, this kind of a complaint is really misplaced.

And to be clear, I won't engage in a bunch of back-and-forth arguing this 
position. You're welcome to agree or not.
But *I* think you're obviously wrong, and I want everyone at ISC who does all 
that good work, developing great software that they let us use for free that I 
really appreciate their work.

-Greg



PC> What I find ironic is that here:

PC> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md

PC> the very first line says:

PC> "BIND (Berkeley Internet Name Domain) is a complete, highly portable
PC> implementation of the Domain Name System (DNS) protocol."

PC> If this were truly the case, BIND would work on Windows (or any other
PC> platform that doesn't have a "u" in it's name) with minimal effort
PC> and would not require specific funding to adapt it to any particular
PC> platform.

PC> Can we please have a realistic definition of what BIND is and what
PC> it's objectives are?

PC> I for one would be more likely to contribute to the development of
PC> a non-platform-specific, portable BIND than a single-platform-specific
PC> one.

PC> On the other hand, if it has already been decided that BIND can only
PC> realistically be implemented in the *u* arena and will rely on
PC> facilities only available in this arena, then shouldn't this be stated
PC> clearly instead of also declaring that it is highly portable?

PC> Regards,
PC> Peter Coghlan.


>> Do you understand how ironic is for you to complain about “subscription is
>> not going to happen” while **every** email on the mailing list has this
>> note in the footer:

>> ISC funds the development of this software with paid support subscriptions.
>> Contact us at https://www.isc.org/contact/ for more information.

>> --
>> Ondřej Surý — ISC (He/Him)

>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.

>>> On 4. 6. 2021, at 19:47, Peter via bind-users  
>>> wrote:

>>> 
>>> On 04/06/2021 6:05 pm, John Thurston wrote:

> On 6/4/2021 8:48 AM, Peter via bind-users wrote: 
> When people find out2024 is the year bind is no longer supported for 
> windows people aregoing to be upset

Re: No more support for windows

[Eric Germann via bind-users]

Call me naive, but I’m trying to figure out what the corner case is to use BIND 
on Windows.

For an internal network Windows Server already has a name server that 
integrates with AD and everything else needed to run a Windows network.  
Support for DDNS is a lot easier, it has tons of SRV records needed for service 
location, etc.  It seems it would be a lot easier to use that for a Windows 
network than shoehorn everything in to BIND.

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann 
 
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash } 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1







