Simple problem is search of a simple solution

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 6 22:12:26 UTC 2001


Neither the DNS protocol nor BIND supports automatic slaving currently.
However, it would only be a minor protocol change to allow NOTIFYs to be
cryptographically signed. If NOTIFYs could be trusted, then I don't see any
reason why they couldn't be used to trigger automatic slave creation.

In the meantime, plenty of folks have cobbled together solutions to this
problem. One common method is to have some sort of "zone list" in DNS,
composed of TXT or PTR records. The would-be slaves check that list
periodically and start/stop slaving zones as necessary. A less common method,
which only works on small internal-root namespaces, is to have a script on the
slaves walk through the entire namespace tree to determine what zones to slave
(I do this internally). A more radical approach is to not use AXFR/IXFR for
master/slave replication at all. Use something like rsync-over-ssh to
replicate the zonefiles, with each of the slaves defining the zone as "master"
and reloading the zone after every change. One benefit of this approach is
that along with the zonefiles themselves, you can replicate the relevant
named.conf definitions.

Note that even if NOTIFYs *cannot* currently be trusted, they could at least
be used as a "hint" to start slaving a zone. Just make sure to check the
delegations from a trusted server so that you don't get spoofed into slaving
something you shouldn't...


- Kevin

Ronald F. Guilmette wrote:

> Given a set of name servers, A, B, C, and D, all running BIND 8.2.x,
> and given that server A is generally used as the master for all of
> the zones that these servers are authoritative for, and given that
> B, C, and D are generally used as slaves for all such zones, is there
> any way to add a brand new zone to A in a way that makes it unnecessary
> to also go around and manually diddle all of the /etc/named.conf
> files on all of the other servers, B, C, and D?
>
> I am in a situation where I am going to be adding LOTS of authoritative
> zones to A, and to the /etc/named.conf file of A, and I really don't
> want to have to go around to all of the other (slave) servers each time
> I add such a (new) zone and manually edit all of THEIR /etc/named.conf
> files also.
>
> Surely I'm not the first person to have mentioned this as a problem, right?
>
> Surely someone must have solved this problem by now, right?
>
> If someone would be kind enough to point me at the solution, I would
> greatly appreciate it.
>
> P.S.  Getting the new hunks of /etc/named.conf stuff distributed out to
> the various slave name servers is only half the battle here.  Each of
> those servers also has to be (automagically) reloaded after it has
> received the new hunk of /etc/named.conf stuff.
>
> I kinda wish that there were something like `NOTIFY' that would handle
> all of this, including retries (where necessary), encryption, validation,
> etc., etc.
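
The "zone list in DNS" method from Kevin's reply, as an added example that is not part of the original thread: a slave-side reconciler that parses the TXT zone list, discards any entry a trusted delegation lookup does not confirm (the spoofing caveat), and emits the named.conf slave stanzas to add. The list name, NS names, master address and all record data are constructed assumptions.

```python
# Added example (not from the thread): a "zone list in DNS" slave reconciler.
# TXT rdata names the zones a slave should carry; a zone is accepted only if a
# trusted server confirms the delegation points at our NS. All records, names
# and the master address below are constructed/assumed, not from the post.
import re

# Constructed TXT rdata from a hypothetical "zones.example." zone list.
ZONE_LIST_TXT = ['"example.org"', '"customer1.example"', '"evil-injected.example"']

# Constructed answer from a *trusted* server: zone -> NS set the parent delegates to.
# "evil-injected.example" is deliberately absent: its list entry has no real delegation.
TRUSTED_DELEGATIONS = {
    "example.org": {"ns1.example.net", "ns2.example.net"},
    "customer1.example": {"ns1.example.net", "ns2.example.net"},
}
OUR_NS = {"ns1.example.net", "ns2.example.net"}   # assumed: this slave's NS names
MASTER_ADDR = "192.0.2.1"                          # assumed master (documentation range)
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$")

def parse_zone_list(txt_rdata):
    """Strip TXT quoting, lowercase, drop the trailing dot, reject malformed names."""
    zones = set()
    for rdata in txt_rdata:
        name = rdata.strip().strip('"').lower().rstrip(".")
        if HOSTNAME.match(name):
            zones.add(name)
    return zones

def is_delegated_to_us(zone, trusted):
    """Accept a zone only if the trusted lookup lists at least one of our NS names."""
    return bool(trusted.get(zone, set()) & OUR_NS)

def plan(zone_list_txt, currently_slaved, trusted=TRUSTED_DELEGATIONS):
    """Return (zones to add, zones to drop, rejected) without touching named.conf."""
    wanted = parse_zone_list(zone_list_txt)
    rejected = {z for z in wanted if not is_delegated_to_us(z, trusted)}
    wanted -= rejected
    return sorted(wanted - currently_slaved), sorted(currently_slaved - wanted), sorted(rejected)

def slave_stanza(zone):
    """named.conf fragment for one slaved zone (BIND 8/9 syntax)."""
    return (f'zone "{zone}" {{\n\ttype slave;\n\tfile "slave/{zone}";\n'
            f'\tmasters {{ {MASTER_ADDR}; }};\n}};\n')

if __name__ == "__main__":
    add, drop, bad = plan(ZONE_LIST_TXT, {"example.org", "stale.example"})
    print("add:", add, "drop:", drop, "rejected:", bad)
    print("".join(slave_stanza(z) for z in add), end="")
```

In a real deployment the two constructed inputs would come from a periodic TXT query of the list name and an NS query sent to a server you already trust, and the emitted stanzas would be appended before a reload.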
