Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

Peter Andreev andreev.peter at gmail.com
Thu Nov 1 10:19:50 UTC 2012


2012/11/1 Chris Thompson <cet1 at cam.ac.uk>:
> On Oct 29 2012, Feng He wrote:
>
>> On 2012-10-29 9:58, kavin wrote:
>>>
>>> Now, I want to transfer the zone data from the master DNS server to the slave
>>> DNS server; the master DNS uses bind-dlz+mysql and the slave DNS server
>>> uses bind+file.
>>
>>
>> AFAIK, BIND DLZ doesn't send a notify message to slave, so both your
>> master and slave should be able to use the DLZ backend and run a mysql
>> replication for data sync.
>
>
> That exchange prompts me to ask whether anyone has managed to use
> BIND-DLZ in something like the following scenario.
>
> We have a hidden master for vanity zones (we call them something else
> for the punters) that runs in a small footprint virtual machine
> together with the web server providing the updating interface. The
> latter stores the data in a MySQL database.
>
> At the moment there is a crontab that extracts data from that database
> and updates zone files (if they need changing - there are some neat-o
> optimisations) and does an "rndc reload" on the hidden master daemon.
> That NOTIFYs the public nameservers for the zones, which are in fact
> our regular authoritative-only ones.
>
> It seems that one ought to be able to use BIND-DLZ to cut out a step
> there, but none of the how-to's for it seem to address this sort of
> scenario, and the NOTIFY issue is particularly relevant. Fast responses
> from the hidden master to queries are certainly *not* a requirement here,
> and indeed we expect to be able to operate with it (and its MySQL database)
> down for significant periods.
>
> On the other hand, there is also a possibility that we might want to sign
> the vanity zones (we use JANET, Nominet and Gandi for their registrations,
> who all support signed delegations now), and how that would interact with
> BIND-DLZ might also be an issue. Can one use BIND 9.9 "inline signing"
> with the unsigned version provided by a DLZ interface?

In our case (big zones, distant servers) we have found DLZ very
inefficient because of the huge overhead due to AXFRs. Another problem is
the absence of NOTIFYs.

As for me, the way your system is working now is much simpler, more
predictable and more reliable than DLZ.

>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk

-- 
AP
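The cron step Chris describes above (extract the records from the database, rewrite the zone file only when its content actually changed, then reload so the hidden master NOTIFYs the public nameservers), written out as an added Python example. This is not code from the thread or from BIND; the zone name, the zone file path, the constructed record set and the `named-checkzone`/`rndc reload` invocations in `publish()` are assumptions for illustration, and the real setup would read the records from MySQL instead of the in-memory list.

```python
"""Hidden-master zone regeneration: render, compare ignoring the serial,
bump the serial only on real change, then validate and reload.
Added example; zone name, paths and commands are assumptions."""
import datetime
import subprocess
from pathlib import Path

ZONE = "vanity.example"                       # assumed zone name
ZONE_FILE = Path(f"/var/named/{ZONE}.db")     # assumed path on the hidden master


def render_zone(zone, serial, records, ns="ns1.example.", mbox="hostmaster.example."):
    """Render a minimal zone file: $ORIGIN, $TTL, SOA, then the records.
    `records` is a list of (owner, ttl, type, rdata) tuples; it is sorted so
    that the same record set always renders to the same text."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 3600",
        f"@ IN SOA {ns} {mbox} {serial} 3600 900 1209600 300",
    ]
    for owner, ttl, rtype, rdata in sorted(records):
        lines.append(f"{owner} {ttl} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


def parse_serial(zone_text):
    """Return the SOA serial of a zone rendered by render_zone(), or None."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) > 5 and fields[2] == "SOA":
            return int(fields[5])
    return None


def strip_serial(zone_text):
    """Zone text with the SOA serial replaced by a placeholder, so two renders
    can be compared for changes in the records rather than in the serial."""
    out = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) > 5 and fields[2] == "SOA":
            fields[5] = "SERIAL"
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out)


def next_serial(old_serial, today):
    """Next YYYYMMDDnn serial, strictly greater than old_serial.
    `today` is a YYYYMMDD string. If the old serial is already at or beyond
    today's base (more than 99 edits in a day, or clock skew), just increment;
    that still orders correctly for the secondaries."""
    base = int(today) * 100
    if old_serial is None or old_serial < base:
        return base
    return old_serial + 1


def update_zone(records, old_text, today):
    """Decide what the cron job should do. Returns (changed, zone_text).
    The serial is only bumped when the record set differs from what is
    already on disk, so an unchanged zone never triggers reload or NOTIFY."""
    old_serial = parse_serial(old_text) if old_text else None
    candidate = render_zone(ZONE, old_serial or 0, records)
    if old_text is not None and strip_serial(candidate) == strip_serial(old_text):
        return False, old_text
    return True, render_zone(ZONE, next_serial(old_serial, today), records)


def publish(records, zone_file=ZONE_FILE, dry_run=True):
    """Write the zone file and reload it if anything changed. With dry_run the
    file system and BIND are left untouched (the default, so this runs offline).
    named-checkzone runs before rndc reload so a malformed zone is never loaded."""
    old_text = zone_file.read_text() if zone_file.exists() else None
    today = datetime.date.today().strftime("%Y%m%d")
    changed, new_text = update_zone(records, old_text, today)
    if not changed or dry_run:
        return changed
    zone_file.write_text(new_text)
    subprocess.run(["named-checkzone", ZONE, str(zone_file)], check=True)
    subprocess.run(["rndc", "reload", ZONE], check=True)   # assumed: triggers NOTIFY
    return True


if __name__ == "__main__":
    # Constructed sample records standing in for the MySQL query result.
    sample = [("www", 3600, "A", "192.0.2.10"), ("@", 3600, "MX", "10 mail.example.")]
    print("would reload:", publish(sample))
```

The comparison ignores the serial so that a cron run with no edits leaves the file, the serial and the secondaries alone. On the hidden master itself, BIND's `allow-transfer` should list only the public nameservers (ideally with a TSIG key) and the web front end should not be reachable from the same address space that answers public queries; that separation is the point of keeping the master hidden.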