> On Jun 4, 2021, at 4:58 PM, Gregory Sloop  wrote:
> 
> This feels a lot like responding to trolls, but I'll instead assume that 
> you're asking (or making a point) in good faith.
> 
> So, we'll stipulate that - you're actually interested in truth and knowledge.
> 
> So, it's easily compiled on Mac, Unix, FreeBSD, Linux, SunOS, RaspPi, etc.
> And it compiles on a huge range of hardware, CPU's etc.
> 
> I'd consider that highly portable.
> 
> You're welcome to disagree, but then someone else will complain it's not 
> available in Amiga, Atari and under Dos and complain it isn't "portable" 
> because there's no dos version.
> 
> So how many platforms do you have to support, to call it portable?
> (I've always thought of "portable" code, in this context especially, as code 
> that is kept open so it will fairly easily compile on any *nix/posix platform 
> without too much drama. And I think that's a pretty universal understanding 
> for *nix style code.)
> 
> So, it seems you are tilting at windmills, complaining about Windows only.
> 
> Yes, the fundamentals of Windows are *VERY* different than any 
> Linux/Unix/Solaris etc based platform. As such, making it work across all 
> those platforms is really quite a lot of work.
> (Making it work fine, even on the future supported platforms (*nix) isn't 
> trivial - obviously adding Windows to the mix is far, far more!)
> 
> And, it seems like no-one has stepped up to commit the $$$ needed to keep 
> that support going.
> Even a cheap dev probably charges $100+ an hour. How many hours/dollars do 
> you think, in aggregate, is committed to keeping Windows support? It's not 
> going to be like buying a $3 app for your phone - since the market for 
> Windows users is far smaller.
> 
> And, I suspect, if we reach the end of the road for Windows support, and 
> there's a half million users out there that want BIND supported on Windows, 
> and they'll all pledge a buck a year, than I'd expect that Windows support 
> will roll right out.
> 
> But if instead there's 100 people willing to pledge even $100 a year, well 
> I'd guess that's not likely to pay for it.
> 
> ISC manages to pay the people who write code and do support through support 
> contracts. Do you have one of those?
> 
> So the last option is;
> You, or someone else to simply give away their time for free.
> You up for that?
> If you're not, or you don't have that skill set, then complaining bitterly 
> seems a little hypocritical.
> 
> ISC already releases a huge set of software that you almost certainly use 
> every single day (DHCP server and clients, along with BIND) and they aren't 
> charging you a dime for that use. They're not charging your ISP either, or a 
> ton of other people. So, IMO, they've really done a ton of free work for the 
> community already.
> 
> But it seems like you think it's not enough.
> 
> Sigh.
> What. Can. I. Say.
> ISC does a lot of really good work.
> IMO, this kind of a complaint is really misplaced.
> 
> And to be clear, I won't engage in a bunch of back-and-forth arguing this 
> position. You're welcome to agree or not.
> But *I* think you're obviously wrong, and I want everyone at ISC who does all 
> that good work, developing great software that they let us use for free that 
> I really appreciate their work.
> 
> -Greg
> 
> 
> 
> PC> What I find ironic is that here:
> 
> PC> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md 
> 
> 
> PC> the very first line says:
> 
> PC> "BIND (Berkeley Internet Name Domain) is a complete, highly portable
> PC> implementation of the Domain Name System (DNS) protocol."
> 
> PC> If this were truly the case, BIND would work on Windows (or any other
> PC> platform that doesn't have a "u" in it's name) with minimal effort
> PC> and would not require specific funding to adapt it to any particular
> PC> platform.
> 
> PC> Can we please have a realistic definition of what BIND is and what
> PC> it's objectives are?
> 
> PC> I for one would be more likely to contribute to the development of
> PC> a non-platform-specific, portable BIND than a single-platform-specific
> PC> one.
> 
> PC> On the ot

Re: No more support for windows

[Ondřej Surý]

What I’ve heard is that the geoip/maxmindb is the deal breaker,
but on general level, I concur that MS-DNS is a good choice for
Windows Server deployments.

