Any way to query/determine all domains for which a particular server is authoritative?

Kevin Darcy kcd at chrysler.com
Fri Apr 4 22:00:59 UTC 2008


Chris Buxton wrote:
>>> Or: within DNS, you could craft your own way to expose this information
>>> in the master using a scheme of your own making. TXT records, for
>>> example, give you lots of data flexibility, and the zone transfer
>>> mechanism can also be helpful.
>>>
>>> Recently, there was some discussion of efforts to standardize a
>>> particular version of this latter approach.
>>
>> That's an interesting idea. Not entirely sure how safe/secure it is, but
>> then again, any info in the TXT record would be publicly available info
>> anyhow.
>>
>> Will fish around and see if I can find anything in the archives for this.
>
> Look for posts by Kevin Darcy. His system uses PTR records, not TXT
> records, and they're in a special zone that is not generally queryable.
> Actual replication is driven by cron, I believe.
>
Actually, it's just regular master/slave replication, and there are no 
special allow-query controls on the "index" zone. In our case, the 
script on the slaves which processes the "index" zone's contents is only 
run nightly, so REFRESH is set to just a few hours, but it could be 
tuned. Note that by using DNS itself to carry this metadata, one doesn't 
have to write any special firewall rules or set up any special trust 
relationships between the master and slaves (the general recommendation 
to set up TSIG-based server-to-server authentication still applies of 
course).

Perhaps I should mention that although our handling of the 
list-of-zones-to-be-slaved may sound rather simplistic, we have a 
somewhat more elaborate mechanism for describing our slave topology (who 
uses whom as a master, who sends NOTIFYs to whom, etc.), since we have 
several levels of slaves and a few special requirements here and there. 
That's actually where most of the complexity resides in our homegrown 
slave-autoconfiguration script; unfortunately, I'm not at liberty to 
really describe it because of Intellectual Property concerns (gotta love 
bureaucracies).

- Kevin
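To make the "index zone" approach described above concrete, here is an added example (not Kevin's script or anything posted in the thread) of the slave-side processing step: it reads the contents of an index zone as received by normal zone transfer, takes the zone names carried as PTR rdata, validates them so that nothing in the index can inject text into the slave's configuration, and renders type-slave stanzas. The record layout of the index zone, the master address 192.0.2.1 and the TSIG key name are assumptions.

```python
import re

# Constructed sample of an "index" zone as a slave would hold it after a
# regular zone transfer. Using PTR rdata to name each zone to be slaved is
# the scheme mentioned in the thread; the owner-name layout is assumed.
INDEX_ZONE_TEXT = """\
index.example.internal. 3600 IN SOA ns1.example.internal. hostmaster.example.internal. 2008040401 7200 900 604800 3600
index.example.internal. 3600 IN NS ns1.example.internal.
zone1.index.example.internal. 3600 IN PTR corp.example.
zone2.index.example.internal. 3600 IN PTR 10.in-addr.arpa.
zone3.index.example.internal. 3600 IN PTR corp.example.
zone4.index.example.internal. 3600 IN PTR bad;name.example.
"""

# Conservative label check (letters, digits, hyphen; reverse zones pass).
# Anything else is dropped so index data can never reach named.conf raw.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def zone_name_ok(name: str) -> bool:
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def zones_from_index(zone_text: str) -> list[str]:
    """Return validated, de-duplicated zone names carried as PTR rdata."""
    found, seen = [], set()
    for line in zone_text.splitlines():
        fields = line.split()  # owner ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "PTR":
            continue
        target = fields[4].lower().rstrip(".")
        if target in seen or not zone_name_ok(target):
            continue
        seen.add(target)
        found.append(target)
    return found


def named_conf_stanzas(zones: list[str], master_ip: str, keyname: str) -> str:
    """Render one slave stanza per zone; the TSIG key is configured elsewhere."""
    return "\n".join(
        f'zone "{z}" {{ type slave; masters {{ {master_ip} key {keyname}; }}; '
        f'file "slaves/{z}.db"; }};'
        for z in zones
    )


if __name__ == "__main__":
    print(named_conf_stanzas(zones_from_index(INDEX_ZONE_TEXT), "192.0.2.1", "xfer-key"))
```

The duplicate and the malformed PTR target in the sample are both dropped, so only two stanzas are emitted.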



More information about the bind-users mailing list