NOTIFY-triggered Auto-slaving (was Re: how to list ALL zones of my master server)
Mark_Andrews at isc.org
Wed Oct 2 00:56:30 UTC 2002
>
> Mark.Andrews at isc.org wrote:
>
> > > Mark_Andrews at isc.org wrote:
> > >
> > > > If you want this write it up as a draft and submit it to
> > > > the IETF. The working group thought about this when we did
> > > > NOTIFY but left it as an exercise for the future. At the
> > > > time we were worried about security and theft of service
> > > > in addition to the meta data problem. We also wanted the
> > > > basic zone content updates to get through to RFC status and
> > > > not to get bogged down in debate over what metadata needs
> > > > to be transmitted let alone how to do it.
> > > >
> > > > TSIG can provide the security and through that protection from
> > > > theft of service. The rest is still a mess.
> > >
> > > OK, Mark, try taking off your protocol-designer hat for a moment and put
> > > on your BIND-implementor hat. Given that TSIG-signed NOTIFYs are now a
> > > reality with BIND, without any protocol changes, RFCs or IETF/IESG action
> > > required, and therefore security is no longer the issue it once was,
> > > would it not be a reasonable feature request to have a BIND instance
> > > automatically slave zones upon receipt of a TSIG-signature-verified
> > > NOTIFY, if configured to do so by the administrator of said BIND instance
> > > and using metadata provided, perhaps in template form, by said
> > > administrator? It's a "halfway measure" only in the sense that we don't
> > > have a whole protocol by which a master can communicate metadata to the
> > > slave -- as you said, that's "still a mess" -- but just because we can't
> > > do *everything* does that mean we should do *nothing* to automate
> > > slave-creation? Is this an all or nothing proposition? I don't think so.
> > > I know there are a lot of DNS admins out there -- I'm one of them, since this
> > > is one of the few things I haven't automated yet -- who want to eliminate
> > > the drudge work of constantly editing named.conf files, and would eagerly
> > > embrace a less-than-comprehensive solution to the problem.
> > >
> > >
> > - Kevin
> >
> > I would review a patch for BIND 9 if you cared to implement it.
>
> Okay, but that sidesteps the question of whether it's a reasonable feature
> request or not. I'm not going to commit coding time for something that's
> guaranteed to be rejected because of protocol snobbery or some other reason
> besides the quality of the patch.
>
> -Kevin
I don't ask people to code things for review unless I am willing
to include the reviewed code. I've got better things to do with
my time than review random bits of code.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org