I am a big fan of picking the right tool for the job.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 4. 6. 2021, at 23:31, Eric Germann via bind-users 
>  wrote:
> 
> Call me naive, but I’m trying to figure out what the corner case is to use 
> BIND on Windows.
> 
> For an internal network Windows Server already has a name server that 
> integrates with AD and everything else needed to run a Windows network.  
> Support for DDNS is a lot easier, it has tons of SRV records needed for 
> service location, etc.  It seems it would be a lot easier to use that for a 
> Windows network than shoehorn everything in to BIND.
> 
> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann 
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash } 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
> 
> 
> 
> 
> 
> 
> 
>> On Jun 4, 2021, at 4:58 PM, Gregory Sloop  wrote:
>> 
>> This feels a lot like responding to trolls, but I'll instead assume that 
>> you're asking (or making a point) in good faith.
>> 
>> So, we'll stipulate that - you're actually interested in truth and knowledge.
>> 
>> So, it's easily compiled on Mac, Unix, FreeBSD, Linux, SunOS, RaspPi, etc.
>> And it compiles on a huge range of hardware, CPU's etc.
>> 
>> I'd consider that highly portable.
>> 
>> You're welcome to disagree, but then someone else will complain it's not 
>> available in Amiga, Atari and under Dos and complain it isn't "portable" 
>> because there's no dos version.
>> 
>> So how many platforms do you have to support, to call it portable?
>> (I've always thought of "portable" code, in this context especially, as code 
>> that is kept open so it will fairly easily compile on any *nix/posix 
>> platform without too much drama. And I think that's a pretty universal 
>> understanding for *nix style code.)
>> 
>> So, it seems you are tilting at windmills, complaining about Windows only.
>> 
>> Yes, the fundamentals of Windows are *VERY* different than any 
>> Linux/Unix/Solaris etc based platform. As such, making it work across all 
>> those platforms is really quite a lot of work.
>> (Making it work fine, even on the future supported platforms (*nix) isn't 
>> trivial - obviously adding Windows to the mix is far, far more!)
>> 
>> And, it seems like no-one has stepped up to commit the $$$ needed to keep 
>> that support going.
>> Even a cheap dev probably charges $100+ an hour. How many hours/dollars do 
>> you think, in aggregate, is committed to keeping Windows support? It's not 
>> going to be like buying a $3 app for your phone - since the market for 
>> Windows users is far smaller.
>> 
>> And, I suspect, if we reach the end of the road for Windows support, and 
>> there's a half million users out there that want BIND supported on Windows, 
>> and they'll all pledge a buck a year, than I'd expect that Windows support 
>> will roll right out.
>> 
>> But if instead there's 100 people willing to pledge even $100 a year, well 
>> I'd guess that's not likely to pay for it.
>> 
>> ISC manages to pay the people who write code and do support through support 
>> contracts. Do you have one of those?
>> 
>> So the last option is;
>> You, or someone else to simply give away their time for free.
>> You up for that?
>> If you're not, or you don't have that skill set, then complaining bitterly 
>> seems a little hypocritical.
>> 
>> ISC already releases a huge set of software that you almost certainly use 
>> every single day (DHCP server and clients, along with BIND) and they aren't 
>> charging you a dime for that use. They're not charging your ISP either, or a 
>> ton of other people. So, IMO, they've really done a ton of free work for the 
>> community already.
>> 
>> But it seems like you think it's not enough.
>> 
>> Sigh.
>> What. Can. I. Say.
>> ISC does a lot of really good work.
>> IMO, this kind of a complaint is really misplaced.
>> 
>> And to be clear, I won't engage in a bunch of back-and-forth arguing this 
>> position. You're welcome to agree or not.
>> But *I* think you're obviously wrong, and I want everyone at ISC who does 
>> all that good work, developing great software that they let us use for free 
>> that I really appreciate their work.
>> 
>> -Greg
>> 
>> 
>> 
>> PC> What I find ironic is that here:
>> 
>> PC> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md
>> 
>> PC> the very first line says:
>> 
>> PC> "BIND (Berkeley Internet Name Domain) is a complete, highly portable
>> PC> implementation of the Domain Name System (DNS) protocol."
>> 
>> PC> If this were truly the case, BIND would work on Windows (or any other
>> PC> platform that doesn't have a "u" in it's name) with minimal effort
>> PC> and would not req

Re: No more support for windows

[alcol alcol]

Really is not as u say
first of all you have to take in mind DMZ and other complex config

As last (as I used it) , I used Linux DIST for Authorative and internet facing 
resolver with TLD and as resolver
and two internal windows with BIND on Windows Server and WINS

If you use Active Directory , is used to know is in use MS DNS (so trash).
If you don't use Active Directory or you are inside a DMZ and a complex 
enviroment, can be allowed to havi WINS too a Windows Server with BIND AND NOT 
ACTIVE DIRECTORY (an ldap redesigned).


Best Regards
Alberto Colosi
ICT Security


From: bind-users  on behalf of Eric Germann 
via bind-users 
Sent: Friday, June 4, 2021 11:31 PM
To: Greg Sloop 
Cc: bind-users@lists.isc.org 
Subject: Re: No more support for windows

Call me naive, but I’m trying to figure out what the corner case is to use BIND 
on Windows.

For an internal network Windows Server already has a name server that 
integrates with AD and everything else needed to run a Windows network.  
Support for DDNS is a lot easier, it has tons of SRV records needed for service 
location, etc.  It seems it would be a lot easier to use that for a Windows 
network than shoehorn everything in to BIND.

