On Sat, Jan 27, 2001 at 08:01:25AM -0500, "Daniel C. Slagle" <[EMAIL PROTECTED]> wrote:

[ Please reply to the list, not just me. ]

> [...]
> Although I do think e-smith should be a full DNS, I did not convey my
> intent.
> When I say second DNS I meant, during the configuration you ask for the
> primary DNS server to get information from.  You never ask for a second.
> [...]

Yes, please read the DNS threads carefully. The only time a second DNS server
will buy you anything at all is when you have an internal root, and there
is extra custom configuration to do in that case.

Here are the cases and the start of a FAQ item:

server-gateway
--------------
    e-smith talks to the root servers correctly - no configuration required.
    Adding DNS forwarders provides minor performance improvement in some
    cases (only on the first query - it is cached thereafter), but reduces
    redundancy and robustness as you are now dependent on your ISP's
    nameservers and must change the details when they change.

    Incorrect setting of the DNS forwarders in server-gateway mode has been
    a common cause of support problems. For example, ISPs change their
    DNS servers during mergers and acquisitions. We could configure the DNS
    forwarders from the information received from the ISP at login time (e.g.
    parsing PPP or DHCP options returned) but we do not as the return is not 
    justified - running without forwarders works fine. We explicitly _don't_
    want to use the information directly from the PPP/DHCP response - we
    must search the e-smith s&g's cache first.
    
    The other problem is when people configure their server to use the
    primary and secondary authoritative DNS servers for their ISP, and these
    servers are _NOT_ suitable as forwarders. Many large ISPs now run
    tightly controlled primary/secondary DNS servers which _only_ answer
    queries for domains they control - they will not forward. If you configure
    these as your forwarders, you get DNS black holes. 

    In summary, no configuration is required in server-gateway mode, and
    configuring forwarders can be harmful.

server-only
-----------
   If your firewall allows transparent DNS queries, no configuration is 
   required. The e-smith nameserver can just talk to the root nameservers in
   the same way as in server-gateway mode.

   If your firewall provides external DNS services and does not support
   transparent DNS queries (quite common) - point the master DNS server to
   your firewall.

   If you are in the _rare_ situation of having two firewalls, you will have
   to set the second DNS server manually with
   /sbin/e-smith/configuration set DNSSecondaryIP aaa.bbb.ccc.ddd

server-only - no Internet access
--------------------------------
   If you have an existing internal DNS infrastructure, you will need to
   do custom configuration to properly configure the DNS internal root. Just
   setting primary/secondary DNS is not sufficient - you also need to set up
   the fake DNS root servers, and this is currently unsupported. Just setting
   the primary/secondary DNS servers will result in DNS problems every few
   weeks as the root servers time out.

   We do not currently support merging of an e-smith server into an existing
   internal DNS infrastructure, and so you will require customisations to
   make this work properly.

Gordon
--
  Gordon Rowell                         [EMAIL PROTECTED]
  http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
  Phone: +1 (613) 564 8000 ext. 4378    Fax: +1 (613) 564 7739
  e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
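The server-gateway section above warns that an ISP's authoritative-only nameservers make bad forwarders: they answer only for zones they control and otherwise refuse or stay silent, producing DNS black holes. The following probe, added here as an example and not part of the original message or of e-smith, sends a single recursion-desired query to a candidate forwarder and reports whether the reply actually offers recursion (RA flag set, RCODE NOERROR), was refused, or timed out. The query name, transaction id and the embedded sample replies are constructed assumptions.

```python
import socket
import struct

# DNS header (RFC 1035 s4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# FLAGS bit layout: QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4).
HEADER = struct.Struct("!HHHHHH")
RCODE_REFUSED = 5
TXID = 0x1234  # fixed id is fine for a one-off local check (assumption)

def build_query(name, txid=TXID):
    """Recursive (RD=1) A/IN query for `name`: what a forwarder must accept."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)      # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN

def classify_response(resp, txid=TXID):
    """Classify a raw reply; only 'ok' means the server is usable as a forwarder."""
    if len(resp) < HEADER.size:
        return "short"
    rid, flags, _qd, _an, _ns, _ar = HEADER.unpack_from(resp)
    if rid != txid:
        return "bad-id"
    rcode = flags & 0x000F
    ra = (flags >> 7) & 1
    if rcode == RCODE_REFUSED:
        return "refused"        # authoritative-only server: will not forward
    if not ra:
        return "no-recursion"   # RA clear: at best a referral, never a full answer
    if rcode != 0:
        return "rcode-%d" % rcode
    return "ok"

def probe_forwarder(ip, name="www.example.com", timeout=3.0):
    """Send one UDP query to the candidate forwarder on port 53 and classify the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (ip, 53))
        resp, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"        # silent drop: the black hole the text describes
    finally:
        sock.close()
    return classify_response(resp)

# Constructed sample replies (not captured from any real server) for offline checks.
SAMPLE_OK = HEADER.pack(TXID, 0x8180, 1, 1, 0, 0)         # RA=1, NOERROR, one answer
SAMPLE_REFUSED = HEADER.pack(TXID, 0x8105, 1, 0, 0, 0)    # RA=0, RCODE=REFUSED
SAMPLE_REFERRAL = HEADER.pack(TXID, 0x8100, 1, 0, 13, 0)  # RA=0, NOERROR, NS records only

if __name__ == "__main__":
    import sys
    print(probe_forwarder(sys.argv[1]) if len(sys.argv) > 1 else classify_response(SAMPLE_OK))
```

Run it against each nameserver you are about to enter as a forwarder; anything other than `ok` for a name outside the ISP's own zones means that server belongs in the black-hole category the message describes.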
