How do hosting companies do realtime changes?

Kevin Darcy kcd at daimlerchrysler.com
Sat Nov 1 02:46:15 UTC 2003


Paige Stafford wrote:

>
>We are using a kind of 'central server' to manage DES3 (i.e.
>openssl/des.h: des_ecb3_encrypt()) type authentication between nodes to
>update two master name servers (BIND 8 moving to BIND 9).  This central
>server receives socket calls from the client for an update request.  The
>server authenticates, and error checks the request.
>
>Because there are two master servers, and because we have an incredible
>number of nodes who want to maintain a standard IP name within our company
>(using other ISPs), and because we want to ensure the maximum amount of
>security without a tremendous amount of maintenance, would TSIG-signed
>dynamic updates be a better solution?
>
Well, it sounds like you already have a more-or-less secure solution 
from the end-user to your error-checking piece. Is there any particular 
reason you'd want to change that? In order to have the client generate 
signed Dynamic Updates in parallel directly to both of your master 
servers would require some custom code (in the form of a standalone 
program or something like a big hairy Java applet) on the client, and 
this might not go over too well.

So, I'll assume you're only considering changing the backend of this 
system -- everything from the error-checker back to the DNS database 
itself. Certainly nsupdate could handle this -- the "server" command in 
the BIND 9 version of nsupdate lets you target any master you want for a 
given Dynamic Update, and the most recent versions of nsupdate even 
implement a "key" command, which allows you to send multiple Dynamic 
Updates with different keys within the same nsupdate invocation. Would 
nsupdate be better than what you're doing today? It's hard to judge 
"better" without really knowing what your current backend process is. 
I'll guess it's rewriting the zone file, transferring it somehow (e.g. 
scp) to the 2 masters, and then triggering them somehow (e.g. "ndc 
reload <zone>" over ssh) to reload the zone. Doing parallel TSIG-signed 
nsupdates after the error-checking piece would probably be more 
convenient than all of that, and wouldn't require you to constantly 
reload whole zones, manually increment serial #'s (if you have slaves in 
addition to your masters), and so forth. With nsupdate, you might also 
be able to transform some of the error-checking you're currently doing 
in your own software into Dynamic Update prerequisites, so that the 
nameservers can offload your error-checker to some extent (if that'd be 
beneficial in your environment; I don't know).

But, you said something earlier about updating named.conf files. 
Unfortunately, there is no way to create a zone through nsupdate, so if 
that is part of your requirements, you'll have to retain some 
transfer-file-and-reload (or -reconfig) code anyway, although the 
upgrade from ndc to rndc might make that a little easier to deal with.

- Kevin

>
>Paige Stafford
>Networking and Computing Tech., ORNL
>
>
>
>On Tue, 28 Oct 2003, Kevin Darcy wrote:
>
> > Dan Vande More wrote:
> >
> > >I've found myself in a situation where we'd like to offer the ability for
> > >clients to update/add dns via a website.
> > >I don't feel comfortable with a web server running on my master server,
> > >so that's not an option, so I was wondering how other people/companies do
> > >it.
> > >I've tested DLZ, but it seems far too slow for a web hosting provider (or a
> > >web hosting provider that prefers to be fast :)). I've also seen that BIND has
> > >some built in APIs for databases, but it doesn't look like something that is
> > >a 'professional' solution just yet.
> > >I'm experimenting with perl scripts writing the confs and zone files, but
> > >what is the best way to tell my master to regenerate the files, and reload
> > >the zone from a remote machine?
> > >
> > >And while perl is writing my named.conf or even a dns file, even if
> > >everything is loaded into memory, will it affect the running named process?
> > >(I.E. It takes a good 2 minutes to generate everything on a full rewrite.
> > >Though if I did go this route, timestamps would affect which zone would be
> > >regenerated.)
> > >
> > >Sure there are tons of ways to do that, but which way do people feel most
> > >comfortable with?
> > >
> > >Is nsupdate an option?
> > >
> > >How would I do reloads? When someone changes a record, or every 2-5 minutes,
> > >etc.
> > >
> > >I've formed several of my own conclusions, but I'm still in the alpha stage,
> > >so any varying methods would be tremendously helpful.
> > >I don't think a canned solution would help at this point, due to the
> > >customizations I'd prefer, and from my searches of archives, most of the
> > >linked ones will not work.
> > >
> > >
> > I don't know how large hosting companies do it, but I've developed a
> > homegrown system here (it's DaimlerChrysler Intellectual Property,
> > unfortunately) that is based entirely on TSIG-signed Dynamic Update.
> >
> >
> >                            - Kevin
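As an added example (not code from this thread or from BIND), here is a small POSIX shell wrapper for the backend Kevin sketches: it emits one TSIG-signed nsupdate batch per master, uses a Dynamic Update prerequisite to stand in for part of the error-checker, and pushes the same change to both masters in parallel. The key file path, zone and master names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Replaces a host's A record on two
# masters via TSIG-signed nsupdate, with a prerequisite as a sanity check.
# KEYFILE, MASTERS and ZONE are placeholders; override them in the environment.
KEYFILE="${KEYFILE:-/etc/bind/keys/Kupdate.+157+00000.private}"
MASTERS="${MASTERS:-master1.example.com master2.example.com}"
ZONE="${ZONE:-example.com}"

# Emit the nsupdate script for one master. "server" targets that master
# directly instead of whatever the SOA MNAME says; "prereq yxdomain" makes
# the server refuse the update unless the name already exists, so a typo in
# the hostname cannot silently create a new record.
gen_batch() {
    master="$1"; name="$2"; addr="$3"; ttl="${4:-300}"
    printf 'server %s\n' "$master"
    printf 'zone %s\n' "$ZONE"
    printf 'prereq yxdomain %s\n' "$name"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$addr"
    printf 'send\n'
}

# Reject anything that is not a dotted quad with octets <= 255 before it
# reaches nsupdate (a cheap stand-in for the central error-checking step).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Send the same change to every master at once. Returns 2 on a bad address,
# 1 if any master rejected the update (e.g. prerequisite failed, bad TSIG).
push_update() {
    name="$1"; addr="$2"
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 2; }
    pids=""
    for m in $MASTERS; do
        gen_batch "$m" "$name" "$addr" | nsupdate -k "$KEYFILE" &
        pids="$pids $!"
    done
    rc=0
    for p in $pids; do wait "$p" || rc=1; done
    return $rc
}

# Usage: ./push.sh www.example.com 192.0.2.10 (does nothing when sourced)
if [ -n "${1:-}" ]; then push_update "$1" "$2"; fi
```

Because each master is updated directly, no zone file is rewritten and the serial is bumped by the server itself; zone creation still needs the named.conf-and-reconfig path Kevin mentions.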
