Re: BIND DNS Server on Windows
On Sunday, February 9th, 2025 at 6:55 PM, Marco Moock wrote:

> On 09.02.2025 at 10:51:35 Turritopsis Dohrnii Teo En Ming via bind-users wrote:
>
>> Can I install WinBIND on Windows 10 and Windows 11? The following guide mentioned installation of WinBIND on Windows Server only.
>
> Should work, give it a try.
>
> --
> Regards
> Marco

Thank you. I will give it a try.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individuals in Singapore
GIMP = Government-Induced Medical Problems

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND DNS Server on Windows
On Monday, 10 February 2025 15:12:05 CET Turritopsis Dohrnii Teo En Ming wrote:

> It appears to be too difficult for me to understand.

Not gonna lie, Hyper-V is anything but easy to work with, at least initially. It was in response to this thread that I realized that I don't even remember and never documented how I made that network stack work, which I find concerning. The only thing I do remember is that it could be done in PowerShell.

If I had to choose between Hyper-V, VirtualBox and VMware, I would say that VirtualBox and VMware are easier to work with, while Hyper-V gives better OS integration at the cost of complexity. Against something like QEMU, meanwhile, they all create vendor lock-in. But QEMU on Windows comes with less than stellar performance, and there is something to be said about qcow2 being just as locked-in a storage format as the rest.

Whichever option you choose in the end, I wish you good luck :)

Best regards,
Michael
Re: BIND DNS Server on Windows
I am pretty much confused; unless you are using this setup for educational purposes, it makes little sense. A setup like this is similar to an onion: it has layers and it makes you cry. You can add Docker for extra pain or Kubernetes for permanent blindness.

It is going to be much easier to get a $5/month VPS. Alternatively, get a (used) RPi and host it on a local network.

Ondrej

--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 10. 2. 2025, at 15:07, Turritopsis Dohrnii Teo En Ming via bind-users wrote:
>
> Rather than using WSL, I think I will use Hyper-V, VMware Workstation or Oracle VirtualBox instead.
Re: BIND DNS Server on Windows
On Sunday, February 9th, 2025 at 9:55 PM, Michael De Roover wrote:

> On Sunday, February 9, 2025 12:07:48 PM CET Richard T.A. Neal wrote:
>
>> That's my site! 😊
>
> That is incredible!
>
>> One major drawback with WSL is that there doesn't seem to be a way to assign it a static IP - i.e. your WSL BIND server will change IP address every time (it's a private routed address that will need a Windows Firewall NAT rule to be reached from other machines on your network).
>
> Please do note that WSL is merely a subset of Hyper-V networking, regardless of your Windows release. It is possible to assign bridge networking in Windows' virtualization suite, as well as NAT networking. Whichever one is chosen in the end is an exercise left to the reader.
>
> Either way, I have used massgrave.dev to make my Windows 10 installation Enterprise, and used it to create various Hyper-V machines. One of those is a gateway machine that connects to Hyper-V's "Default Switch", which then routes to another switch I was able to name "internal.switch.ideapad.lan". It goes without saying that this switch is internal, and therefore network-agnostic.
>
> Lastly, there is another switch that is named external.switch.ideapad.lan. This is what my wired interface is bridged into. I no longer use this interface/switch, but it does still exist nonetheless. That allows for direct connections into the host network, on a switch level. However, it is only available for wired networking. Unfortunately, this appears to be a physical limit. Perhaps it's possible to mitigate this with hostapd voodoo, but I have yet to master that myself.
>
> --
> Kind regards,
> Michael De Roover
>
> Mail: i...@nixmagic.com
> Web: michael.de.roover.eu.org

It appears to be too difficult for me to understand.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individuals in Singapore
GIMP = Government-Induced Medical Problems
RE: BIND DNS Server on Windows
On Sunday, February 9th, 2025 at 7:07 PM, Richard T.A. Neal wrote:

> That's my site! 😊
>
> Whilst functional, please bear in mind that BIND is no longer developed or supported on Windows, so I really don't recommend doing so. You should install it on a Linux system as intended, or alternatively in WSL (Windows Subsystem for Linux).
>
> One major drawback with WSL is that there doesn't seem to be a way to assign it a static IP - i.e. your WSL BIND server will change IP address every time (it's a private routed address that will need a Windows Firewall NAT rule to be reached from other machines on your network).
>
> https://www.isc.org/download/
>
> Best,
> Richard.

Dear Richard,

Thank you for your reply.

Rather than using WSL, I think I will use Hyper-V, VMware Workstation or Oracle VirtualBox instead.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming

> -----Original Message-----
> From: bind-users bind-users-boun...@lists.isc.org On Behalf Of Turritopsis Dohrnii Teo En Ming via bind-users
> Sent: 09 February 2025 10:52 am
> To: bind-users@lists.isc.org
> Subject: BIND DNS Server on Windows
>
> Good day from Singapore,
>
> Can I install WinBIND on Windows 10 and Windows 11? The following guide mentioned installation of WinBIND on Windows Server only.
>
> Link: https://www.winbind.org/installing-bind-on-windows/
>
> Thank you.
>
> Regards,
>
> Mr. Turritopsis Dohrnii Teo En Ming
> Targeted Individuals in Singapore
> GIMP = Government-Induced Medical Problems
> 9 Feb 2025 Sunday
Re: Difference in validating behavior 9.18 / 9.20
Trying to kick this football, I delegated a zone (z.ak.gov) to one of my test servers, by adding a record to ak.gov:

    z.ak.gov. IN NS ns88.state.ak.us

And on the ns88 server, I created a zone file with an SOA, NS, A, and a TXT record. I defined it with a basic zone statement:

    zone "z.ak.gov" { type primary; file "z.ak.gov"; };

and confirmed my delegation worked, and that it would answer correctly.

Then I added "dnssec-policy default; inline-signing yes;" to my zone statement, reloaded the zone, and used rndc dnssec -status z.ak.gov to see that it was happy. I could still dig the records I had entered. If I added +dnssec to my dig I saw the RRSIG record. If I used delv I would get an 'unsigned answer'. If I used delv, and made it reference an anchor file of my own making:

    delv @ns88.state.ak.us -a ./z.ak.gov.key +root=z.ak.gov. z.ak.gov. SOA

I could get a fully-validated answer. Yay!!

The zone ak.gov is not signed, so while I could publish a DS record there, I suspect delv won't accept it while performing its validation work. I expect that naming my .key file as an anchor is just as good as letting delv find a validated DS record in ak.gov (for the purposes of learning how 9.18 and 9.20 validating resolvers differ).

But now I think I'm stuck. I think the default dnssec-policy isn't going to let me force a re-signing in a way which will leave expired RRSIG records behind (which is what I'm trying to test). I suspect I'm going to have to:

* switch to manual signing
* define a long TTL for my zone
* sign the zone with a key with a short longevity
* get the long TTL RRSIGs cached in my resolvers
* after the RRSIG is invalid, shorten the TTL on the zone
* re-sign the zone
* find both the new and the old RRSIG in my resolvers

Is there a simpler way to force an expired RRSIG into a response-set?

--
Do things because you should, not just because you can.

John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 2/7/2025 12:50 PM, John Thurston wrote:

> Right now, the only way I can think to nail down this behavior is to:
>
> * delegate a subdomain to myself
> * sign it
> * intentionally publish an expired RRSIG in it
>
> Which makes my next question: Will BIND even let me do this? Or will the automation rake out the expired records and refuse to serve them?
Re: Difference in validating behavior 9.18 / 9.20
If you want to test behaviour with expired records you are going to need to use dnssec-signzone. The tests that ship with BIND use dnssec-signzone to build zones with out-of-date signatures. As for dnssec-policy, it is not designed to produce broken zones.

Mark

> On 11 Feb 2025, at 10:18, John Thurston wrote:
>
> Trying to kick this football, I delegated a zone (z.ak.gov) to one of my test servers, by adding a record to ak.gov:
>
>     z.ak.gov. IN NS ns88.state.ak.us
>
> And on the ns88 server, I created a zone file with an SOA, NS, A, and a TXT record. I defined it with a basic zone statement:
>
>     zone "z.ak.gov" { type primary; file "z.ak.gov"; };
>
> and confirmed my delegation worked, and that it would answer correctly.
>
> Then I added "dnssec-policy default; inline-signing yes;" to my zone statement, reloaded the zone, and used rndc dnssec -status z.ak.gov to see that it was happy. I could still dig the records I had entered. If I added +dnssec to my dig I saw the RRSIG record. If I used delv I would get an 'unsigned answer'. If I used delv, and made it reference an anchor file of my own making:
>
>     delv @ns88.state.ak.us -a ./z.ak.gov.key +root=z.ak.gov. z.ak.gov. SOA
>
> I could get a fully-validated answer. Yay!!
>
> The zone ak.gov is not signed, so while I could publish a DS record there, I suspect delv won't accept it while performing its validation work. I expect that naming my .key file as an anchor is just as good as letting delv find a validated DS record in ak.gov (for the purposes of learning how 9.18 and 9.20 validating resolvers differ).
>
> But now I think I'm stuck. I think the default dnssec-policy isn't going to let me force a re-signing in a way which will leave expired RRSIG records behind (which is what I'm trying to test). I suspect I'm going to have to:
>
> • switch to manual signing
> • define a long TTL for my zone
> • sign the zone with a key with a short longevity
> • get the long TTL RRSIGs cached in my resolvers
> • after the RRSIG is invalid, shorten the TTL on the zone
> • re-sign the zone
> • find both the new and the old RRSIG in my resolvers
>
> Is there a simpler way to force an expired RRSIG into a response-set?
>
> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591
> john.thurs...@alaska.gov
> Department of Administration
> State of Alaska
>
> On 2/7/2025 12:50 PM, John Thurston wrote:
>
>> Right now, the only way I can think to nail down this behavior is to:
>>
>> • delegate a subdomain to myself
>> • sign it
>> • intentionally publish an expired RRSIG in it
>>
>> Which makes my next question: Will BIND even let me do this? Or will the automation rake out the expired records and refuse to serve them?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
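As an added illustration of what John's test (and Mark's dnssec-signzone route) is meant to surface, here is a small Python check, not code from the thread or from BIND, that parses RRSIG lines as dig +dnssec prints them, reports which signatures are expired at a chosen time, and applies the RFC 4035 rule that a single valid RRSIG is enough for the RRset. The sample answer, key tag 12345 and the placeholder signature data are all constructed.

```python
import re
from datetime import datetime

# Constructed sample of what `dig +dnssec z.ak.gov. SOA` could print for a
# zone carrying a stale and a fresh RRSIG (example data, not the poster's
# real output; the base64 signature fields are placeholders).
SAMPLE_ANSWER = """\
z.ak.gov. 3600 IN SOA ns88.state.ak.us. hostmaster.z.ak.gov. 2025020901 7200 3600 1209600 3600
z.ak.gov. 3600 IN RRSIG SOA 13 3 3600 20250201000000 20250118000000 12345 z.ak.gov. AAAA BBBB==
z.ak.gov. 3600 IN RRSIG SOA 13 3 3600 20250301000000 20250215000000 12345 z.ak.gov. CCCC DDDD==
"""

# RRSIG presentation format (RFC 4034 section 3.2): covered type, algorithm,
# labels, original TTL, expiration, inception, key tag, signer, signature.
# dig may break the base64 signature into space-separated chunks, so the
# tail of the line is matched free-form.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>.+)$"
)

def _ts(s):
    # Timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S")

def classify_rrsigs(answer, now):
    """Return [(covered type, key tag, status)] for every RRSIG in `answer`,
    judged at `now` (same 14-digit UTC format as the record itself)."""
    t = _ts(now)
    result = []
    for line in answer.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # SOA/NS/A/TXT lines carry no validity window
        if t < _ts(m["inception"]):
            status = "not-yet-valid"
        elif t > _ts(m["expiration"]):
            status = "expired"
        else:
            status = "valid"
        result.append((m["covered"], int(m["keytag"]), status))
    return result

def rrset_validates(answer, covered, now):
    """RFC 4035: an RRset is secure if at least one of its RRSIGs verifies,
    so a stale RRSIG sitting beside a fresh one does not by itself make
    the answer bogus; only a set with no in-window signature does."""
    return any(status == "valid"
               for typ, _, status in classify_rrsigs(answer, now)
               if typ == covered)
```

Run against a real dig +dnssec capture from both a 9.18 and a 9.20 resolver, the classification shows which of the old and new RRSIGs each one actually handed back.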