my local zone rejected

Kevin Darcy kcd at daimlerchrysler.com
Fri Apr 20 17:57:13 UTC 2001


Jim Reid wrote:

> >>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
>
>     >>  True, but why would anyone want/need to manage their zones
>     >> with Dynamic DNS? Why give up audit trails, good change control
>     >> and well-commented zone files?
>
>     Kevin> Audit trails and change control can and probably should be
>     Kevin> done outside of the zonefiles themselves.
>
> Perhaps, but they're harder to do when there's a free-for-all with
> DDNS on the zone file.

Actually, I think they're easier to do outside of the zone files. I have
hundreds of zone files but only one audit trail. If I want to track down
something, is it easier to look through those hundreds of zone files, or
the single audit trail?

And obviously, I don't recommend DDNS free-for-alls...

>     Kevin> What kind of comments are you referring to? If they're just
>     Kevin> "zonefile navigation aids", e.g. "delegations start here",
>     Kevin> then that's a circular justification -- once it's no longer
>     Kevin> necessary to navigate zone files, then the need for the
>     Kevin> comments evaporates.
>
> I'm referring to comments like "don't remove or change the RR below
> because foo depends on it" or "the following RRset is a short-term
> kludge that can go away when the foobar project is over".

Again, I think it's probably better to maintain that information outside
of the zone files themselves. That way you have a *global* view. Often
dependencies occur across zone boundaries.

Also, warnings like "don't change X because of Y" tend to become
unnecessary if one has a mature access-control/authorization system which
only lets specific people change X, i.e. only the people who are familiar
with Y and thus can be trusted not to change X at the wrong time or in
the wrong way.


- Kevin
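The kind of narrow, per-name update authorization Kevin describes, shown here as an added BIND named.conf fragment (an illustration, not part of this thread; the key name, zone name, file paths, and secret are placeholders) alongside the free-for-all setting it replaces, with the update log that serves as the single audit trail:

```conf
// Added example: a DDNS "free-for-all" that lets any client rewrite the zone.
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-update { any; };   // no authentication, no per-record scope
// };

// Placeholder TSIG key; generate a real secret with tsig-keygen.
key "webteam-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDERBASE64SECRET=";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Grant only the records this key's holders are responsible for:
    // the www host record and anything under staging.example.com.
    // Everything else in the zone stays untouchable via DDNS.
    update-policy {
        grant webteam-key name www.example.com. A AAAA;
        grant webteam-key subdomain staging.example.com. ANY;
    };
};

// One audit trail for every dynamic update, across all zones,
// instead of comments scattered through hundreds of zone files.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 5 size 10m;
        print-time yes;
        print-category yes;
        severity info;
    };
    category update { update_log; };
    category update-security { update_log; };
};
```

Each accepted or refused update is logged with the signing key, the name, and the record type, so "don't change X because of Y" becomes a rule the server enforces and a line in the log when someone tries.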