NOTIFY-triggered Auto-slaving (was Re: how to list ALL zones of my master server)

Wed Oct 2 00:56:30 UTC 2002

> 
> Mark.Andrews at isc.org wrote:
> 
> > > Mark_Andrews at isc.org wrote:
> > >
> > > >         If you want this write it up as a draft and submit it to
> > > >         the IETF.  The working group thought about this when we did
> > > >         NOTIFY but left it as a exercise for the future.  At the
> > > >         time we were worried about security and theft of service
> > > >         in addition to the meta data problem.  We also wanted the
> > > >         basic zone content updates to get through to RFC status and
> > > >         not to get bogged down in debate over what metadata needs
> > > >         to be tranmitted let alone how to do it.
> > > >
> > > >         TSIG can provide the security and through that protection from
> > > >         theft of service.  The rest is still a mess.
> > >
> > > OK, Mark, try taking off your protocol-designer hat for a moment and put
> > > on your BIND-implementor hat. Given that TSIG-signed NOTIFYs are now a
> > > reality with BIND, without any protocol changes, RFCs or IETF/IESG action
> > > required, and therefore security is no longer the issue it once was,
> > > would it not be a reasonable feature request to have a BIND instance
> > > automatically slave zones upon receipt of a TSIG-signature-verified
> > > NOTIFY, if configured to do so by the administrator of said BIND instance
> > > and using metadata provided, perhaps in template form, by said
> > > administrator? It's a "halfway measure" only in the sense that we don't
> > > have a whole protocol by which a master can communicate metadata to the
> > > slave -- as you said, that's "still a mess" -- but just because we can't
> > > do *everything* does that mean we should do *nothing* to automate
> > > slave-creation? Is this an all or nothing proposition? I don't think so.
> > > I know there a lot of DNS admins out there -- I'm one of them, since this
> > > is one of the few things I haven't automated yet -- who want to eliminate
> > > the drudge work of constantly editing named.conf files, and would eagerly
> > > embrace a less-than-comprehensive solution to the problem.
> > >
> > >
> > - Kevin
> >
> >         I would review a patch for BIND 9 if you cared to implement it.
> 
> Okay, but that sidesteps the question of whether it's a reasonable feature
> request or not. I'm not going to commit coding time for something that's
> guaranteed to be rejected because of protocol snobbery or some other reason
> besides the quality of the patch.
> 
> -Kevin

	I don't ask people to code things for review unless I am willing
	to include the reviewed code.  I've got better things to do with
	my time than review random bits of code.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org