Re: [Windows] [9.16.45] Missing IPv4 DNS prevents tools from working

2024-01-21 Thread Ted Mittelstaedt

Yes, this bug can be fixed.

Just find a software developer and pay him some money.  Or fix it 
yourself, you have the code.


I suppose ISC does not want you to buy a paid support subscription to 
fix this one but maybe they do, you could try contacting them.


Oh, wait.  You must be wanting this fixed for FREE.   Gotcha!

Perhaps a review of what the point of Open Source software is might be 
in order?


Ted

On 1/8/2024 9:41 AM, Gentry Deng via bind-users wrote:

Hello there,


Due to an accident my local network is missing IPv4 DNS but has IPv6 
DNS so it has little impact on accessing the internet.


But I found that neither `dig` nor `nslookup` worked, and reported an 
error:

```
C:\Program Files\ISC BIND 9\bin\dig.exe: parse of C:\Program Files\ISC BIND 9\etc\resolv.conf failed
```


There is actually no "resolv.conf" there, they get the DNS from the 
system and if IPv4 DNS is missing it will throw an error. Creating 
"resolv.conf" manually also does not prevent the problem.


I noticed that version 9.16 is about to be EOL. I wonder if this BUG 
can be fixed before EOL? After all, this is the only version of BIND 9 
that still supports the Windows platform.



Best regards,

Gentry


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Ted Mittelstaedt




On 5/6/2022 12:45 AM, Reindl Harald wrote:



in the past our CISCO ISP router with "DNS ALG" even rewrote zone 
transfers and invented a zero TTL for each and every CNAME it saw




Probably doing that to retaliate for dynamic DNS providers abusing DNS 
and people abusing dynamic DNS providers for being cheapskates and 
saving a nickel on a real static IP.


You got caught in the crossfire of that particular war.

Ted


Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Ted Mittelstaedt



On 5/5/2022 11:19 PM, Bjørn Mork wrote:

Mark Andrews  writes:


How about configuring forwarder(s) if you have to operate a resolver in
such an environment?  Hoping that the answer from the intercepting
server isn't too different from what you'd expect from a forwarder.



In my environment, I'm operating 3 nameservers authoritative for a bunch 
of domains.  If it's crapping what I'm pulling in from outside it's 
probably crapping what I'm sending to the rest of the world.


However the real reason for me?  The real reason is  _I_ pay _them_ for 
connectivity.  Therefore _they_ give it to me the way _I_ want, not the 
way _they_ want.  I have the gold, and he who has the gold makes the rules.


As for the hotel scenario simple answer there.  Never stay at that hotel
again and inform them as to why.  Why do people insist on rewarding
poor service with money?

Ted


Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-05 Thread Ted Mittelstaedt

Thought I would document this in case anyone else gets bit by it

I have several nameservers and other servers on a Comcast copper 
connection  (cable internet) in the office using a Technicolor Business 
Router CGA4131COM  modem.  This is Comcast's de-facto standard modem as 
of 2022 for business connections in the western half of the US (maybe 
countrywide)


I have a ticket with Comcast open on another issue that was escalated to
second tier.  Well some bozo in second tier finally gets around to 
working it and decides to login to the Technicolor and sees that the
firewall is turned off, and so decides to helpfully "fix" the problem
by turning it back on.

So there I am driving along, miles away, minding my own business then 
all the sudden unknown to me in the office all DNS lookups fail, 
mailservers on the circuit start spewing, and at the same time my cell 
phone rings with some tech from Comcast brightly chirping how she 
"fixed" the problem.


Of course as icing on the cake when I pull over to deal with it I'm in 
an area with so poor cell signal I can't even get an internet connection 
up from my laptop.


By the time I get back to the office, discover what was going on, call 
back into them, and have them reverse what was done the rest of the 
afternoon was scotched and I was pissed!


Nearest sort-of explanation I could find was much handwaving and 
speculation in the following:


https://serverfault.com/questions/489010/bind-formerr-errors-in-syslog

Anyway, it seems clear that the Technicolor's firewall, when enabled,
transparently DOES intercept DNS queries to answer them out of a cache
on the router, which has the effect of completely scotching the ability
of a nameserver to do recursive queries.  My syslog logs were filling up
and rolling over in less than 2 hours with thousands of these referral
errors.

The serverfault seems to think that this kind of thing is due to 
possible bugs in bind but the moment the modem was reconfigured to turn
off the firewall the log entries stopped.

I'm not keen on further experimentation on this, I just wanted to post 
it in case someone else is dealing with inexplicable errors and pulling 
their hair out.


Ted
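
A log check for the failure described in this post, as an added example that is not part of the original message: it buckets `non-improving referral` format errors from named's log into time windows and separates an isolated broken upstream from a path-wide burst across many upstreams, the pattern an intercepting device on the path produces. The syslog line layout, the sample lines (documentation addresses) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog layout; the text after "named[pid]:" follows the error
# quoted in the subject line of the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"(?:DNS )?format error from (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+) "
    r"resolving (?P<qname>\S+?)/(?P<qtype>[A-Z0-9]+)(?: for \S+)?: "
    r"(?P<reason>.+)$"
)

# Constructed sample log, not taken from the post.
SAMPLE_LOG = """\
May  5 14:01:10 ns1 named[812]: DNS format error from 192.0.2.53#53 resolving example.net/A: non-improving referral
May  5 14:02:40 ns1 named[812]: DNS format error from 192.0.2.53#53 resolving www.example.net/AAAA: non-improving referral
May  5 14:03:05 ns1 named[812]: zone example.org/IN: loaded serial 2022050501
May  5 14:04:00 ns1 named[812]: DNS format error from 192.0.2.99#53 resolving example.com/MX: invalid response
May  5 15:10:01 ns1 named[812]: DNS format error from 198.51.100.4#53 resolving ./NS: non-improving referral
May  5 15:10:02 ns1 named[812]: DNS format error from 198.51.100.33#53 resolving ./NS: non-improving referral
May  5 15:10:09 ns1 named[812]: DNS format error from 203.0.113.12#53 resolving com/NS: non-improving referral
May  5 15:11:30 ns1 named[812]: DNS format error from 203.0.113.129#53 resolving example.org/A: non-improving referral
May  5 15:12:00 ns1 named[812]: DNS format error from 198.51.100.201#53 resolving ./NS: non-improving referral
May  5 15:13:44 ns1 named[812]: DNS format error from 198.51.100.4#53 resolving mail.example.org/MX: non-improving referral
May  5 15:14:10 ns1 named[812]: DNS format error from 203.0.113.12#53 resolving net/NS: non-improving referral
"""


def parse_line(line, year):
    """Return a dict for a 'format error' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "upstream": m["ip"], "qname": m["qname"],
            "qtype": m["qtype"], "reason": m["reason"]}


def summarize_windows(lines, year, window=timedelta(minutes=5),
                      min_upstreams=4, min_events=6):
    """Group 'non-improving referral' errors into fixed windows.

    One misconfigured remote server produces errors from one or two
    addresses. Errors from many unrelated upstreams in the same window,
    especially for the root zone, mean the answers are being altered on
    the way back, so the window is marked 'path-wide'.
    """
    epoch = datetime(year, 1, 1)
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev is None or ev["reason"] != "non-improving referral":
            continue
        buckets[(ev["ts"] - epoch) // window].append(ev)

    report = []
    for idx in sorted(buckets):
        events = buckets[idx]
        upstreams = {e["upstream"] for e in events}
        path_wide = (len(upstreams) >= min_upstreams
                     and len(events) >= min_events)
        report.append({
            "start": epoch + idx * window,
            "events": len(events),
            "upstreams": len(upstreams),
            "root_affected": any(e["qname"] == "." for e in events),
            "verdict": "path-wide" if path_wide else "isolated",
        })
    return report


if __name__ == "__main__":
    for row in summarize_windows(SAMPLE_LOG.splitlines(), 2022):
        print(row["start"].isoformat(), row["verdict"],
              f"events={row['events']} upstreams={row['upstreams']}",
              f"root_affected={row['root_affected']}")
```
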


Re: Bind: Standard Ports And Non Standard Ports

2022-02-11 Thread Ted Mittelstaedt

I have Comcast Business with 2 name servers behind it and 50 or so 
domain names hosted on them.  No problems at all.  Never heard of
Security Edge.

We could have a discussion on your setup and compare notes but your
problems have nothing to do with port 53 filtering in the Comcast
network, IMHO.

Ted

On 2/11/2022 7:20 AM, Tim Daneliuk via bind-users wrote:


After some months of poking around, we are now certain that our so-called "Business"
service from Comcast is compromising our DNS servers because of their
execrable "Security Edge" garbage.  (They are willing to remove this 'service'
only if we are willing to incur a higher monthly recurring fee.)

Our master is in the wild and works fine, but the slave is behind the compromised
Comcast pipe.  The effect of having Security Edge in place is that the
slave cannot get updates from the master and is also unable to resolve
anything outside our own zone.   Comcast is apparently hijacking all port
53 requests and doing unspeakable things with them.

Is there a way to have these servers work as usual, listening to resolution
request on port 53, but have the slave update AND forward requests to the
master over a non-standard port, so as to work around the Comcast madness?

TIA,
Tim

P.S. My guess is that this so-called "security" service is no such thing, or at
  least it's not the only thing.  They are probably harvesting DNS lookups
  to sell as marketing data, or at least that would be my first guess.



Re: Is there a community product maintaining Windows support?

2022-02-11 Thread Ted Mittelstaedt

I just became a maintainer on the apcupsd project.

I don't know if bind for windows is built like apcupsd is, by using 
mingw32 but unfortunately there's problems with the mingw32 project 
these days, it's gone through a lot of transitions.


Getting a working build environment for apcupsd at least, requires
using pretty old versions of mingw.

No doubt I'm going to be jumped on for saying so but I know for
apcupsd I've got a -lot- of work to do to get it up to speed.

There are some people out there who have built their own mingw32/mingw64
binaries that are separate from the ones "officially" distributed which
might be an avenue.  My guess the ISC developer who was spearheading
this port moved on to other things and ISC can't find someone who
wants to get involved in this and I can understand why.

There is an interesting article on this problem here:

https://increment.com/open-source/the-rise-of-few-maintainer-projects/

I would ask you this Jakob - would you trust a windows binary of
bind that you compiled?

I've got years of history participating on the apcupsd project.  When
I start submitting changes to it, the users of it have that trust 
automatically from that history.  They won't worry if they download a
binary from sourceforge that I built that it's going to gun their 
system.  I'm a public figure in OSS besides that - people may like me
or think I'm an asshole - but they know I'm a real person who has a
rep. to maintain.  I've got a business, federal and state tax ID's,
a published phone number, multiple domain names I've owned for years.  I 
can't run and hide.


You can probably review the bind mailing list and dig out less than
100 names of people who have been on it, regularly posting, for the last
decade.

If none of those people step up to create a fork - then the windows port 
is effectively going to be dead I'm afraid.  Nobody is going to trust 
"some dude" with zero history who sets up on github and forks bind and 
posts a windows binary for downloading just because he says it's gold.

Would you?  Trust a production system to that?

OSS got its start by making the CODE available, NOT BINARIES.  Users
like you were expected to be completely happy with the fact that the 
code was even there at all and it compiled.   You do your own building.

Not knowing how to run a compiler is no excuse.  The Internet has tons
of tutorials on it.

You want a bind for windows - build it yourself.  That's the can-do 
attitude that OSS started with.  I remember the first time I ever 
downloaded an real OSS code and built it myself.  It was rzsz - zmodem
code for windows.  Back in the BBS days, really.  That's the only way
you got that binary.  It was a total gas and I was hooked.  Don't deny
yourself the same pleasure.

Ted


On 2/11/2022 8:24 AM, Jakob Bohm via bind-users wrote:
As ISC has apparently announced that it will no longer maintain the code 
for running bind on Windows operating systems, and that this is now up 
to the community, is there a community group that has stepped up to the 
task?



Enjoy

Jakob



Re: Can't use Bind DLZ through LDAPS SSL

2021-02-12 Thread Ted Mittelstaedt

That should be impossible.  Bind DLZ is compiled to use the same 
openldap libraries that your openldap server is using.  If you configure 
the query URL as ldapi then the same thing is being sent to
the libraries that ldapsearch is sending.  That is why you do not have 
to do anything special other than change the query string to ldap: or 
ldapi: or ldaps: in the dlz config.


Are you using the examples on 
http://bind-dlz.dourceforge.net/ldap-_driver.html?


is dlz possibly dynamically linked and can't find the openldap libraries?

Ted


On 2/12/2021 4:09 AM, Dario García Díaz-Miguel wrote:

Hi Ted,

The values related with the issue configured on the slapd configuration are on 
my original message:



- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try



Exactly, using LDAPI with my olcLocalSSF configuration is not using SSL and 
that's required due to some implementations.
The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how 
to configure it.

ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W -->  works
ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -->  works
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -->  does not work
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z  -->  works

This is the expected behavior and not related at all with my original question.

I just asked how we should configure BIND DLZ to use LDAPS (636) or LDAPI 
instead of LDAP (389), since DLZ queries do not support port specifications.

Thank you so much.
Kind Regards.


-----Original Message-----
If the programs are both on the same machine and you are using ldapi
with olcLocalSSF then you are NOT using SSL.

For starters on this machine if you simply run a LDAP query with
the command line tools against the OpenLDAP server does it work?
Like ldapsearch -LLL -H ldapi://blardy blardy blar

What is in your slapd.ldif?  Usually there should be a
olcSecurity: ssf=something and this should match the
value you are using in the olcLocalSSF   The command line ldap program
should pump out an error message if this mechanism is broken.

If you are not familiar with stunnel you should have looked up what it
was before responding.  It's not going to be applicable here and I
would not have suggested it if I had known both programs were on the
same machine.

Ted


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com

From: Dario García Díaz-Miguel
Sent: Friday, 12 February 2021 12:15
To: bind-users@lists.isc.org
CC: skmf_support
Subject: RE: Can't use Bind DLZ through LDAPS SSL

Hi Ted,

Thank you for your answer.
Both servers (OpenLDAP and BIND DLZ) are on the same machine.

LDAPI:/// socket has been configured to not require SSL with olcLocalSSF

If BIND DLZ is not supporting LDAPS, does it support any way to bind against 
LDAP using LDAPI?

I've tried to use the ldapi:/// as well as the ldaps:// on the queries and it 
does not work.
I also has tried adding the port to the hostnames on the connection parameters 
from named.conf and it also does not work.

About stunnel, I'm not sure since I'm not familiar with it and including a new 
software would suppose an approval request explaining good enough reasons to 
use it.

Thank you so much.
Regards.


-----Original Message-----
Date: Fri, 12 Feb 2021 01:29:17 -0800
From: Ted Mittelstaedt
To: bind-users@lists.isc.org
Subject: Re: Can't use Bind DLZ through LDAPS SSL
Message-ID:<60264a6d.1090...@ipinc.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Instead of beating your head against DLZ can't you simply put the DLZ query 
into stunnel and connect to the openldap server that way?

Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:

Hi there,

I really don't know If this is the correct place to ask about Bind DLZ, but I'm afraid 
that I could not have any responses from the BIND DLZ mail list and, since this seems to 
be an "official" plugin and it's compiled on the bind9 package from the SuSE15 
SP2 repository I will try to ask it over here.
I've deployed an OpenLDAP using the security options recommended by my 
cybersecurity team:

- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try

So essentially right now is required to use certificates and LDAPS in order to 
bind to the OpenLDAP server. Otherwise a Confidential error will appear since 
TLS SSL Handshake is not possible. Well

Re: Can't use Bind DLZ through LDAPS SSL

2021-02-12 Thread Ted Mittelstaedt

If the programs are both on the same machine and you are using ldapi
with olcLocalSSF then you are NOT using SSL.

For starters on this machine if you simply run a LDAP query with
the command line tools against the OpenLDAP server does it work?
Like ldapsearch -LLL -H ldapi://blardy blardy blar

What is in your slapd.ldif?  Usually there should be a
olcSecurity: ssf=something and this should match the
value you are using in the olcLocalSSF   The command line ldap program
should pump out an error message if this mechanism is broken.

If you are not familiar with stunnel you should have looked up what it 
was before responding.  It's not going to be applicable here and I
would not have suggested it if I had known both programs were on the
same machine.

Ted

On 2/12/2021 3:15 AM, Dario García Díaz-Miguel wrote:

Hi Ted,

Thank you for your answer.
Both servers (OpenLDAP and BIND DLZ) are on the same machine.

LDAPI:/// socket has been configured to not require SSL with olcLocalSSF

If BIND DLZ is not supporting LDAPS, does it support any way to bind against 
LDAP using LDAPI?

I've tried to use the ldapi:/// as well as the ldaps:// on the queries and it 
does not work.
I also has tried adding the port to the hostnames on the connection parameters 
from named.conf and it also does not work.

About stunnel, I'm not sure since I'm not familiar with it and including a new 
software would suppose an approval request explaining good enough reasons to 
use it.

Thank you so much.
Regards.


-----Original Message-----
Date: Fri, 12 Feb 2021 01:29:17 -0800
From: Ted Mittelstaedt
To: bind-users@lists.isc.org
Subject: Re: Can't use Bind DLZ through LDAPS SSL
Message-ID:<60264a6d.1090...@ipinc.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Instead of beating your head against DLZ can't you simply put the DLZ
query into stunnel and connect to the openldap server that way?

Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:

Hi there,

I really don't know If this is the correct place to ask about Bind DLZ, but I'm afraid 
that I could not have any responses from the BIND DLZ mail list and, since this seems to 
be an "official" plugin and it's compiled on the bind9 package from the SuSE15 
SP2 repository I will try to ask it over here.
I've deployed an OpenLDAP using the security options recommended by my 
cybersecurity team:

- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try

So essentially right now is required to use certificates and LDAPS in order to 
bind to the OpenLDAP server. Otherwise a Confidential error will appear since 
TLS SSL Handshake is not possible. Well, this is the expected behavior.
All the software of the environment works flawlessly using the SSL Certificates 
through LDAPS SSL except Bind DLZ. I could not find the way to configure it to 
use SSL.

The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release) 
from the SUSE 15 SP2 repository.

Could anybody help me?

Thank you so much.
Regards.





Re: Can't use Bind DLZ through LDAPS SSL

2021-02-12 Thread Ted Mittelstaedt

Instead of beating your head against DLZ can't you simply put the DLZ 
query into stunnel and connect to the openldap server that way?


Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:

Hi there,

I really don't know If this is the correct place to ask about Bind DLZ, but I'm afraid 
that I could not have any responses from the BIND DLZ mail list and, since this seems to 
be an "official" plugin and it's compiled on the bind9 package from the SuSE15 
SP2 repository I will try to ask it over here.
I've deployed an OpenLDAP using the security options recommended by my 
cybersecurity team:

- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try

So essentially right now is required to use certificates and LDAPS in order to 
bind to the OpenLDAP server. Otherwise a Confidential error will appear since 
TLS SSL Handshake is not possible. Well, this is the expected behavior.
All the software of the environment works flawlessly using the SSL Certificates 
through LDAPS SSL except Bind DLZ. I could not find the way to configure it to 
use SSL.

The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release) 
from the SUSE 15 SP2 repository.

Could anybody help me?

Thank you so much.
Regards.





Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Ted Mittelstaedt




On 7/23/2020 7:44 AM, charlie derr wrote:


While it would still *technically* be security by obscurity, it would
seem to me that there's some value to this approach because access to
the compiled binary wouldn't necessarily be easy to obtain (especially
if the sysadmin provisioning the system takes extra efforts to *not*
share it with anyone).  Or am i missing something?



I don't think there is much value because getting access isn't only done 
by buffer overflows and such on compiled programs.  If you can find one 
then sure you might be able to get root access if the program you break 
into is running at root.  But you can do an awful lot of damage by 
merely having unprivileged access.  All you need is authentication 
credentials and regular users are horrible about keeping
their credentials private.

In fact the only place I can see a whole lot of value to is the 
manufacturers of cell phones since companies like Verizon lock the boot
loaders as they do not wish owners of their phones to root them and
get rid of annoying Verizon advertising and other suchlike.   Rooting
those devices is mainly done by breaking into security holes on the phone.

Ted


Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-22 Thread Ted Mittelstaedt




On 7/22/2020 9:59 PM, Michael De Roover wrote:


On 7/23/20 6:28 AM, Ted Mittelstaedt wrote:

Linux is 10 times worse because they aren't even including the c
compiler or development tools
anymore.

Every distribution I've laid my hands on so far has GCC packages and
most development packages affixed with either -dev or -devel (most of
the time).

But many "systemadmins" out there think they are Unix admins
yet are afraid to compile programs.  They will go to the FreeBSD port or
the Linux precompiled apt-get stuff.  The reason is more and more
non-technical people are getting their hands on this stuff.


I don't disagree with this but I also think there's more to it than
that. For me personally I avoid compiling from source when I can get
away with it - not because I can't run make - but simply because binary
packages are convenient. Having a package manager take care of updates
in the whole system is convenient. Having distribution maintainers that
say "okay we are going to go stable, bleeding edge or whatever with the
whole project" is useful when they can spend the time looking at the
upstream projects, and choose the most fitting software versions and
such to suit that goal. And when there's billions of machines running
very similar architectures, there is an argument to be made that making
every single one of them compile everything from source is rather
pointless. Why should every machine in existence be tasked with
CPU-intensive compilation workloads when a handful of dedicated
compilation servers can do exactly that, and a million times better?



Well for starters there is no way for ME to validate that the compiled
software you built for me isn't busy running your Doom network server
behind my back.  (do people still even run Doom servers?)

You are making an argument that is a desktop argument.  That is, the
argument goes Those That Know Better Will Do It For You.

Also, I have had at least 5 Open Source programs over the years that
I found Really Useful to have that the authors decided they wanted to
"take commercial" or they had other religious conversions that made them
decide to go on a rampage and issue take down notices everywhere they 
could find their source.  One of those for example was when 
Nasty-Company-Who-Shall-Not-Be-Graced-With-A-Mention decided to start charging
for software that created .gif files and the graphics community went
on a ballistic rampage jihad and destroyed every scrap of .gif code it 
could find so as to force users to migrate to .png.  I did not wish to 
migrate to .png so I was very glad that I had saved all the old code, 
safe from the fires of the religious zealots.


Lastly, the way I look at it is when I field a new server, if it cannot
recompile its OS, kernel, make world, and all of its applications from
source, then it's a piece of excrement that I do not want in service.

It is also a fact that I have had pre-production servers blow up on 
"make worlds"  In a few cases this was bad ram, in one case the server 
was returned to the manufacturer under warranty.  These are machines 
that did not display any issues before the OS load.  Do not ask me why 
it was possible to install all the binaries for the OS and have it boot
with no problems yet blow chunks/blue screen/abend/take a dive into the
toilet/whatever your preferred term for crashing and burning is.

I don't generally run FreeBSD or Linux as a desktop OS, BTW so that
does affect my view of things.

So yes, there is definitely an argument in favor of compiling the
stuff at least on a server.

Ted


Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-22 Thread Ted Mittelstaedt



On 7/20/2020 4:05 PM, Mark Andrews wrote:





Distributions also need to look at their own practices.  They ask us
to supply long term support but do not actually integrate the
maintenance releases but instead cherry-pick just the security fixes.
Maintenance is not just security fixes.  That means that we keep
seeing bug reports that need to be diagnosed about bugs we have fixed
years ago.   That really isn’t a good use of people’s time.  Not ours,
not the distributions maintainers nor the users time.  Is there
little wonder that we stop producing bug fixes releases for old
version when the distributions don’t use them?



Those kinds of bug reports need to be kicked back to the user with a
"refer to distro maintainer"

But truthfully you are proving my point.  The simple fact is that bind
will compile WITHOUT using a FreeBSD port.  Linux is 10 times worse 
because they aren't even including the c compiler or development tools
anymore.  But many "systemadmins" out there think they are Unix admins
yet are afraid to compile programs.  They will go to the FreeBSD port or
the Linux precompiled apt-get stuff.  The reason is more and more
non-technical people are getting their hands on this stuff.

This is a bit like the development of the automobile.  When the Model T
came out it came with a toolbox and a big book that allowed the owner to
completely troubleshoot and fix anything that went wrong with the car.
But gradually as more and more people bought cars you had more people
who didn't know squat about cars buying them.  So Ford stopped shipping
the manual and made it an extra cost item.

Nowadays Ford and Chevy don't even sell a manual at all anymore. 
Instead you have to get an alldata subscription to get access to the
service manual.  And if you stop paying the subscription you have no 
more manual.  But a running shop is always going to be paying a 
subscription so it's not a problem for them.  For the DIYers they
can get a 3 day alldatadiy subscription then spend 3 hours printing 
every page of the manual but maybe 1 out of 10,000 car buyers ever
does this.

Microsoft ran into this problem and had to split windows into a server
and desktop version.  Right after that happened "windows admins" who
knew the desktop only were fine.  But today all the MS server 
applications have to be controlled via the command line via powershell, 
plus the server version of the OS is 4 times more expensive and both
these things tend to chase away the people who aren't system admin
types who are willing to get down and dirty and technical.

Linux did this as well although the "server versions" of the
distributions are horrendously lacking.  FreeBSD really
should do this but they don't likely have enough people working on the
distro.  So they make it so that the non-tech types can use it
and expect that the admin types know better.

None of these solutions are really solutions.  The real solution would
be for the users to get more educated.  But the majority of people don't
really care about an OS they just use it as a platform to run the
software that they do care about.  Thus creating the means for gigantic
DDoS networks since none of them bother patching their OSes.

BIND chose the path of servicing the needs of the people who knew what
they were doing.  Unbound went the other direction and chose the path
of servicing the non-technical users.  There's more non-techs than
educated people so sooner or later paths are going to diverge.  It
always makes me laugh to read these flame wars from the non-techs who
think that just because their simple-and-not-configurable programs work
for them on the desktop that they should work on the server and the
world should switch to them.  Whaah Whaah Whaah the real world is
complicated, simplify it for me or I'm gonna have a tantrum.  We have
one of those dunsels in the White House in the USA right now.

The BIND developers should
forget about the non-techs and continue servicing the people who know 
what they are doing and laugh also.


Ted


Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-20 Thread Ted Mittelstaedt




On 7/20/2020 11:23 AM, Michael De Roover wrote:

If that is true, I hereby lost all faith in humanity.. well whatever
faith I had left. This has been going on for like half a decade now.



Nobody ever went broke catering to the human desire for ease


Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-20 Thread Ted Mittelstaedt




On 7/17/2020 11:35 AM, John W. Blue wrote:

Speaking about things to be annoyed over ..

I am still ticked that FreeBSD dropped BIND from the distribution for something 
called unwinding or whatever it is.



I'm not happy that happened either but the simple fact is that if BIND
would quit dropping support so fast for its older versions that never
would have happened.  The fundamental problem was that BIND dropped
support for its older versions before the distros dropped support for
their distros.  This is happening with a lot of other software packages.


When FreeBSD was used mostly for servers it wasn't a problem.  But more
and more people are using it for desktop use where they want to
basically install it and forget about it, never run patches, never give
a fig about security.  Simpler programs like Unbound have less code
and so less things to go wrong, need less patches, and are easier to
support for a longer period of time so they get supported for a longer
period of time.  Also, Unbound's main purpose in life is as a caching
dns program.  Nobody who runs a server on FreeBSD uses Unbound.

Ted


John

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ted 
Mittelstaedt
Sent: Friday, July 17, 2020 12:57 PM
To: bind-users@lists.isc.org
Subject: Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?



Your personal experience is not the global truth. It is your opinion but other
experienced people see it different than you.



Hmm I'm a bit late to this discussion but I will chime in with the others.  The service always was 
called "named"  pronounced "name Dee"
it was called that in the Nutshell book which is easily the authoritative book 
on the subject, it was called this before you were born and it was kind of the 
height of hubris for it to ever be named
bind9 in a software distro.

In fact, the ONLY reason that the name "bind9" was ever even coined at all was because 
the changes from bind8 both in the syntax of the config file and how the program operated they 
wanted to boot admins in the behind to get them to change their config files.  It should have been 
put to bed as a name a long time ago, or named "bind version 9" like every other software 
program does with their versions.

So as an experienced person who has been doing this you-nuxs thing since
1982 - I DON'T see it different - and in fact, I see it as a RETURN to what it 
originally was!

Ted


Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-17 Thread Ted Mittelstaedt


Your personal experience is not the global truth. It is your opinion but other
experienced people see it different than you.



Hmm I'm a bit late to this discussion but I will chime in with the
others.  The service always was called "named"  pronounced "name Dee"
it was called that in the Nutshell book which is easily the
authoritative book on the subject, it was called this before you were
born and it was kind of the height of hubris for it to ever be named
bind9 in a software distro.

In fact, the ONLY reason that the name "bind9" was ever even coined at
all was because the changes from bind8 both in the syntax of the config
file and how the program operated they wanted to boot admins in the
behind to get them to change their config files.  It should have been
put to bed as a name a long time ago, or named "bind version 9" like
every other software program does with their versions.


So as an experienced person who has been doing this you-nuxs thing since
1982 - I DON'T see it different - and in fact, I see it as a RETURN to
what it originally was!

Ted


Re: ISC considering a change to the BIND open source license

2016-06-15 Thread Ted Mittelstaedt



On 6/14/2016 11:19 PM, Noel Butler wrote:

On 15/06/2016 10:29, Ted Mittelstaedt wrote:

On 6/14/2016 4:28 PM, Noel Butler wrote:

On 15/06/2016 05:38, Ted Mittelstaedt wrote:


It seems some on the list are short on philosophy? Well here is
the actual philosophy and I'll apologize in advance that it won't fit
in a SMS message for those people unable to have deep thoughts more
complex than a SMS message. Hopefully you are not one of them.



I guess we can read this as you are, or are related to, one of these
commercial entities that are not playing nice... There is absolutely no
other reason one would be so dead against it as you are.



Or, you could simply just copy and paste my name into Linkedin and see
who my current employer is. Wow there's even a click-able website
there! What will they think up next, Maw!!!

I know, too boring.

Ted


Why? It's not important to me who your employer is, I have far far far
far far better things to do than research every poster I reply to.

I have also noted the quality of your posts on other lists over time, so
I would be even less inclined to bother. I haven't and aren't going to
bother, it's irrelevant who they are, most of us have several ties to
orgs outside our main income stream. I can assure you my linkedin page
which hasn't been updated in ages, even when current, didn't list half of
mine.

Again, if you are a user - there is no change
if you are a redistributor: there is no change - UNLESS you modify BIND
and keep it to yourself - that's fair, Vicky's post explained it so well
a child could understand it, if someone is affected by the pending
change, then they are part of the problem that brought this about.


Rather than waste any more electrons I'll just refer you to the
appropriate documentation that covers the substance of your post:

https://en.wikipedia.org/wiki/Straw_man

Ted


Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Ted Mittelstaedt



On 6/14/2016 4:28 PM, Noel Butler wrote:

On 15/06/2016 05:38, Ted Mittelstaedt wrote:


It seems some on the list are short on philosophy? Well here is
the actual philosophy and I'll apologize in advance that it won't fit
in a SMS message for those people unable to have deep thoughts more
complex than a SMS message. Hopefully you are not one of them.



I guess we can read this as you are, or are related to, one of these
commercial entities that are not playing nice... There is absolutely no
other reason one would be so dead against it as you are.



Or, you could simply just copy and paste my name into Linkedin and see 
who my current employer is.  Wow there's even a click-able website 
there!   What will they think up next, Maw!!!


I know, too boring.

Ted


Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Ted Mittelstaedt



On 6/14/2016 11:47 AM, Mukund Sivaraman wrote:

Hi Evan

On Tue, Jun 14, 2016 at 05:45:59PM +, Evan Hunt wrote:

May I ask you to expand on why the MPL is a problem?  So far the distros
have all been supportive.


The BSD camp dislikes copyleft because copyleft prevents exactly what
we're trying to stop: the ability to ship a closed-source forked version
of BIND. They think that software is more free if that is allowed,
although they'd like all software to be free.

The GNU/FSF camp's view is different. In its view, a software is more
free if its freedom is protected and cannot be lost; hence the copyleft
clauses.

To a user of BIND, it makes no difference. To a redistributor of BIND who
keeps the modified code free, it makes no difference. Those who are hurt
by it are those who are shipping closed-source modified versions, or
those who'd like to let others continue to do so.



From a practical perspective virtually anyone shipping a commercial 
program with modified BIND in it is almost certainly shipping an 
embedded device of some sort - a NAS or something - and they won't be 
hurt in their current product since they just won't update them.


And if they treat ISC that shabbily then how do you think they are
treating their customers - they will certainly continue to
use that older, non-copyleft version as long as it compiles.

It may be years before some of those commercial people update
their code - a license change now is not going to have immediate
effect.   Eventually one of these days the maker of
whatever CPU they are using will stop production and release a new
version with a new compiler toolkit and then they might update.

Also, has ISC realized that they just got on the biggest soapbox
they have and shouted to the world:

HEY PEEPS WE ARE GOING TO CONTINUE RELEASING NEW VERSIONS OF BIND 9
SINCE WE CARE ENOUGH ABOUT IT TO MPL IT - WE HAVE FUTURE PLANS HERE

That's very good for most people but I think they just killed BIND 10.

Ted


Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Ted Mittelstaedt



On 6/14/2016 1:42 PM, Mukund Sivaraman wrote:

On Tue, Jun 14, 2016 at 08:06:55PM +, Evan Hunt wrote:

On Tue, Jun 14, 2016 at 12:38:14PM -0700, Ted Mittelstaedt wrote:

In reality, there IS no "middle ground"   If you truly believe a
piece of software SHOULD be freely licensed, then that includes the
idea that commercial entities can use it as they see fit.


Thank you for the explanation.

As I understand it, commercial entities *will* be able to use BIND as they
see fit, even if the relicensing goes ahead.  Share bug fixes back, or get
a support contract, and we're good.  We really just want everybody to be a
mensch about it.

On a personal level, I actually agree with you, and I find the idea of
relicensing somewhat regrettable.  It's not that I'm against the GPL, I
think software creators should be able to share their work on whatever
terms they like, but *personally* I like giving my stuff away with as few
encumbrances as possible.  It's disappointing to me to add any burden to
it at all.  I do like eating, though, and I won't be able to fix as many
bugs if I have to stop doing that. :/


This last sentence sums it up well.

There's been quite some internal discussion about the license change,
which is not a lightly attempted and achieved endeavour, and the
discussion is still continuing. There seems to be some public anger at
such a license change, but it is misdirected. Be angry for us, not at
us. We care deeply about BIND's users, the DNS and DNS users in general
(if you have any doubt about that, look at communication with ISC staff,
even if it is with a member of staff from a company that's shipping a
closed fork of BIND, or even another DNS implementation).

In reality, the world is not perfect as we expect it to be, or we would
not have to attempt this license change. It is a means to an end, for
the goal that we most care about which is to make BIND and the DNS
better and have BIND available to everyone to use, modify.

Your anger is misdirected when you say things like "kicking all BSD
distributions in the teeth". That's not what we're thinking of.



BIND occupies a unique position in the Internet - there is no law that
compels people to use DNS nor the root nameservers.  In fact nothing
prohibits Internet users using name resolution from using a completely 
alien mechanism from DNS.  And, before 1983, THEY DID.


Of all the Internet standards DNS is probably the one that the most
Internet users VOLUNTARILY choose to use.

In an ideal world, the major beneficiaries of the Internet would
equally share in funding BIND and BIND would have no license 
restrictions at all, and the ISC would not feel compelled to do this.

(or to fork the code and rename it after a doofus on the TV show
Married With Children)

I see nothing to celebrate here.  This is a wake.  Just in the name
of the spirit of openness and freedom, once you have your new release
out there under the license, sic the legal people on the a-holes who
have been abusing it, starting with the "BIND without the bugs" people,
whoever they are, as they are the ones who caused this to happen.


Ted


(also speaking for myself, not ISC.)

Mukund



Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Ted Mittelstaedt


It seems some on the list are short on philosophy?  Well here is
the actual philosophy and I'll apologize in advance that it won't fit
in a SMS message for those people unable to have deep thoughts more
complex than a SMS message.   Hopefully you are not one of them.

You are asking about GPL but ISC didn't say they wanted to use GPL they 
said MPL, but I will frame my explanation in GPL terms since it is quite 
clear that you are coming from "all the world's a GPL" perspective.


"free" means free as in free beer.  RMS has done a lot of damage
over the years warping the idea of free software to fit his agenda
and that should have become obvious after GPL v3.  (and indeed it
HAS become obvious to a great many people)

Nevertheless the damage has been done, even though licenses like
Mozilla MPL try to retreat from the militancy of RMS to "strike a
middle ground"

In reality, there IS no "middle ground"   If you truly believe a
piece of software SHOULD be freely licensed, then that includes the
idea that commercial entities can use it as they see fit.  Some of
those uses may irritate you or disgust you but they have to be allowed
or it is NOT free.  Imagine for example if the people who invented 
photography had insisted that it only be used to "take nice pleasant 
pictures"


Otherwise you are simply subscribing to the RMS's idea of "free" as
in "free like I say so in GPL" without even realizing it.   The argument
is lost before it is even made because you, Keith Christian, have
unconsciously already accepted a definition of "free" that is NOWHERE
in the dictionary and have unconsciously accepted RMS's redefinition
of the word "free" in software to mean "free except for this and that 
and this and that".


People read books like 1984 and think "no way that could happen" but 
here it is, it's already happened and you don't even see it.


Now, I get that damage can be done by certain jerks out there who take
BIND code, modify it so it is not compatible with other BIND, then
release it into the wild as "BIND with the bugs removed" or whatever
other odious name they can dream up.   I get that certain large
commercial orgs who are making more money in 5 seconds than I'll ever
see in my lifetime due to BIND code should be helping out the hand that
feeds them.  And I also get that a bunch of RMS apologists out there
are trying to remove the word "free" from free software because they
are feeling guilty about their Orwellian tactics which have apparently
succeeded with a lot of software developers who should be intelligent
enough to know they are being played.

But, there are other ways than changing the license so you can make 
legal threats against those jerks to protect your software.   For 
starters, public shaming works pretty damn well - and as a benefit it 
helps out countless of admins out there making product decisions of what 
to purchase, when ISC makes a public statement saying "brandX included 
BIND code but they are lying like dogs when they say their stuff is 
compatible with BIND"   or "BrandY has made 100 million bucks off our 
stuff and never given us a nickel let alone kicked any code back"


If ISC's sole purpose to move to Mozilla is to "protect the purity and
integrity of BIND" or whatever whitewash, and their intent is to do it
by applying a license then using legal threats behind closed doors to
the commercial offenders out there who are screwing up their stuff, they
are simply allowing those offenders to continue to make money by
hoodwinking the public with their products, because while all this is
happening behind closed doors, the public is still buying the stuff.
Worse, because ISC is following the "get the lawyers in a smoke-filled
room to cut a deal" route, for all we know ISC is signing off on
permitting BrandX to continue to contaminate the DNS system with their
recompiled version of BIND that is non-standard, in exchange for filthy
lucre and a promise to fix it in the next Windows Service Pack (oops,
did I say that?)


Licenses are licenses and people can write up whatever license they
want.  My objection is this continued Orwellian GPL BS of claiming you
are making software free by restricting it.  And a lot of other
people agree or ISC would just stick it under GPL instead of MPL.   The
sad part is that the entire discussion has been moved to use terms that
GPL people have redefined, and as a result a superficial discussion
or comment (like has been thrown up so far on this) always ends up
with GPL or GPL-approach licenses (like MPL) winning the discussion.

There is a famous line used to illustrate how redefining terms can
always cause one side to win, it is "have you stopped beating your
wife yet"  That is what has gone on in free software licensing with GPL
and it's just a shame to see so many people sign off on that with
thunderous applause without even realizing what has been taken from them.


Ted




On 6/14/2016 11:48 AM, Keith Christian wrote:

(Sorry if 

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Ted Mittelstaedt



On 6/14/2016 10:45 AM, Evan Hunt wrote:

On Tue, Jun 14, 2016 at 10:10:16AM -0700, Ted Mittelstaedt wrote:

I disagree with this but who am I to stand in the way of the goddam
almighty dollar, you're going to do it anyway regardless of what anyone
says, this comment thing is just window dressing.

I would request that you consider doing one thing before kicking all
the BSD distributions in the teeth, and that is to at least publish
an End-Of-Patch-Release date for BIND 9.10 so that people running
those distros know how much time they have to get it unbundled - and
make sure the patches to the older version don't "accidentally"
fall under the new license.


May I ask you to expand on why the MPL is a problem?


As I said already, the reason why is because it's a goddam shame that 
some commercial a-holes out there have to spoil it for everyone by not 
kicking back a few bucks of their ill-gotten gains to you guys.  (ISC)


That's why.   If that doesn't explain it, then you are just looking to 
argue license religion and justify a choice you already made, and I 
can't help you with that.


Ted


Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Ted Mittelstaedt


I disagree with this but who am I to stand in the way of the goddam 
almighty dollar, you're going to do it anyway regardless of what anyone 
says, this comment thing is just window dressing.


I would request that you consider doing one thing before kicking all
the BSD distributions in the teeth, and that is to at least publish
an End-Of-Patch-Release date for BIND 9.10 so that people running
those distros know how much time they have to get it unbundled - and
make sure the patches to the older version don't "accidentally"
fall under the new license.

I know it would be too much to ask that the resolver library at least
stay under BSD license so I won't even bother.

It's a goddam shame that some commercial a-holes out there have to spoil
it for everyone by not kicking back a few bucks of their
ill-gotten gains to you guys.  All I can say is once you have your
shiny new license I'm going to be mighty POed if you don't sue
the pants off the next one of those companies that uses the BIND code
and effs it up to make an example for the rest of them.   BIND but
without the bugs, indeed!   What rot.


That's why we can't have nice things.

Ted


On 6/13/2016 1:52 PM, Victoria Risk wrote:

Hello BIND users-

ISC published BIND under a very permissive open source license
(https://www.isc.org/downloads/software-support-policy/isc-license/)
nearly two decades ago. ISC is the organizational steward for BIND; in
order to preserve the software for the long term, we are considering a
move to the more restrictive Mozilla Public License (MPL 2.0)
(https://www.mozilla.org/en-US/MPL/2.0/).

The MPL license requires that anyone redistributing the code who has
changed it must publish their changes (or pay for an exception to the
license). It doesn’t impact anyone who is using the software without
redistributing it, nor anyone redistributing it without changes – so
most users will not see any change.

In the event we do proceed with the change in license, we will announce
this with the 9.11.0 beta and it will take effect with the BIND 9.11.0
release.

We welcome comments from BIND users, including statements of support or
concern. Email Vicky Risk, Product Manager at vi...@isc.org if you want
to discuss privately, Tweet at us at @ISCdotORG, or discuss on
bind-users@lists.isc.org.

Regards,

Vicky Risk,
Product Manager

Jeff Osborn, President of ISC, announcing we are considering this change
at RIPE72 in Copenhagen May 26th,
https://ripe72.ripe.net/archives/video/206.









Re: ISC Courses

2013-04-26 Thread Ted Mittelstaedt
Years ago I used to work for a training company so I will go ahead and 
try to answer this one for you.


The training company is not like a grocery store where they have a 
steady stream of customers.  They are all feast or famine companies.

Some months there's new software releases and everyone wants training
and all of their trainers are busy.  Other months it's dead and their
trainers are sitting around doing research or other stuff that isn't
revenue generating.

It's not like the training company can just lay off their teachers
when there are no classes.  That happened at the one training company I
worked at (as a trainer), and since the company gave me
no assurances they would rehire (we will hire you back -if- we get
some classes) I said screw it and started looking and within 3 weeks
had another job.  (If you ever want something on your resume that will
guarantee you an interview, get hired to teach a class)  As did the
other trainers who were laid off.  For a trainer to lay off its
trainers is equivalent to Intel laying off its CPU designers - those
are the people making the gold, you get rid of them and you have
nothing.  Intel will sacrifice everyone else in the company before
they touch those people, and a well run training company will do
the same for its trainers.

So, the training companies often have months during the year that they
are paying teacher salaries and there's no classes bringing in the
money.  So, when they do get classes, the class has to not only pay the
salary of the trainer who is teaching it, it has to pay the salary of
that same trainer for the rest of the year that he's not doing anything.

Obviously a lot of training companies try to use part timers.  That
works if you're teaching something like how to use Microsoft Word or
Excel.  But nobody who really knew anything about Bind would tolerate
that sort of stuff - either you hire them full time or get the $uc$
out of the business.

Frankly, it is possible to self train on this stuff so you have to
look at how much time that you save by taking a class vs buying the
book and doing it yourself.  If your cost to your company is $80 an
hour and you can do the book in 40 hours (1 week) and take the class
and get trained in 20 hours - well right there that $1795 is a wash.
Meaning that if the class saves your company 22 hours then it's cost
them the same to send you to class vs paying you the extra time to
learn it yourself is the same.

Ted Mittelstaedt
Internet Partners, Inc.

On 4/26/2013 10:47 AM, rohan.he...@cwjamaica.com wrote:

Hello,

Can anyone say why Bind course offering appears so expensive? Is something else 
included in the package that is not specified?

2-Day Introduction to DNS  BIND Training
Price: $1,795.00

Rohan





Re: Change in statistics format

2012-11-15 Thread Ted Mittelstaedt

Hi Peter,

  Would you consider donating that script to ISC so they can bundle it
with the BIND distribution?

  I have a whole library of scripts like yours which I've collected over
the last 10 years.  Most of the hosts that are linked to as where these
scripts are located are long gone and the authors long since disappeared.

  It is very frustrating when I'm looking for a script to do something 
on Google to come up with links to these old dead hosts.


 Your post here is going to be archived in Google's bowels
for at least the next decade.

  if you maintain your host - great - kids who don't even have their
drivers licenses today will be able to get the current version when they
are system admins someday in the future.

  But, if something happens to you - slip in the shower, fall down the
stairs, hit by a bus - I guarantee that your heirs are not going to be
interested in maintaining it.

Ted


On 11/15/2012 5:10 PM, Peter Yardley wrote:

I wrote a script to extract stats from the XML channel. Works for cricket, 
cacti, MRTG ...

You can find it here…

http://members.iinet.net/~pyard...@ihug.com.au/projects/?project=bind9_5_counters

Looks like I'll have to update it for 9.10 tho, hope they updated the schema 
number.

On 16/11/2012, at 6:04 AM, John Miller johnm...@brandeis.edu wrote:


Thanks, Evan.  That's exactly what I wanted to know.  I'm already
running the statistics server, so I'd certainly prefer to leverage that
rather than rely on a bunch of regexes to parse the statistics file.

I'll let the folks at Hyperic know about the upcoming schema changes.

John

On 11/15/2012 12:22 PM, Evan Hunt wrote:

On Thu, Nov 15, 2012 at 11:44:12AM -0500, John Miller wrote:

Hello everyone,

When did BIND 9 switch over from the older


The new stats counters were added in 9.5.0.  They're in all currently-
supported releases; the old format is fully deprecated now.

Incidentally, that release also introduced an http statistics channel
and XML stats reporting, which might be of interest to your monitoring
software.  (Note, though, in 9.9.3 we're going to introduce a newer
better XML schema for statistics as a compile-time option, and it'll
be standard in 9.10, so if they wanted to write code to parse our XML,
they might want to know there'll be a few different schema versions in
the field soon.)


Is this a tunable parameter?


No.




._--_|\   Peter Yardley|
/  \  Senior Network Administrator | peter.yard...@uts.edu.au
\_.--._*  Information Technology Division, | Ph:  +61 2 9514-2358
. v   University of Technology, Sydney.| Fax: +61 2 9514-4327







Re: What is the deal on missing Authority Section and additional section from google's DNS servers?

2012-07-11 Thread Ted Mittelstaedt

On 7/10/2012 6:37 PM, Michael Hoskins (michoski) wrote:

-Original Message-

From: Ted Mittelstaedt t...@ipinc.net
Date: Tuesday, July 10, 2012 6:24 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: What is the deal on missing Authority Section and additional
section from google's DNS servers?


   I can't seem to find an option to turn off additional data.  How
does Google and OpenDNS do it?  WHY do they do it?


have you tried minimal-responses yes;?



That did it, thanks!


it can increase name server performance, but can also increase client
workload (e.g. lead to additional queries).  some might also feel it's
best to be conservative in what you send.



I would then have to assume that Google and OpenDNS are aware of
bugs in specific resolver implementations - very likely in certain
firmware versions of the small Dlink/Linksys/etc. routers - and
have turned off the additional data in order to make their stuff as
compatible as possible so that as few people as possible complain.

It would be nice if anyone could confirm this.

It would be nicer if Google or OpenDNS would confirm they are doing
it and why.

No doubt both regard it as some sort of trade secret.

Ted


Survey - how many people running ISP nameservers define minimal-responses - was Re: What is the deal on missing Authority Section and additional section from google's DNS servers?

2012-07-11 Thread Ted Mittelstaedt

Great answers to my question, thanks!

So now, what do you guys all run?

I have always followed the principle of providing the most information
possible and letting the users decide what to ignore, which is why I never
gave a second thought to providing additional data.

But if as Warren said:

...Many things (correctly (IMO)) ignore the info in additional section 
due to past entertainment with cache poisoning, etc


then what would be best practices for an ISP?

Ted

On 7/11/2012 8:03 AM, Warren Kumari wrote:


On Jul 11, 2012, at 6:30 AM, Ted Mittelstaedt wrote:


On 7/10/2012 6:37 PM, Michael Hoskins (michoski) wrote:

-Original Message-

From: Ted Mittelstaedt t...@ipinc.net
Date: Tuesday, July 10, 2012 6:24 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: What is the deal on missing Authority Section and additional
section from google's DNS servers?


   I can't seem to find an option to turn off additional data.  How
does Google and OpenDNS do it?  WHY do they do it?


have you tried minimal-responses yes;?



That did it, thanks!


it can increase name server performance, but can also increase client
workload (e.g. lead to additional queries).  some might also feel it's
best to be conservative in what you send.



I would then have to assume that Google and OpenDNS are aware of
bugs in specific resolver implementations - very likely in certain
firmware versions of the small Dlink/Linksys/etc. routers - and
have turned off the additional data in order to make their stuff as
compatible as possible so that as few people as possible complain.

It would be nice if anyone could confirm this.



As you have just seen from one of your customers, there are a non-zero number of folk / 
devices that have issues with larger responses / responses with additional 
data / etc. Exactly what the devices are isn't (IMO) important, what is is getting 
answers to folk.

By *far* the majority of folk querying these services are end users / stub 
resolvers. What they are looking for is simply an A / AAAA and anything extra 
is simply wasted bandwidth, time, opportunities to get confused, etc.

Many things (correctly (IMO)) ignore the info in additional section due to past 
entertainment with cache poisoning, etc.


It would be nicer if Google or OpenDNS would confirm they are doing
it and why.



I think that it is clear from querying (at least Google!) that this is the case:
$ dig www.example.com @8.8.8.8 | grep ADDI
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0



No doubt both regard it as some sort of trade secret.


Hopefully not… ;-)

W




Ted








What is the deal on missing Authority Section and additional section from google's DNS servers?

2012-07-10 Thread Ted Mittelstaedt

Hi All,

  I manage an ISP that runs BIND 9.6-ESV-R7-P1  (to be fair it was
running 9.6-ESV-R6 until an hour ago but I'm not that dumb to
post the location of an unpatched nameserver to the mailing list)

  One of our customers reported that she was having problems with her
mailserver not sending mail to comcast.com users.  When she switched to
using Google's open DNS servers or opendns's servers, the problem went
away.

  No other customer reported this and I see no problem with our own
mailservers.

  In looking at the output of my own servers, I see data in
authority and additional sections.  In looking at data from the
output of those dns servers, I do not.  Since only comcast.com was
affected, and they have a very large amount of additional data in
the response, I am theorizing that her firewall thinks the DNS
response query packet is too large and is trashing it.  Either that
or there's a network layer problem that is trashing UDP packets.

  I can't seem to find an option to turn off additional data.  How
does Google and OpenDNS do it?  WHY do they do it?

  Dig's that show what I mean follow:


C:\dig>dig @8.8.8.8 -t MX comcast.com

; <<>> DiG 9.3.2 <<>> @8.8.8.8 -t MX comcast.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 556
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;comcast.com.                   IN      MX

;; ANSWER SECTION:
comcast.com.            533     IN      MX      5 mx1.comcast.com.
comcast.com.            533     IN      MX      5 mx4.comcast.com.
comcast.com.            533     IN      MX      5 mx3.comcast.com.

;; Query time: 109 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 18:18:43 2012
;; MSG SIZE  rcvd: 89


C:\dig>

C:\dig>dig @resolver1.opendns.com -t MX comcast.com

; <<>> DiG 9.3.2 <<>> @resolver1.opendns.com -t MX comcast.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;comcast.com.                   IN      MX

;; ANSWER SECTION:
comcast.com.            567     IN      MX      5 mx1.comcast.com.
comcast.com.            567     IN      MX      5 mx4.comcast.com.
comcast.com.            567     IN      MX      5 mx3.comcast.com.

;; Query time: 93 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jul 10 18:20:24 2012
;; MSG SIZE  rcvd: 89


C:\dig>
C:\dig>


C:\dig>dig @dns1.ipinc.net -t MX comcast.com

; <<>> DiG 9.3.2 <<>> @dns1.ipinc.net -t MX comcast.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 315
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 13

;; QUESTION SECTION:
;comcast.com.                   IN      MX

;; ANSWER SECTION:
comcast.com.            600     IN      MX      5 mx4.comcast.com.
comcast.com.            600     IN      MX      5 mx1.comcast.com.
comcast.com.            600     IN      MX      5 mx3.comcast.com.

;; AUTHORITY SECTION:
comcast.com.            1712    IN      NS      dns104.comcast.net.
comcast.com.            1712    IN      NS      dns102.comcast.net.
comcast.com.            1712    IN      NS      dns101.comcast.net.
comcast.com.            1712    IN      NS      dns103.comcast.net.
comcast.com.            1712    IN      NS      dns105.comcast.net.

;; ADDITIONAL SECTION:
mx1.comcast.com.        3600    IN      A       76.96.32.244
mx3.comcast.com.        1712    IN      A       69.241.43.117
mx4.comcast.com.        1712    IN      A       69.241.43.118
dns101.comcast.net.     1680    IN      A       68.87.29.164
dns101.comcast.net.     1680    IN      AAAA    2001:558:1002:a:68:87:29:164
dns102.comcast.net.     1680    IN      A       68.87.85.132
dns102.comcast.net.     1680    IN      AAAA    2001:558:1004:7:68:87:85:132
dns103.comcast.net.     1680    IN      A       68.87.76.228
dns103.comcast.net.     1680    IN      AAAA    2001:558:1014:c:68:87:76:228
dns104.comcast.net.     1680    IN      A       68.87.68.244
dns104.comcast.net.     1680    IN      AAAA    2001:558:100a:5:68:87:68:244
dns105.comcast.net.     1680    IN      A       68.87.72.244
dns105.comcast.net.     1680    IN      AAAA    2001:558:100e:5:68:87:72:244

;; Query time: 156 msec
;; SERVER: 65.75.192.10#53(65.75.192.10)
;; WHEN: Tue Jul 10 18:17:24 2012
;; MSG SIZE  rcvd: 473


C:\dig>
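Added example, not part of the original posts: a small Python check that puts the three dig runs above side by side, for the comparison behind the `minimal-responses` discussion in this thread. The flags and MSG SIZE lines are copied from the post; the function names and the `udp_limit` parameter are this example's own.

```python
import re

# Summary lines copied from the three dig runs quoted in the post above.
DIG_RUNS = {
    "8.8.8.8": (
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0\n"
        ";; MSG SIZE  rcvd: 89\n"),
    "resolver1.opendns.com": (
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0\n"
        ";; MSG SIZE  rcvd: 89\n"),
    "dns1.ipinc.net": (
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 13\n"
        ";; MSG SIZE  rcvd: 473\n"),
}

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
COUNTS_RE = re.compile(
    r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd: (\d+)", re.M)


def summarize(dig_text):
    """Extract flags, section counts and message size from one dig run."""
    flags, counts, size = (r.search(dig_text)
                           for r in (FLAGS_RE, COUNTS_RE, SIZE_RE))
    if not (flags and counts and size):
        raise ValueError("incomplete dig output (timeout or cut-off paste?)")
    _, answer, authority, additional = map(int, counts.groups())
    return {"flags": flags.group(1).split(), "answer": answer,
            "authority": authority, "additional": additional,
            "size": int(size.group(1)),
            "minimal": authority == 0 and additional == 0}


def compare(runs, udp_limit=512):
    """Compare resolvers; udp_limit is the payload size to test against
    (512 bytes is the classic DNS-over-UDP limit without EDNS0)."""
    rows = {name: summarize(text) for name, text in runs.items()}
    smallest = min(row["size"] for row in rows.values())
    for row in rows.values():
        row["extra_bytes"] = row["size"] - smallest
        row["truncated"] = "tc" in row["flags"]
        row["over_limit"] = row["size"] > udp_limit
    return rows


if __name__ == "__main__":
    for name, row in compare(DIG_RUNS).items():
        print(f"{name:24} size={row['size']:4} +{row['extra_bytes']:3} "
              f"auth={row['authority']} addl={row['additional']} "
              f"minimal={row['minimal']} over_limit={row['over_limit']}")
```

With the figures from the post, the authority and additional sections account for 384 extra bytes, and the 473-byte response stays under the default 512-byte threshold; pass a smaller `udp_limit` to model a device that enforces a stricter size.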