Two masters for one zone

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 28 00:50:34 UTC 2003 

Jonathan de Boyne Pollard wrote:

> BF> Look at MS KB article 282826 (a revision of Q282826),
> BF> where there is this text:
> BF>
> BF>       Note The multiple-master replication behavior of an Active
> BF>       Directory-integrated Domain Name System (DNS) zone can
> BF>       cause inconsistencies with serial numbers of the zone
> BF>       across multiple DNS servers. It is not possible to
> BF>       retrieve information (pull or source) from multiple Active
> BF>       Directory-integrated primary DNS servers to a secondary
> BF>       DNS server for the same Active Directory-integrated zone.
>
> This isn't (as you imply it to be) a problem.  This is merely a specific case
> of the (quite sensible) warning that one should not mix and match different
> DNS database replication mechanisms across a set of peer content DNS servers
> (unless one is _very_ careful and knows _exactly_ what one is doing).  The
> contents of the "SOA" resource record should be treated as private to each
> particular replication mechanism, and one must not expect different DNS
> database replication mechanisms to use all of the fields in the same way, or
> in a way that is compatible with one another, or even to use them at all.

No, I disagree. Interoperability between standard (i.e. AXFR/IXFR) and
non-standard replication mechanisms (e.g. AD) is a perfectly reasonable thing to
expect, and as long as a given software package implements the serial-number
logic correctly, it should be eminently possible for them to interoperate. The
whole idea of standards is to promote interoperability between different
implementations. "Don't mix and match" is a cop-out that the ignorant and/or
cowardly trot out when interoperability doesn't work as it should, either because

a) the standard is faulty (which it is not in this respect) or b) some or all
implementations of the standard are flawed (which is certainly the case with
respect to Microsoft's handling of serial numbers).

The fault here lies not in the attempt to "mix and match" BIND slaves to an
AD-integrated DNS zone; the fault is with Microsoft's serial-number logic.
Microsoft should fix their code. The "fix" does not consist of unnecessary "don't

mix and match" limitations on the choices of administrators in deciding what
nameserver implementations can be slaves of any given zone.


- Kevin

More information about the bind-users mailing list