Hi Tony,

On Nov 27, 2017, at 08:22, Tony Finch <d...@dotat.at> wrote:

> Joe Abley <jab...@hopcount.ca> wrote:
>>> On Nov 23, 2017, at 12:44, Tony Finch <d...@dotat.at> wrote:
>>>
>>> It's quite difficult to have multiple masters and DNSSEC and coherent
>>> copies of the zone from all masters - i.e. more effort than just spinning
>>> up parallel instances of BIND or Knot in automatic signing mode.
>>
>> Note that I wasn't talking about multiple signers; I was talking about
>> (from the perspective of one particular slave) having multiple masters
>> available to serve precisely the same zone.
>
> A primary master is wrt a zone not a server - a zone's primary master is
> a server that's authoritative for a zone and which does not get the zone
> contents via axfr/ixfr, but instead from a master file and/or UPDATE (or
> a non-standard mechanism such as directly from a database).

That's an alluringly clear definition, but I'm not sure it matches common understanding of the term, which I think has more to do with "single source of truth" than with the specifics of what transport is used to provision zone data in a server.

For example,

    W <------- A -------> X

Suppose A is a source of truth for a particular zone, and that W and X obtain zone data from A.

Are you saying that if the mechanism represented by the arrows is [AI]XFR then A is a primary master and W and X are not, whereas if that mechanism is something else (perhaps it's rsync, with W, A and X all configured to be masters from local zone files) then W, A and X are all primary masters?

If A is not a nameserver but instead is a database, and the arrows represent database replication, then W and X are primary masters but A is not?


Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop