Re: getting a later-version of BIND on various linux OS's

2020-11-08 Thread Rob McEwen

oops - sorry - I totally missed THIS page:
https://packages.debian.org/sid/amd64/bind9/download
...so it seems that there is a way. Still, I'm getting weird errors about:

E: The repository 'http://ftp.debian.org/debian sig Release' does not 
have a Release file.
N: Updating from such a repository can't be done securely, and is 
therefore disabled by default.


...but I'll work through those and ask a follow-up if I get stuck. Sorry 
for the noise - I can't believe I missed that extra page.


Rob McEwen

On 11/9/2020 2:18 AM, Rob McEwen wrote:


Several weeks ago, Mark Andrews gave me an excellent suggestion about 
a particular BIND feature, but it is a somewhat recent feature that 
started to exist on a version of BIND that isn't yet distributed in 
the default/main BIND distributions for many of the most common 
linux-based operating systems. I think the particular feature that was 
mentioned - came into existence around BIND 9.13? Unfortunately, many 
of the major linux operating systems haven't reached 9.13 yet. So, for 
example, I'm currently trying to upgrade a Debian server to a more 
recent version of BIND - 9.16 - and I saw the following pages:


https://packages.debian.org/sid/bind9

https://www.isc.org/blogs/bind-9-packages/

But I can't seem to find any simple way to do this - or maybe I missed 
something on that page? - from what I've seen, for Debian, it requires 
that the BIND source code (and various dependencies) be downloaded, 
and then BIND has to be compiled. Or so it seems. I tried that, but 
kept running into errors  - something about "Libressl not found" - 
even though I really did already have the SSL package installed that 
it said it needed. It was a downward-spiral mess I couldn't seem to 
resolve.


So here is the question - is there an */easier/simpler/* way to get 
the most common linux operating systems (Debian, Ubuntu, CentOs, etc) 
- to a later version of BIND - beyond what auto-installs when you 
issue a command like "apt-get install bind9" - but /without/ having to 
download and compile the source code?


--
Rob McEwen, invaluement
  


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




getting a later-version of BIND on various linux OS's

2020-11-08 Thread Rob McEwen
Several weeks ago, Mark Andrews gave me an excellent suggestion about a 
particular BIND feature, but it is a somewhat recent feature that 
started to exist on a version of BIND that isn't yet distributed in the 
default/main BIND distributions for many of the most common linux-based 
operating systems. I think the particular feature that was mentioned - 
came into existence around BIND 9.13? Unfortunately, many of the major 
linux operating systems haven't reached 9.13 yet. So, for example, I'm 
currently trying to upgrade a Debian server to a more recent version of 
BIND - 9.16 - and I saw the following pages:


https://packages.debian.org/sid/bind9

https://www.isc.org/blogs/bind-9-packages/

But I can't seem to find any simple way to do this - or maybe I missed 
something on that page? - from what I've seen, for Debian, it requires 
that the BIND source code (and various dependencies) be downloaded, and 
then BIND has to be compiled. Or so it seems. I tried that, but kept 
running into errors  - something about "Libressl not found" - even 
though I really did already have the SSL package installed that it said 
it needed. It was a downward-spiral mess I couldn't seem to resolve.


So here is the question - is there an */easier/simpler/* way to get the 
most common linux operating systems (Debian, Ubuntu, CentOs, etc) - to a 
later version of BIND - beyond what auto-installs when you issue a 
command like "apt-get install bind9" - but /without/ having to download 
and compile the source code?


--
Rob McEwen, invaluement
 



Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Timothe Litt
On 07-Nov-20 14:06, Tom J. Marcoen wrote:
> Having at least two name servers is not a requirement by the RFC
> standards but which TLD allows for only one NS server to be given when
> you register a domain?
>
> On Sat, 7 Nov 2020 at 16:53, Kevin A. McGrail wrote:
>
> On 11/7/2020 10:15 AM, Reindl Harald wrote:
>>
>> https://tools.ietf.org/html/rfc1537
>> Common DNS Data File Configuration Errors
>>
>> 6. Missing secondary servers
>>
>> > It is required that there be a least 2 nameservers
>> > for a domain.
>>
>> -
>>
>> that above is common knowledge virtually forever and the
>> difference of "must" and "should" in IETF wordings is also very
>> clear 
>
> While I agree this is common knowledge as a best practice, this
> rfc is a memo NOT a standard from my reading:
>
>   This memo provides information for the Internet community.  It does
>not specify an Internet standard.  Distribution of this memo is
>unlimited.
>
> Regards,
> KAM
>
>

I'm amazed that this thread has persisted for so long on this list of
knowledgeable people.

RFC1034, one of the two
foundational RFCs for the DNS:

P.18 in section 4.1 (NAME SERVERS => Introduction):

A given zone will be available from several name servers to insure its
availability in spite of host or communication link failure.  By
administrative fiat, we require every zone to be available on at least
two servers, and many zones have more redundancy than that.

In case the font is too small, the key phrase is:

"we require every zone to be available on at least two servers"

That's "REQUIRE" at least TWO SERVERS.

https://tools.ietf.org/html/rfc1537 documents common misconfigurations -
that is, cases of non-conformance to the RFCs that the author
encountered circa 1993.  It was superseded in 1993 by RFC 1912, where
section 2.8 starts with "You are required to have at least two
nameservers for every domain".
Neither document supersedes RFC1034; rather they attempt to help with
interpreting it.

https://www.iana.org/help/nameserver-requirements consolidates
information from several RFCs, since the DNS has evolved over time.  It
is not an RFC, but a convenient summary.  It primarily documents the
tests performed by IANA when it processes a delegation change to the
root, .INT, and .ARPA zones.  These tests validate conformance to the
RFCs.  As the introduction says, "These tests do not measure against
best practices or comprehensively measure protocol conformance. They are
a practical set of baseline requirements that catch common
misconfiguration errors that impact stable operations of the DNS."

Bottom line: two servers per zone are required by the DNS architecture. 
It's not folklore.  It's not optional.

It is true that the DNS is robust enough to function with a number of
misconfigurations (including just one server for a zone, since in
practice this is almost indistinguishable from transient conditions.)

Nonetheless, the goal of the DNS architecture (and most of its
operators) is to have a stable and robust name service. 
Misconfigurations, such as those documented in rfc1527, make the DNS
unstable and fragile.  The architecture tends to contain the effects of
many misconfigurations, but that doesn't make them wise.

As I noted earlier: "DNS appears deceptively simple at first blush. 
Setting up a serviceable infrastructure requires an investment of
thought and on-going maintenance.  You will not be happy if you skimp on
that investment, since broken DNS is externally visible - and frequently
catastrophic."

I'll finish with a 1987 quote from Leslie Lamport on distributed
systems, which the DNS most certainly is:

"A distributed system is one in which the failure of a computer you
didn't even know existed can render your own computer unusable."

Can the quibbling stop now?

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 





Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Reindl Harald

first: there *is* a requirement of a secondary nameserver
https://www.iana.org/help/nameserver-requirements

On 07.11.20 at 14:21, alcol alcol wrote:
you can't run a sec. srv. from your own. You need some action from 
ADMIN-C or TECH-C


yeah, someone needs to tell the registry the nameservers, that's it; 
nobody expects something to work out of the blue



otherwise it will not work at all x RFC SOA refresh 24H


no idea what that means, but it makes no sense


In all case a sec. srv. on the same net


no *not* on the same net

thelounge.net.  86400   IN  NS  ns1.thelounge.net.
thelounge.net.  86400   IN  NS  ns2.thelounge.net.

ns1 = 85.124.176.242
ns2 = 91.118.73.16

in fact ns2 is the master, ns1 is the slave for historical reasons, both 
hosting some hundred domains, both operated on my own for 12 years now


in fact both are even on the same *redundant* cluster
and the whole backend and automation are homegrown



*From:* bind-users on behalf of Kevin A. McGrail

I just wanted to comment that there is no "requirement" to run a
secondary DNS server.  It's certainly best practice and should be
considered.  However, the goal of having two DNS servers is to promote
redundancy if DNS fails but other services you need have not

this is *not* true at all

https://www.iana.org/help/nameserver-requirements

Requirements for Name Servers

These tests are performed for the set of NS records and any associated 
IP addresses for those name servers. For each individual hostname, tests 
are performed against each IP address and protocol pair.

Minimum number of name servers

There must be at least two NS records listed in a delegation, and the 
hosts must not resolve to the same IP address.

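The two IANA rules quoted above (at least two NS records; the hosts must not resolve to the same IP) and the "not on the same net" point earlier in the message, as an added offline checker that is not part of the thread or of any IANA tooling. The sample delegations are constructed except for the thelounge.net addresses quoted in the message, and the /24 network-diversity heuristic is an assumption, not a rule stated on the IANA page.

```python
import ipaddress
from typing import Dict, List, Set


def check_delegation(ns_hosts: Dict[str, Set[str]]) -> List[str]:
    """Return findings for one delegation; an empty list means it passes.

    ns_hosts maps each NS hostname to the IP addresses it resolves to, so the
    check runs without live DNS. Rules from the IANA text quoted above:
      1. at least two NS records in the delegation
      2. the NS hosts must not resolve to the same IP address
    Heuristic (assumption, not on the IANA page): warn when every IPv4
    address sits in one /24, i.e. the secondary is "on the same net".
    """
    findings: List[str] = []
    if len(ns_hosts) < 2:
        findings.append(f"FAIL: only {len(ns_hosts)} NS record(s); at least two are required")

    seen: Dict[str, str] = {}  # ip -> first hostname that resolved to it
    for host in sorted(ns_hosts):
        if not ns_hosts[host]:
            findings.append(f"FAIL: {host} does not resolve to any address")
        for ip in sorted(ns_hosts[host]):
            if ip in seen and seen[ip] != host:
                findings.append(f"FAIL: {host} and {seen[ip]} both resolve to {ip}")
            seen.setdefault(ip, host)

    v4_nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
               for ip in seen if ipaddress.ip_address(ip).version == 4}
    if len(seen) >= 2 and len(v4_nets) == 1:
        findings.append(f"WARN: all IPv4 name servers sit in {v4_nets.pop()} (no network diversity)")
    return findings


# Constructed sample delegations; the thelounge.net addresses are the ones
# quoted in the message above, the .example zones use documentation ranges.
SAMPLES = {
    "thelounge.net": {"ns1.thelounge.net": {"85.124.176.242"},
                      "ns2.thelounge.net": {"91.118.73.16"}},
    "single-ns.example": {"ns1.single-ns.example": {"192.0.2.53"}},
    "same-ip.example": {"ns1.same-ip.example": {"192.0.2.53"},
                        "ns2.same-ip.example": {"192.0.2.53"}},
    "same-net.example": {"ns1.same-net.example": {"198.51.100.10"},
                         "ns2.same-net.example": {"198.51.100.11"}},
}

if __name__ == "__main__":
    for zone, hosts in SAMPLES.items():
        print(f"{zone}: {check_delegation(hosts) or 'OK'}")
```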


Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Reindl Harald

On 05.11.20 at 20:04, Michael De Roover wrote:

On Thu, 2020-11-05 at 11:27 -0600, Chuck Aurora wrote:

On 2020-11-05 07:36, Bob Harold wrote:

You appear to have confused 'secondary' authoritative servers with
a
second 'resolver'.
Authoritative servers - listed in the NS records - are used by
other
DNS servers, not by end users, and they will get used equally with
the
slaves, if your parent zone has the right NS records also.  Those
are
good to outsource the secondaries.


It should perhaps be pointed out here that the DNS protocol has no
means to distinguish among different types of NS host.  (Yes, there
is
the SOA MNAME, but that is not used by resolvers.)  One NS is as good
as any other NS.


These (SOA and behavior for resolvers) probably describe where I got
confused, thanks for the explanations!


for many years our SOA was the slave :-)


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Reindl Harald


On 07.11.20 at 15:36, Kevin A. McGrail wrote:

On 11/7/2020 9:04 AM, Reindl Harald wrote:

first: there *is* a requirement of a secondary nameserver
https://www.iana.org/help/nameserver-requirements


Does that requirement apply to the use-case? Based on the first
sentence, "These are the technicals tests we perform for delegation
changes in the zones we manage (root zone, .INT, .ARPA).", I would guess
it's not applicable.


"Technical requirements for authoritative name servers" includes that 
use case too, no matter what "technical tests are applied"


-

https://tools.ietf.org/html/rfc1537
Common DNS Data File Configuration Errors

6. Missing secondary servers

> It is required that there be a least 2 nameservers
> for a domain.

-

that above is common knowledge virtually forever and the difference of 
"must" and "should" in IETF wordings is also very clear
