NOTIFY-triggered Auto-slaving (was Re: how to list ALL zones of my master server)

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 2 00:28:16 UTC 2002


Mark.Andrews at isc.org wrote:

> > Mark_Andrews at isc.org wrote:
> >
> > >         If you want this write it up as a draft and submit it to
> > >         the IETF.  The working group thought about this when we did
> > >         NOTIFY but left it as an exercise for the future.  At the
> > >         time we were worried about security and theft of service
> > >         in addition to the meta data problem.  We also wanted the
> > >         basic zone content updates to get through to RFC status and
> > >         not to get bogged down in debate over what metadata needs
> > >         to be transmitted let alone how to do it.
> > >
> > >         TSIG can provide the security and through that protection from
> > >         theft of service.  The rest is still a mess.
> >
> > OK, Mark, try taking off your protocol-designer hat for a moment and put
> > on your BIND-implementor hat. Given that TSIG-signed NOTIFYs are now a
> > reality with BIND, without any protocol changes, RFCs or IETF/IESG action
> > required, and therefore security is no longer the issue it once was,
> > would it not be a reasonable feature request to have a BIND instance
> > automatically slave zones upon receipt of a TSIG-signature-verified
> > NOTIFY, if configured to do so by the administrator of said BIND instance
> > and using metadata provided, perhaps in template form, by said
> > administrator? It's a "halfway measure" only in the sense that we don't
> > have a whole protocol by which a master can communicate metadata to the
> > slave -- as you said, that's "still a mess" -- but just because we can't
> > do *everything* does that mean we should do *nothing* to automate
> > slave-creation? Is this an all-or-nothing proposition? I don't think so.
> > I know there are a lot of DNS admins out there -- I'm one of them, since this
> > is one of the few things I haven't automated yet -- who want to eliminate
> > the drudge work of constantly editing named.conf files, and would eagerly
> > embrace a less-than-comprehensive solution to the problem.
> >
> >
> > - Kevin
>
>         I would review a patch for BIND 9 if you cared to implement it.

Okay, but that sidesteps the question of whether it's a reasonable feature
request or not. I'm not going to commit coding time for something that's
guaranteed to be rejected because of protocol snobbery or some other reason
besides the quality of the patch.


-Kevin
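The setup the thread treats as already available in BIND 9 (TSIG-signed NOTIFY between a master and a slave, with the slave zone itself still declared by hand in named.conf) looks roughly like the fragments below. This is an added illustration and not from the original message or from BIND's own documentation; the zone name, addresses, key name and secret are constructed placeholders, and the two fragments belong in two different named.conf files.

```conf
// Added example, not from the original post: the hand-written named.conf
// entries that the requested feature would generate on its own.
// Zone name, addresses, key name and secret are constructed placeholders.

// --- present on BOTH servers: the shared TSIG key ---
// The secret is a constructed sample; generate a real one (dnssec-keygen)
// and keep it out of world-readable files and version control.
key "notify-key" {
    algorithm hmac-md5;           // the only TSIG algorithm in BIND 9.2;
                                  // BIND 9.5 and later also accept hmac-sha256
    secret "c2FtcGxlLXNlY3JldA==";
};

// --- master side (192.0.2.1): sign everything sent to the slave ---
server 192.0.2.2 {
    keys { "notify-key"; };       // NOTIFYs to this host carry a TSIG signature
};
zone "example.com" {
    type master;
    file "master/example.com";
    notify yes;
    also-notify { 192.0.2.2; };   // in addition to the NS RRset
    allow-transfer { key "notify-key"; };   // AXFR/IXFR only when signed
};

// --- slave side (192.0.2.2): verify signatures, sign requests back ---
server 192.0.2.1 {
    keys { "notify-key"; };       // SOA queries and zone transfers are signed
};
zone "example.com" {                        // <- the line the thread wants automated
    type slave;
    file "slaves/example.com";
    masters { 192.0.2.1 key "notify-key"; };
    allow-notify { key "notify-key"; };     // any other unsigned NOTIFY is refused
};
```

Two points a defender should keep in mind when reading this against the "theft of service" worry in the quoted text. First, `allow-notify` adds to the zone's masters rather than replacing them, so the configured master address is always allowed to notify; the key requirement is what keeps arbitrary third parties from triggering refreshes. Second, a NOTIFY is only a hint: the slave still performs a signed SOA query and transfer against the addresses in `masters`, so the most a spoofed NOTIFY can cause today is an extra SOA query, whereas a NOTIFY that could create a zone (the proposal under discussion) would need the signature check and administrator-supplied template to carry all of the trust.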