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash } 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1







On Jun 4, 2021, at 4:58 PM, Gregory Sloop 
mailto:gr...@sloop.net>> wrote:

This feels a lot like responding to trolls, but I'll instead assume that you're 
asking (or making a point) in good faith.

So, we'll stipulate that - you're actually interested in truth and knowledge.

So, it's easily compiled on Mac, Unix, FreeBSD, Linux, SunOS, RaspPi, etc.
And it compiles on a huge range of hardware, CPU's etc.

I'd consider that highly portable.

You're welcome to disagree, but then someone else will complain it's not 
available in Amiga, Atari and under Dos and complain it isn't "portable" 
because there's no dos version.

So how many platforms do you have to support, to call it portable?
(I've always thought of "portable" code, in this context especially, as code 
that is kept open so it will fairly easily compile on any *nix/posix platform 
without too much drama. And I think that's a pretty universal understanding for 
*nix style code.)

So, it seems you are tilting at windmills, complaining about Windows only.

Yes, the fundamentals of Windows are *VERY* different than any 
Linux/Unix/Solaris etc based platform. As such, making it work across all those 
platforms is really quite a lot of work.
(Making it work fine, even on the future supported platforms (*nix) isn't 
trivial - obviously adding Windows to the mix is far, far more!)

And, it seems like no-one has stepped up to commit the $$$ needed to keep that 
support going.
Even a cheap dev probably charges $100+ an hour. How many hours/dollars do you 
think, in aggregate, is committed to keeping Windows support? It's not going to 
be like buying a $3 app for your phone - since the market for Windows users is 
far smaller.

And, I suspect, if we reach the end of the road for Windows support, and 
there's a half million users out there that want BIND supported on Windows, and 
they'll all pledge a buck a year, than I'd expect that Windows support will 
roll right out.

But if instead there's 100 people willing to pledge even $100 a year, well I'd 
guess that's not likely to pay for it.

ISC manages to pay the people who write code and do support through support 
contracts. Do you have one of those?

So the last option is;
You, or someone else to simply give away their time for free.
You up for that?
If you're not, or you don't have that skill set, then complaining bitterly 
seems a little hypocritical.

ISC already releases a huge set of software that you almost certainly use every 
single day (DHCP server and clients, along with BIND) and they aren't charging 
you a dime for that use. They're not charging your ISP either, or a ton of 
other people. So, IMO, they've really done a ton of free work for the community 
already.

But it seems like you think it's not enough.

Sigh.
What. Can. I. Say.
ISC does a lot of really good work.
IMO, this kind of a complaint is really misplaced.

And to be clear, I won't engage in a bunch of back-and-forth arguing this 
position. You're welcome to agree or not.
But *I* think you're obviously wrong, and I want everyone at ISC who does all 
that good work, developing great software that they let us use for free that I 
really appreciate their work.

-Greg



PC> What I find ironic is that here:

PC> 
https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md

PC> the very first line says:

PC> "BIND (Berkeley Internet Name Domain) is a complete, h

Re: No more support for windows

[alcol alcol]

REALLY, it is




From: bind-users  on behalf of Ondřej Surý 

Sent: Friday, June 4, 2021 11:39 PM
To: Eric Germann 
Cc: bind-users@lists.isc.org 
Subject: Re: No more support for windows

What I’ve heard is that the geoip/maxmindb is the deal breaker,
but on general level, I concur that MS-DNS is a good choice for
Windows Server deployments.

