Infrastructure Series: BIND9 Authoritative DNS Guide "Please See Me Edition"

Honorable mention to Unbound/NSD combo (which is the intended approach in stock OpenBSD and together gets green all across that table), but the DNSSEC automation in recent BIND versions dramatically reduces complexity of cycling keys and probably makes it the best option.

3 Likes

I've never really done this. Like, we've whiteboarded a list of requirements and interactions, but never really sketched out the logic and flow control.

3 Likes

That's my current recursive combo, but I think I'm getting ready to go purely BIND, understanding it so well.

I'm just horrendously lazy to change what's working rn, if you feel me. Yeah, NSD is good too. Needs a bit of work. I think it can do well.

Oh my god, you gotta try it on something simple. It catches soooo many bugs ahead of time and lets you really think about how you are approaching the program. Often I find when I don't do this it risks becoming very spaghettified.

I kind of wish we had big mind mapping programs to help us optimize the process. That would be awesome, but also exceptionally difficult to create.

3 Likes

@felixthecat was it you who was interested in setting up the SSHFP entries in the Lounge?

There are times I truly hate revising records in BIND because its actual error output is the worst I've seen. No usefulness.

Solid, amazing, consistent server. Just diagnosing it feels like looking at 90s code.
</gra_replace>
<gr_replace lines="37" cat="clarify" orig="Although I">
Although I haven't looked at how to get DJB DNS or Unbound to be authoritative and act as a non-recursive DNS.

1 Like

DJB was right.

what?

1 Like

DJB = Daniel J. Bernstein, the creator of DJB DNS. He was right about Bind sucking ass and that simple programs following the Unix philosophy are better.

Although I havenā€™t looked on how to get DJB DNS or Unbound to be authoritative and act as a non-recursive DNS.

Edit: I believe he was the inventor of DNSSEC, but I could be wrong.

1 Like

No, he wasn't, but

unfortunately the problem is BIND is the most modern lightweight implementation that has a complete implementation of the standards. Other DNS servers only come close. The closest one I think is PowerDNS?

2 Likes

I agree, and simple doesn't need to mean it lacks features. The problem is these days that devs mix up the words simple and minimal.

2 Likes

I tend to agree more than I disagree, but code must be kept minimal to some degree.

Also, do not confuse simple with easy (to use).

1 Like

That's true and I'm not. I don't need it to be easy to use if you can well document its simplicity, which is another major problem these days.

Seems there is no winning.

2 Likes

I've debated making a showcase of different DNS software and their configurations and documentation etc. I just don't know if that's something people would value.

2 Likes

I would, but it wouldn't change me trying to avoid BIND.

2 Likes

It would be more of a shopping catalogue. A "know what I'm getting into" thread.

2 Likes

Biky, he invented a curve,

not the standard. Just found it.

also what I mean by complete:

The chart shows it. Completeness is rare; as much as BIND is hateable, it's the most complete solution.

2 Likes

Lmao, what the heck even is "Simple DNS Plus?" And why does that have more features than MS DNS?

Also, I believe given its minimalist nature, djbdns can be extended using other programs and piping stuff into one another. At least that's what I remember reading.

Although my first choice would likely be Unbound, only because NSD doesn't have recursive capabilities and those are my only options basically, because I'll likely be running OpenBSD.

2 Likes

In my personal opinion the projects need to be merged. However they do that is up to them, but I would love to see the OpenBSD team do this.

PowerDNS looks amazing though for what it is. Coded in C++ and you can choose the syntax you want for the zone files... as in BIND vs SQL.

2 Likes

I thought about what you said about DJB.

You know he was right about BIND8, but BIND9 was a rewrite from scratch. Last I checked it does not suffer from the security issues he spoke of?

Can you get me more sauces?

1 Like

Most of the hosted DNS systems I've seen in the wild are BIND9 (small to medium enterprises). Often with web GUIs that generate the zone files for you, calling "named-checkzone" and "rndc reload zone" as needed. Though surprisingly many places just hand edit the zone files.

I've also seen PowerDNS a few times. Decently powerful, integration is easier (since it's just MySQL), but I've seen at least one integration that had issues due to bad programming.

Interesting side content, you can often see what version of bind someone is running, and the hostname of the server:

dig chaos txt version.bind @nameserver
dig chaos txt hostname.bind @nameserver
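The CHAOS-class queries above work because BIND answers `version.bind` and `hostname.bind` by default; the operator can override both in the `options` block of `named.conf`. The fragment below is an added illustration, not configuration from any poster in this thread; the file path and the placeholder strings are assumptions.

```conf
// /etc/named.conf (path is an assumption; adjust for your platform)
//
// Default behaviour, shown for contrast: with no "version" or "hostname"
// directive, `dig chaos txt version.bind @ns` returns the real BIND
// version string and `dig chaos txt hostname.bind @ns` returns the
// machine's hostname, so anyone can fingerprint the build from outside.
//
// Hardened options block: replace both answers with fixed strings so the
// running version and the host name are not disclosed to arbitrary
// clients. Use this on any authoritative server that faces the Internet.
options {
    directory "/var/named";

    // Answer to "dig chaos txt version.bind": a string of your choice.
    version "not disclosed";

    // Answer to "dig chaos txt hostname.bind": a string of your choice.
    hostname "not disclosed";

    // Also suppresses the ID.SERVER / hostname-style server identifier
    // in the CHAOS class ("none" disables it entirely).
    server-id none;
};
```

After `rndc reload`, re-run the two `dig chaos txt` queries against your own server; the TXT answer should now be the placeholder string rather than the version or host name.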