how two dns bind master sync?

Barry S. Finkel bsfinkel at att.net
Thu Aug 23 19:20:35 UTC 2018 

On 8/23/2018 9:21 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:

>> This may be an unpopular opinion, especially on the BIND-Users mailing
>> list (sometimes BIND is not the best answer).
>>
>> It sounds like you might want something like multi-master DNS servers
>> that Active Directory (with AD integrated zones) provides.
> Here's the Microsoft AD DNS explanation:
> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones
> 
> This may be the time to start some dialogue around the way Bind processes
> updates. While AD integrated DNS does process updates for multiple masters,
> it does it outside the Bind-centric communications path. (I believe it uses
> AD to forward updates from one master to the others). Bind needs some sort
> of multi-master framework but there are a few issues if things stay the way
> they are. There are obvious issues with serial number accounting and slave
> notification. There are also issues with update processing (and
> forwarding). Right now the only server that can accept updates is the
> master. Forwarded updates are stamped as coming from the forwarding node.
> That makes tracking updates almost impossible. (And that seems to be the
> case for both signed and un-signed updates) I may be not seeing something
> but from my point of view, that, above all else, must change if a
> meaningful multi-master framework is to emerge.
> 
> Regards,
> 
> Bob


As I wrote many years ago when I had MS AD DNS Servers as slaves to my
BIND servers - See KB28286.  With multi-master servers, it is not clear
what an updated zone serial number should be.  Take this example:

A zone ad.example.com is mastered on two AD DNS Servers.  Each one has
the same contents and serial number, say 100.  Then, at the same time
one update comes in to each server.  Each server performs the update
and updates the serial number to 101.  But each server now has a
different version of the 101-serial zone.  Somehow, under the covers,
AD synchronizes the zones so that they have the same content.  What
should the serial number be for this combined zone?  It can't be 102,
because during the synchronization process another update may have come
into one of those servers, causing the serial number there to have been
increased to 102.  I have no idea what the new serial number should be.

That is why I chose ONE of the several MS AD DNS Servers as the "master"
to my BIND slave servers.  And NO MS machine used the MS AD DNS Servers
as its DNS Servers; all were configured to use my BIND servers as their
DNS servers. That way I did not care what the serial number was on the
other AD DNS servers that were not the master for my BIND slaves.

And, as another related issue, there were times when the serial number
of an AD zone decreased during times when that Domain Controller was
being patched.

--Barry Finkel

More information about the bind-users mailing list