How can I setup BIND for redundancy with efficient replication?

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Fri Nov 8 23:16:47 UTC 2002


Frederic <fredericguigand at alamy.com> wrote:

> Thanks for your answers.

> I probably need to clarify a few things...

> The servers are on the perimeter networks (2 different sites). Some
> act as straight firewalls, others as reverse caching proxies, forward
> caching proxies, vpn servers, smtp relays, or a combination of those.
> The OS is win2k because we are using Microsoft ISA Server.

Is it wise to combine a fw with any kind of application duty? Some
folks say a definite "no" to this for several reasons.

> ( On a side note, I was initially going to use OpenBSD, but I was
> approached by Microsoft to provide some feedback on ISA server. I was
> very impressed by their product and as we got free licenses to use it
> on all our servers, I went with it 2 years ago; so far no regrets )

I'm convinced you can have a free OpenBSD license anytime :-) And
I'm also convinced you get a better, safer and more manageable environment.

> The backend is running Active Directory and we I Windows DNS there. I
> can open any port I want on the BIND/ISA servers, so configuring them
> to get updates from Windows 2000 AD DNS servers is no problem. However
> that is not an option as I do not have enough trust in AD to let it
> manage our public DNS zones. When AD goes wrong it really goes wrong,
> trust me.

> I can open ports for ssh, sftp, rndc, that's fine. What I would like
> to know is which method is

>   * secure
>   * works on Windows 2000
Now you have a contradiction. You cannot have both of the above.

>   * easily scriptable
Any un*x.
>   * reliable
BSD is a good choice.
>   * allows me to update all DNS server files from a central location
> and control BIND
This is the "normal" method with bind: one master, several slaves. With
the reliability we "unix" folks are familiar with, we don't expect any
problems with this. And, if lightning strikes, OpenBSD may be installed
from scratch to a running nameserver in less than an hour. I'm convinced
you have longer expire times than that!



-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
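The "one master, several slaves" setup mentioned above, as an added example that is not part of the original post: BIND 9 named.conf fragments for a primary and a secondary where zone transfers are TSIG-signed and restricted to the secondary. The zone name, addresses and key name are assumed placeholders (documentation values), and the secret must be generated locally (e.g. with dnssec-keygen) rather than copied from here.

```conf
// ---- primary (master) server, assumed address 192.0.2.1 ----
// Shared TSIG key; put the same stanza on every secondary.
// Generate the secret with: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST xfer-key
key "xfer-key" {
    algorithm hmac-md5;                 // use hmac-sha256 on newer BIND
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

// Sign NOTIFY messages sent to the secondary with this key.
server 192.0.2.2 { keys { "xfer-key"; }; };

zone "example.com" {
    type master;
    file "master/example.com.zone";
    notify yes;
    also-notify { 192.0.2.2; };
    allow-transfer { key "xfer-key"; };  // AXFR/IXFR only with a valid TSIG
    allow-update { none; };              // edits happen only in the zone file
};

// ---- secondary (slave) server, assumed address 192.0.2.2 ----
key "xfer-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";  // identical to the primary
};

// Sign transfer requests to the primary with the same key.
server 192.0.2.1 { keys { "xfer-key"; }; };

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.com.zone";
    allow-transfer { none; };            // secondaries do not serve AXFR to others
};
```

After editing the zone file on the primary, bump the SOA serial and run `rndc reload example.com`; the secondaries pick up the change via NOTIFY, and the SOA refresh/expire timers bound how long a secondary keeps answering if the primary is unreachable.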

