On 4/8/2010 2:23 PM, Wang Lei wrote:
>> I work for a large multinational, and my CellServDB file is, for lack of a
>> better word, big. Dozens of cells and well over 100 cell (not file)
>> servers. Can you describe a little better how the AFSDB records can be
>> used to build a dynamic CellServDB structure, especially without picking
>> up all of the non-Company afs cell servers from public dns?
>
> I know that clients could get the cell's location from a DNS server. For cell
> www.openafs.org, I could get this cell's location with the dns query
>
> $dig www.openafs.org afsdb
> ;; QUESTION SECTION:
> ;www.openafs.org. IN AFSDB
>
> ;; ANSWER SECTION:
> www.openafs.org. 3596 IN CNAME openafs.org.
> openafs.org. 3600 IN AFSDB 1 andrew.e.kth.se.
> openafs.org. 3600 IN AFSDB 1 grand-opening.mit.edu.
> openafs.org. 3600 IN AFSDB 1 penn.central.org.
>
> This format is described in RFC 1183.
As a reminder, RFC 1183 is being deprecated in favor of DNS SRV records. See
http://datatracker.ietf.org/doc/draft-allbery-afs-srv-records/ which is awaiting
publication by the RFC Editor.

> As OpenAFS documentation:
> If the client attempts to access an AFS cell not listed in CellServDB and afsd
> was started with the -afsdb option, the Cache Manager will attempt an AFSDB
> DNS record lookup and dynamically add the database server locations
> for that cell based on the result of the DNS query.
>
> But the CellServDB must exist, even if it is empty. The cell name is needed,
> and OpenAFS will use DNS to find the servers. I have no idea how to optimize
> it if there are too many cells. I am not very clear about how to add the
> AFSDB record to DNS. Maybe you should add it yourself. I thought you could
> find that in the OpenAFS documentation.

DNS records, whether AFSDB or SRV, are added to an organization's DNS database
by the DNS administrator for the domain. This is not a task that end users are
expected to perform.

To clarify: when using dynroot on Unix or freelance on Windows, any name that
is not found in the locally generated root.afs volume will be searched for
according to the CellServDB lookup rules:

1. On Windows only, search the registry for CellServDB info. If data for the
   cell is located, use the specified server list or DNS as configured.
2. Search CellServDB. If an entry for the cell is found and there is a list of
   servers, stop and use that list.
3. If CellServDB contains an entry for the cell and no servers, use DNS.
4. If CellServDB does not contain an entry for the cell, use DNS.

When DNS is in use, a search will first be performed for SRV records and then
a search for AFSDB records as a fallback. This process is described in
draft-allbery-afs-srv-records-05.

However, this was not Dale's question. What Dale wants to know is how the
OpenAFS client can rely on DNS for cell information without permitting the
clients to discover the locations of servers for cells that are not in an
approved list. At the moment, there is no mechanism for instructing an OpenAFS
client to only permit contact to cells that meet a particular policy.

Jeffrey Altman
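Since the thread asks how these lookup rules actually play out, here is an added illustration in Python (not OpenAFS code and not from any poster): it parses a constructed CellServDB, applies the Unix lookup order from steps 2 to 4 above, and falls back from SRV to AFSDB as the message describes. The SRV owner name _afs3-vlserver._udp.<cell> and the DNS contents are assumptions; as the message says, nothing in this order restricts which cells a client may resolve.

```python
# Model of the CellServDB lookup rules from the message above (Unix path, so
# no registry step). Constructed data only; this is not OpenAFS code.

# Constructed CellServDB in the usual file format: ">cell  #comment" headers
# followed by one "address  #hostname" line per database server.
SAMPLE_CELLSERVDB = """\
>example.com            #Company cell with an explicit server list
10.0.0.10               #afsdb1.example.com
10.0.0.11               #afsdb2.example.com
>openafs.org            #Cell listed with no servers: resolved via DNS
"""

# Constructed DNS data keyed by (owner name, record type).
SAMPLE_DNS = {
    ("_afs3-vlserver._udp.openafs.org", "SRV"): ["vl1.openafs.org", "vl2.openafs.org"],
    ("legacy.example", "AFSDB"): ["db.legacy.example"],
}

def parse_cellservdb(text):
    """Return {cell: [server, ...]}; a cell with no server lines maps to []."""
    cells, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].strip()
            cells[current] = []
        elif current is not None:
            cells[current].append(line)
    return cells

def dns_lookup(cell, dns):
    """SRV first (_afs3-vlserver._udp.<cell>, per the SRV draft), then AFSDB."""
    srv = dns.get(("_afs3-vlserver._udp." + cell, "SRV"))
    if srv:
        return "SRV", list(srv)
    afsdb = dns.get((cell, "AFSDB"))
    if afsdb:
        return "AFSDB", list(afsdb)
    return "NONE", []  # nothing in DNS either: the cell cannot be reached

def locate_cell(cell, cells, dns):
    """Apply rules 2-4 above; returns (rule number, source, servers)."""
    if cells.get(cell):                        # rule 2: listed with servers
        return 2, "CellServDB", list(cells[cell])
    rule = 3 if cell in cells else 4           # 3: listed, no servers; 4: unlisted
    source, servers = dns_lookup(cell, dns)    # both end in DNS, SRV then AFSDB
    return rule, source, servers
```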
