Two masters for one zone

Jonathan de Boyne Pollard J.deBoynePollard at tesco.net
Wed Aug 27 12:22:14 UTC 2003


BF> Look at MS KB article 282826 (a revision of Q282826), 
BF> where there is this text:
BF> 
BF>       Note The multiple-master replication behavior of an Active
BF>       Directory-integrated Domain Name System (DNS) zone can
BF>       cause inconsistencies with serial numbers of the zone
BF>       across multiple DNS servers. It is not possible to
BF>       retrieve information (pull or source) from multiple Active
BF>       Directory-integrated primary DNS servers to a secondary
BF>       DNS server for the same Active Directory-integrated zone.

This isn't (as you imply it to be) a problem.  This is merely a specific case
of the (quite sensible) warning that one should not mix and match different
DNS database replication mechanisms across a set of peer content DNS servers
(unless one is _very_ careful and knows _exactly_ what one is doing).  The
contents of the "SOA" resource record should be treated as private to each
particular replication mechanism, and one must not expect different DNS
database replication mechanisms to use all of the fields in the same way, or
in a way that is compatible with one another, or even to use them at all. 
This warning isn't even Microsoft-specific, as it applies to _all_ content DNS
server software.

If one is using Active Directory database replication, one must use it between
_all_ of the content DNS servers involved (unless one is very careful and
knows exactly what one is doing).  The serial number in the "SOA" resource
record is updated by Active Directory database replication, but that's just a
sop for the benefit of things (mostly human beings running diagnostic tools,
ironically) that expect serial numbers to change.  Active Directory database
replication doesn't use the serial number field of "SOA" resource records any
more than it uses the "primary master name", "refresh", or "retry" fields. 
(The serial number could be a fixed constant, and Active Directory database
replication would still work.)  Active Directory makes it appear as if there
is a single, sequenced counter.  But in fact that simply doesn't match the
"multi-master" paradigm at all.  There is no perfect mapping from the
"multi-master" paradigm to a single, sequenced counter, and the serial number
is at best a simulacrum.  Therefore constructing anything based upon the
notion of there _being_ a single, sequenced counter, such as anything but a
trivial single-master "zone transfer" database replication setup, will fail. 
But this is not a problem, because doing so is expecting two different DNS
database replication mechanisms to use the fields of "SOA" resource records in
ways that are compatible with each other, and violating the rule that one must
_not_ expect this.
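An added illustration of the point made above, not part of the original post: a small model in which a classic zone-transfer secondary compares SOA serials with RFC 1982 serial arithmetic, while the "multi-master" peers it pulls from each keep a private, per-peer serial counter. The multi-master behaviour here (every peer bumps its own serial whenever it applies a change, and serials are never compared between peers) is a deliberate simplification chosen to show the mismatch, and is not a model of Microsoft's actual Active Directory replication algorithm. Names such as `dc1`, `dc2` and the record values are constructed for the example.

```python
# Added example (not from the original bind-users post): why a zone-transfer
# secondary cannot safely be fed from several multi-master peers.  The
# multi-master model is a simplification chosen to expose the problem; it is
# NOT how Active Directory replication actually works.

SERIAL_MODULUS = 2 ** 32


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is serial a 'newer' than serial b?

    Both are 32-bit unsigned values; a is newer when it lies less than 2^31
    ahead of b on the circle.  Equal serials are never 'newer'.
    """
    if a == b:
        return False
    diff = (a - b) % SERIAL_MODULUS
    return 0 < diff < 2 ** 31


class MultiMasterPeer:
    """A replication peer that takes local updates and merges from its peers.

    Assumption (simplified model): the serial is a per-peer counter bumped
    whenever this peer applies a change, locally or via replication, and is
    never compared between peers.  The records dict is the real content; the
    serial is, as the post puts it, just a sop for tools that expect one.
    """

    def __init__(self, name: str, records: dict, serial: int):
        self.name = name
        self.records = dict(records)
        self.serial = serial % SERIAL_MODULUS

    def local_update(self, owner: str, value: str) -> None:
        self.records[owner] = value
        self.serial = (self.serial + 1) % SERIAL_MODULUS

    def replicate_from(self, other: "MultiMasterPeer") -> None:
        # Merge content from the peer; the peer's serial plays no part.
        if self.records != other.records:
            self.records.update(other.records)
            self.serial = (self.serial + 1) % SERIAL_MODULUS


class ZoneTransferSecondary:
    """A classic secondary: it pulls the zone only when the master's SOA serial
    is newer (RFC 1982) than the serial of the copy it already holds."""

    def __init__(self):
        self.serial = None
        self.records = {}

    def refresh(self, master: MultiMasterPeer) -> bool:
        if self.serial is None or serial_gt(master.serial, self.serial):
            self.records = dict(master.records)
            self.serial = master.serial
            return True
        return False


def _fresh_peers():
    # Constructed starting state: both peers hold the same zone at serial 100.
    dc1 = MultiMasterPeer("dc1", {"www": "10.0.0.1"}, 100)
    dc2 = MultiMasterPeer("dc2", {"www": "10.0.0.1"}, 100)
    return dc1, dc2


def run_mixed_scenario() -> dict:
    """Secondary fed alternately from two multi-master peers: it goes stale."""
    dc1, dc2 = _fresh_peers()
    secondary = ZoneTransferSecondary()

    dc2.local_update("mail", "10.0.0.2")   # dc2 serial 101
    dc2.local_update("ftp", "10.0.0.3")    # dc2 serial 102
    secondary.refresh(dc2)                 # secondary now holds serial 102

    dc1.replicate_from(dc2)                # dc1 merges, its own serial -> 101
    dc1.local_update("www", "10.0.0.9")    # dc1 serial 102, content differs

    pulled = secondary.refresh(dc1)        # 102 is not newer than 102: no AXFR
    return {"pulled": pulled, "serial": secondary.serial,
            "records": dict(secondary.records), "dc1_www": dc1.records["www"]}


def run_single_master_scenario() -> dict:
    """Same updates, but the secondary only ever talks to dc1: it stays current."""
    dc1, dc2 = _fresh_peers()
    secondary = ZoneTransferSecondary()

    dc2.local_update("mail", "10.0.0.2")
    dc2.local_update("ftp", "10.0.0.3")
    secondary.refresh(dc1)                 # serial 100

    dc1.replicate_from(dc2)                # dc1 serial 101
    secondary.refresh(dc1)                 # 101 > 100: pulled
    dc1.local_update("www", "10.0.0.9")    # dc1 serial 102

    pulled = secondary.refresh(dc1)        # 102 > 101: pulled, copy is current
    return {"pulled": pulled, "serial": secondary.serial,
            "records": dict(secondary.records), "dc1_www": dc1.records["www"]}


if __name__ == "__main__":
    print("mixed masters:  ", run_mixed_scenario())
    print("single master:  ", run_single_master_scenario())
```

In the mixed scenario the secondary sees serial 102 on both peers and concludes it is up to date while `www` has actually changed; with one master the per-master counter is monotonic from the secondary's point of view and every change is picked up. Nothing in the secondary's logic is wrong: it is simply reading a field whose meaning belongs to a different replication mechanism.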
