Master to Slave Schedule to Avoid Poison Propagation
Kevin Darcy
kcd at daimlerchrysler.com
Sat Aug 13 01:07:28 UTC 2005
Danimal wrote:
>Group:
>
>I am reconfiguring our DNS setup. The current installation is a pretty
>standard setup with a master and a slave. A member of my team inquired
>whether or not we could keep the primary and secondary slightly out of
>sync to eliminate propagating bad data.
>
>So for example if the master somehow became compromised we could remove
>it from the network before it infected the DNS records of the slave.
>
>So two questions:
>
>1) Is this a common goal?
>2) What setup would achieve this goal?
>
>If a setup like this is advisable it would seem there are two options:
>multiple masters or master/slave with delayed zone transfers. I have
>some ideas about what might work but I won't confuse this topic by
>interjecting incorrect information.
>
No, I don't believe it's a common goal at all. Keep the untrusted data
out of the master in the first place. Remember, the master can be kept
as far away from untrusted networks as you want it to be, that's why
they're often referred to as "hidden" masters...
- Kevin
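
A hidden-master layout of the kind the reply above refers to, as an added example that is not part of the original thread. The zone name, addresses (documentation ranges), key name, secret and file paths are all placeholder assumptions.

```conf
// ---- named.conf on the hidden master (internal network) ----
// The master does not appear in the zone's NS records; only the
// public slaves do, so resolvers never query this host.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";   // placeholder, generate your own
};

acl "public-slaves" { 198.51.100.10; 198.51.100.11; };

options {
    recursion no;
    allow-query    { localhost; "public-slaves"; };  // slaves need SOA checks
    allow-transfer { key "xfer-key"; };              // TSIG-signed AXFR/IXFR only
    notify explicit;                                  // ignore NS-derived targets
    also-notify    { 198.51.100.10; 198.51.100.11; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";   // NS records here list only the slaves
    allow-update { none; };           // zone changes come from the file only
};

// ---- named.conf on each public slave ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";   // same placeholder secret
};

server 192.0.2.5 { keys { "xfer-key"; }; };   // sign requests to the master

zone "example.com" {
    type slave;
    masters        { 192.0.2.5; };
    file "slaves/example.com.zone";
    allow-notify   { 192.0.2.5; };    // accept NOTIFY from the master only
    allow-transfer { none; };         // slaves do not serve zone transfers
};
```

A firewall rule limiting port 53 on the master to the slave addresses complements the `allow-query` and `allow-transfer` restrictions.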