FQDNs in masters-list (was: Help: Secondary for...)

Kevin Darcy kcd at daimlerchrysler.com
Thu Mar 8 20:01:12 UTC 2001


Brad Knowles wrote:

> At 4:00 PM +0100 3/8/01, Andreas S. Oesterhelt wrote:
>
> >  First, as Kevin Darcy mentioned, signed notifies might even simplify
> >  things where no nomadic masters are involved in that they make DOS
> >  attacks with spoofed notifies harder.
>
>         I don't think that even signed notifies are going to solve the
> whole problem.  At least part of the configuration details of where a
> secondary pulls copies of the zones from is completely outside the
> spec of the DNS protocol, and IMO that is for good reason.

It solves the problem of slave auto-configuration if everything (other than the
address of the master server in the "roving master" scenario we've been
discussing) can be "templated", i.e. those values are constant for all slave
zones, or can be derived using some local conventions. This is appropriate for
many situations where the slaves are *pure* slaves, i.e. no master zones except
perhaps for loopback, with no server- or location-specific configuration.

I concur that nameserver configuration details should probably stay out of the DNS
protocol _per_se_, although it might be worthwhile trying to develop a
*different* protocol (Nameserver Management Protocol == "NMT"?) for this. It would
have to be really flexible and extensible, though, so that all of the various
flavors and possible flavors of nameservers could use it. (ASN.1 anyone?) And of
course it would have to be secure. Or maybe this could piggyback off a secured
version of an existing management protocol, e.g. SNMP (?)


- Kevin
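The templated "pure slave" setup Kevin describes, written out as a BIND 9 named.conf fragment (an added example, not part of the thread or of BIND's own documentation); the key name, the secret, all addresses and file names are placeholders.

```conf
// Added example: BIND 9 named.conf for a "pure slave" in the templated
// setup above. Only the key and server statements are per-site; every
// zone stanza is identical apart from the zone name. Addresses, key name
// and secret are placeholders.

// --- per-site values: the roving master's address and the shared key ---
key "xfer-key" {
    algorithm hmac-md5;
    secret "<base64 secret, e.g. from dnssec-keygen -a HMAC-MD5 -b 128 -n HOST>";
};
// Sign the SOA queries and AXFR/IXFR requests this slave sends to the master.
server 192.0.2.10 {
    keys { "xfer-key"; };
};
// --- everything below is the template ---

options {
    directory "/var/named";
    allow-transfer { none; };        // pure slave: serve, never re-distribute
    recursion no;
};

// Weak setting: an address-only ACL can be satisfied with a forged source
// address, which is the spoofed-NOTIFY DoS the thread refers to.
//   allow-notify { 198.51.100.0/24; };

// Templated zone stanza, repeated verbatim for every slave zone.
zone "example.com" {
    type slave;
    file "slave/example.com.db";
    masters { 192.0.2.10; };
    // NOTIFYs from hosts other than the masters must carry a valid TSIG
    // signature under xfer-key. Caveat: BIND always accepts NOTIFYs from
    // the masters addresses, so this ACL does not cover a spoof of the
    // master's own address; that case is what signed notifies would close.
    allow-notify { key "xfer-key"; };
};

// Loopback is the one master zone a pure slave still carries.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/localhost.rev";
};
```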

