my local zone rejected
Kevin Darcy
kcd at daimlerchrysler.com
Fri Apr 20 17:57:13 UTC 2001
Jim Reid wrote:
> >>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
>
> >> True, but why would anyone want/need to manage their zones
> >> with Dynamic DNS? Why give up audit trails, good change control
> >> and well-commented zone files?
>
> Kevin> Audit trails and change control can and probably should be
> Kevin> done outside of the zonefiles themselves.
>
> Perhaps, but they're harder to do when there's a free-for-all with
> DDNS on the zone file.
Actually, I think they're easier to do outside of the zone files. I have
hundreds of zone files but only one audit trail. If I want to track down
something, is it easier to look through those hundreds of zone files, or
the single audit trail?
And obviously, I don't recommend DDNS free-for-alls...
> Kevin> What kind of comments are you referring to? If they're just
> Kevin> "zonefile navigation aids", e.g. "delegations start here",
> Kevin> then that's a circular justification -- once it's no longer
> Kevin> necessary to navigate zone files, then the need for the
> Kevin> comments evaporates.
>
> I'm referring to comments like "don't remove or change the RR below
> because foo depends on it" or "the following RRset is a short-term
> kludge that can go away when the foobar project is over".
Again, I think it's probably better to maintain that information outside
of the zone files themselves. That way you have a *global* view. Often
dependencies occur across zone boundaries.
Also, warnings like "don't change X because of Y" tend to become
unnecessary if one has a mature access-control/authorization system which
only lets specific people change X, i.e. only the people who are familiar
with Y and thus can be trusted not to change X at the wrong time or in
the wrong way.
- Kevin
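The kind of setup Kevin describes (no DDNS free-for-all, only specific keys allowed to change specific records, with the change record kept outside the zone file) can be expressed in BIND 9 with TSIG keys, `update-policy` and update logging. The fragment below is an added illustration, not part of this thread or of BIND's own documentation; the zone, key and host names are hypothetical and the key secret is a placeholder.

```conf
// Constructed example: one TSIG key per team, each limited to the
// records that team owns. Anyone else gets their update refused.
key "webteam-key" {
    algorithm hmac-sha256;      // hmac-md5 was the only option in 2001
    secret "REPLACE_WITH_BASE64_SECRET";
};

key "dhcp-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        // Web team may only touch the A record of www, nothing else.
        grant webteam-key name www.example.com. A;
        // DHCP server may add/remove A and PTR-style hosts under
        // dyn.example.com, but cannot reach the apex or MX records.
        grant dhcp-key subdomain dyn.example.com. A AAAA;
        // No other grant: updates to any other name are denied.
    };
};

// The audit trail lives here, not in the zone file: every accepted
// update and every refused one is recorded with a timestamp.
logging {
    channel update_log {
        file "/var/log/named/updates.log" versions 10 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category update   { update_log; };
    category security { update_log; };
};
```

With this in place the "don't change X because of Y" warning becomes enforcement rather than a comment: a key that is not granted the name simply cannot change it, and the attempt shows up in the log.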