I am a big fan of picking the right tool for the job.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 4. 6. 2021, at 23:31, Eric Germann via bind-users 
>  wrote:
>
> Call me naive, but I’m trying to figure out what the corner case is to use 
> BIND on Windows.
>
> For an internal network Windows Server already has a name server that 
> integrates with AD and everything else needed to run a Windows network.  
> Support for DDNS is a lot easier, it has tons of SRV records needed for 
> service location, etc.  It seems it would be a lot easier to use that for a 
> Windows network than shoehorn everything in to BIND.
>
> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash } 513 {dash} 0712
>
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
>
>
>
>
>
>
>
>> On Jun 4, 2021, at 4:58 PM, Gregory Sloop  wrote:
>>
>> This feels a lot like responding to trolls, but I'll instead assume that 
>> you're asking (or making a point) in good faith.
>>
>> So, we'll stipulate that - you're actually interested in truth and knowledge.
>>
>> So, it's easily compiled on Mac, Unix, FreeBSD, Linux, SunOS, RaspPi, etc.
>> And it compiles on a huge range of hardware, CPU's etc.
>>
>> I'd consider that highly portable.
>>
>> You're welcome to disagree, but then someone else will complain it's not 
>> available in Amiga, Atari and under Dos and complain it isn't "portable" 
>> because there's no dos version.
>>
>> So how many platforms do you have to support, to call it portable?
>> (I've always thought of "portable" code, in this context especially, as code 
>> that is kept open so it will fairly easily compile on any *nix/posix 
>> platform without too much drama. And I think that's a pretty universal 
>> understanding for *nix style code.)
>>
>> So, it seems you are tilting at windmills, complaining about Windows only.
>>
>> Yes, the fundamentals of Windows are *VERY* different than any 
>> Linux/Unix/Solaris etc based platform. As such, making it work across all 
>> those platforms is really quite a lot of work.
>> (Making it work fine, even on the future supported platforms (*nix) isn't 
>> trivial - obviously adding Windows to the mix is far, far more!)
>>
>> And, it seems like no-one has stepped up to commit the $$$ needed to keep 
>> that support going.
>> Even a cheap dev probably charges $100+ an hour. How many hours/dollars do 
>> you think, in aggregate, is committed to keeping Windows support? It's not 
>> going to be like buying a $3 app for your phone - since the market for 
>> Windows users is far smaller.
>>
>> And, I suspect, if we reach the end of the road for Windows support, and 
>> there's a half million users out there that want BIND supported on Windows, 
>> and they'll all pledge a buck a year, than I'd expect that Windows support 
>> will roll right out.
>>
>> But if instead there's 100 people willing to pledge even $100 a year, well 
>> I'd guess that's not likely to pay for it.
>>
>> ISC manages to pay the people who write code and do support through support 
>> contracts. Do you have one of those?
>>
>> So the last option is;
>> You, or someone else to simply give away their time for free.
>> You up for that?
>> If you're not, or you don't have that skill set, then complaining bitterly 
>> seems a little hypocritical.
>>
>> ISC already releases a huge set of software that you almost certainly use 
>> every single day (DHCP server and clients, along with BIND) and they aren't 
>> charging you a dime for that use. They're not charging your ISP either, or a 
>> ton of other people. So, IMO, they've really done a ton of free work for the 
>> community already.
>>
>> But it seems like you think it's not enough.
>>
>> Sigh.
>> What. Can. I. Say.
>> ISC does a lot of really good work.
>> IMO, this kind of a complaint is really misplaced.
>>
>> And to be clear, I won't engage in a bunch of back-and-forth arguing this 
>> position. You're welcome to agree or not.
>> But *I* think you're obviously wrong, and I want everyone at ISC who does 
>> all that good work, developing great software that they let us use for free 
>> that I really appreciate their work.
>>
>> -Greg
>>
>>
>>
>> PC> What I find ironic is that here:
>>
>> PC> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md
>>
>> PC> the very first line says:
>>
>> PC> "BIND (Berkeley Internet Name Domain) is a complete, highly portable
>> PC> implementation of the Domain Name System (DNS) proto

named reload and HTTPS certs

[Eric Germann via bind-users]

There’s been some great discussion lately on enabling DoH with LetsEncrypt 
certs.

My question is this:  If I renew the cert while named is running and do a 
reload on it, is that enough to pick up the new certs or do I need to 
stop/start the named process?

Basically, does reload only reload the zones or the entire config and 
subordinate files?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1









signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users