Re: NTP through DNS?

2018-09-19 Thread Kevin Darcy
I'll just toss in the factoid that NTP can be run on multicast or anycast,
which may negate some of the motivation for using a DNS name to access the
service.


   - Kevin

On Wed, Sep 19, 2018 at 11:38 AM Andrew Latham  wrote:

> On Wed, Sep 19, 2018 at 10:19 AM Ray Bellis  wrote:
>
>> On 19/09/2018 15:59, Mauricio Tavares wrote:
>>
>> >> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> >> one off my mind).
>> >>
>> >   Not necessarily; I can name a few universities and businesses who
>> > offer their own NTP servers to their internal systems. AFAIK, this is
>> > considered good practice.
>>
>> That's not the point that Mukund was making.
>>
>> An NTP server is part of your local network configuration.   Your domain
>> name is also part of your local network configuration.  As such, these
>> two values are often served by DHCP.
>>
>> That does not mean, though, that there is a one-to-one mapping from your
>> domain name to your preferred set of NTP servers.
>>
>> One could have numerous subnets located all over the planet with
>> different NTP servers, but all sharing the same domain name.
>>
>> If it were feasible to store an NTP server address in the DNS it would
>> more logically fit in the in-addr.arpa zone, and not in a forward zone.
>>
>
> Many organizations have per site "views" of the zone so it actually works
> out well. There are many ways of building functional infrastructure. I
> agree there are many applications where this setup would not be useful,
> just addressing OP.
>
>
>>
>> Ray
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
>
> --
> - Andrew "lathama" Latham -
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
On Wed, Sep 19, 2018 at 10:19 AM Ray Bellis  wrote:

> On 19/09/2018 15:59, Mauricio Tavares wrote:
>
> >> An NTP service doesn't belong to a domain, so maybe not (I don't know of
> >> one off my mind).
> >>
> >   Not necessarily; I can name a few universities and businesses who
> > offer their own NTP servers to their internal systems. AFAIK, this is
> > considered good practice.
>
> That's not the point that Mukund was making.
>
> An NTP server is part of your local network configuration.   Your domain
> name is also part of your local network configuration.  As such, these
> two values are often served by DHCP.
>
> That does not mean, though, that there is a one-to-one mapping from your
> domain name to your preferred set of NTP servers.
>
> One could have numerous subnets located all over the planet with
> different NTP servers, but all sharing the same domain name.
>
> If it were feasible to store an NTP server address in the DNS it would
> more logically fit in the in-addr.arpa zone, and not in a forward zone.
>

Many organizations have per site "views" of the zone so it actually works
out well. There are many ways of building functional infrastructure. I
agree there are many applications where this setup would not be useful,
just addressing OP.


>
> Ray


-- 
- Andrew "lathama" Latham -
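As an added illustration, not configuration from this thread or from ISC: the per-site views Andrew describes, combined with the `_ntp._udp` SRV records he mentioned earlier, so that two subnets sharing the zone example.com (Ray's objection) each learn their own NTP servers, with the other site's server as a lower-priority fallback. The ACL ranges, host names and file paths are assumptions.

```conf
// --- named.conf fragment: one view per site (example, not from the thread) ---
// Assumed ranges and names: 10.1.0.0/16 is site A, 10.2.0.0/16 is site B.
acl "site-a" { 10.1.0.0/16; };
acl "site-b" { 10.2.0.0/16; };

view "site-a" {
    match-clients { site-a; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.site-a";
    };
};

view "site-b" {
    match-clients { site-b; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.site-b";
    };
};

// A query from a client that matches no view is refused, so keep a
// catch-all view (match-clients { any; }) last if other networks exist.

; --- /etc/bind/zones/example.com.site-a, SRV portion only ---
; (the full zone still needs its SOA, NS and address records)
; priority 10 = this site's servers, equal weight; priority 20 = fallback
; _service._proto          TTL  class SRV priority weight port target
_ntp._udp.example.com.    3600  IN   SRV   10     50    123  ntp1.site-a.example.com.
_ntp._udp.example.com.    3600  IN   SRV   10     50    123  ntp2.site-a.example.com.
_ntp._udp.example.com.    3600  IN   SRV   20      0    123  ntp1.site-b.example.com.

; --- /etc/bind/zones/example.com.site-b, SRV portion only ---
_ntp._udp.example.com.    3600  IN   SRV   10     50    123  ntp1.site-b.example.com.
_ntp._udp.example.com.    3600  IN   SRV   10     50    123  ntp2.site-b.example.com.
_ntp._udp.example.com.    3600  IN   SRV   20      0    123  ntp1.site-a.example.com.
```

The dig check Mauricio was after is then `dig _ntp._udp.example.com SRV` run from a host in each subnet; each view should return its own targets. Clients that do not look up SRV records still need the DHCP `ntp-servers` option Mukund showed.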


Re: NTP through DNS?

2018-09-19 Thread Ray Bellis
On 19/09/2018 15:59, Mauricio Tavares wrote:

>> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> one off my mind).
>>
>   Not necessarily; I can name a few universities and businesses who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.

That's not the point that Mukund was making.

An NTP server is part of your local network configuration.   Your domain
name is also part of your local network configuration.  As such, these
two values are often served by DHCP.

That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.

One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.

If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.

Ray


Re: NTP through DNS?

2018-09-19 Thread Mauricio Tavares
On Wed, Sep 19, 2018 at 11:12 AM, Andrew Latham  wrote:
> Additionally you may route all outbound requests for NTP to a local source
> found from a DNS lookup.
>
> Benefits could be:
> * Control of time sources (correct a hardcoded address that is no longer
> valid)
> * Mitigate attack vectors
> * Mitigate bufferbloat

Wait! There is more!

   * Provide NTP for hosts which cannot reach the outside world
   * Keep Kerberos happy as the NTP server is not far.
>
> DNS is an important piece to this puzzle and SRV records can be useful when
> devices support them. It does not hurt to add the SRV records for common
> services.
>
> On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares 
> wrote:
>>
>> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
>> > You can add SRV records for NTP to your domain if that is what you are
>> > asking.
>> >
>>   Thanks. I was trying to query for it using dig and then realized
>> I did not know if that is doable.
>>
>> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman 
>> wrote:
>> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
>> >> Stupid question: can I publish/query the NTP server through DNS the
>> >> same way I can ask who is doing LDAP?
>> >
>> > An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> > one off my mind).
>> >
>>   Not necessarily; I can name a few universities and businesses who
>> offer their own NTP servers to their internal systems. AFAIK, this is
>> considered good practice.
>>
>> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
>> > and 10.98.0.5 as the NTP server:
>> >
>> > subnet 10.98.0.0 netmask 255.255.0.0 {
>> >...
>> >option ntp-servers 10.98.0.5;
>> > }
>> >
>> > and perhaps also use "tcode" and "time-offset" options to set the
>> > timezone.
>> >
>> > But a real bummer is that some DHCP clients (e.g., Android phones) do
>> > not make use of this option, and don't even provide a config setting to
>> > do so. IIRC they synchronize time via the cell phone signal.
>> >
>>   Add Windows devices to the list.
>>
>> > Mukund
>
>
>
> --
> - Andrew "lathama" Latham -
>


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
Additionally you may route all outbound requests for NTP to a local source
found from a DNS lookup.

Benefits could be:
* Control of time sources (correct a hardcoded address that is no longer
valid)
* Mitigate attack vectors
* Mitigate bufferbloat

DNS is an important piece to this puzzle and SRV records can be useful when
devices support them. It does not hurt to add the SRV records for common
services.

On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares 
wrote:

> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
> > You can add SRV records for NTP to your domain if that is what you are
> > asking.
> >
>   Thanks. I was trying to query for it using dig and then realized
> I did not know if that is doable.
>
> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman 
> wrote:
> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
> >> Stupid question: can I publish/query the NTP server through DNS the
> >> same way I can ask who is doing LDAP?
> >
> > An NTP service doesn't belong to a domain, so maybe not (I don't know of
> > one off my mind).
> >
>   Not necessarily; I can name a few universities and businesses who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.
>
> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
> > and 10.98.0.5 as the NTP server:
> >
> > subnet 10.98.0.0 netmask 255.255.0.0 {
> >...
> >option ntp-servers 10.98.0.5;
> > }
> >
> > and perhaps also use "tcode" and "time-offset" options to set the
> > timezone.
> >
> > But a real bummer is that some DHCP clients (e.g., Android phones) do
> > not make use of this option, and don't even provide a config setting to
> > do so. IIRC they synchronize time via the cell phone signal.
> >
>   Add Windows devices to the list.
>
> > Mukund


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Mauricio Tavares
On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
> You can add SRV records for NTP to your domain if that is what you are
> asking.
>
  Thanks. I was trying to query for it using dig and then realized
I did not know if that is doable.

On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman  wrote:
> On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
>> Stupid question: can I publish/query the NTP server through DNS the
>> same way I can ask who is doing LDAP?
>
> An NTP service doesn't belong to a domain, so maybe not (I don't know of
> one off my mind).
>
  Not necessarily; I can name a few universities and businesses who
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.

> For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
> and 10.98.0.5 as the NTP server:
>
> subnet 10.98.0.0 netmask 255.255.0.0 {
>...
>option ntp-servers 10.98.0.5;
> }
>
> and perhaps also use "tcode" and "time-offset" options to set the
> timezone.
>
> But a real bummer is that some DHCP clients (e.g., Android phones) do
> not make use of this option, and don't even provide a config setting to
> do so. IIRC they synchronize time via the cell phone signal.
>
  Add Windows devices to the list.

> Mukund


Re: NTP through DNS?

2018-09-19 Thread Mukund Sivaraman
On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?

An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).

For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
and 10.98.0.5 as the NTP server:

subnet 10.98.0.0 netmask 255.255.0.0 {
   ...
   option ntp-servers 10.98.0.5;
}

and perhaps also use "tcode" and "time-offset" options to set the
timezone.

But a real bummer is that some DHCP clients (e.g., Android phones) do
not make use of this option, and don't even provide a config setting to
do so. IIRC they synchronize time via the cell phone signal.

Mukund


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.

On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares 
wrote:

> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?


-- 
- Andrew "lathama" Latham -


NTP through DNS?

2018-09-19 Thread Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?


Re: load balancing

2018-09-19 Thread Matus UHLAR - fantomas

On 18.09.18 14:39, SIMON BABY wrote:
> I am looking at DNS RR distribution (DNS Round Robin Load distribution).
>
> Round robin DNS is often used to load balance requests between a number of
> Web servers. For example, a company has one domain name and three identical
> copies of the same web site residing on three servers with three different
> IP addresses. When one user accesses the home page it will be sent to the
> first IP address. The second user who accesses the home page will be sent
> to the next IP address, and the third user will be sent to the third IP
> address. In each case, once the IP address is given out, it goes to the end
> of the list. The fourth user, therefore, will be sent to the first IP
> address, and so forth.


This is a standard and supported DNS feature.

However, it's not designed to do failover switching.

Each browser may (and apparently will - correct me if I'm wrong) access a
random one of those IP addresses for each request, and since web pages are
usually assembled from tens of objects, each one may be fetched from a
different IP.

A long time ago (>15 years) we tried using this for failover with bad
results (half of the web page not read).

If you want failover, I recommend an L3 switch like linux ipvs or similar.


> On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY wrote:
>
>> Is load balancing supported with the latest DNSSEC? I have a DNSSEC
>> application with the unbound library. Do I have to add any extra
>> configuration to support load balancing?
>>
>> On Tue, Sep 18, 2018 at 1:22 PM Warren Kumari wrote:
>>
>>> Your question is sufficiently light on detail that it cannot be
>>> realistically answered.
>>>
>>> What sort of load balancing?
>>> 1: Traditional SLB - you hand out one IP address, and have a load balancer
>>> widget which shares this to multiple backends?
>>> 2: Global SLB - you hand out different IP addresses to different clients?
>>> 3: Round Robin - you hand out different IP addresses, but randomly / in an
>>> order, not tied to specific clients?
>>> 4: Anycast - you hand out the same IP address, but this lives on multiple
>>> sites, and routing takes care of getting people to the closest site?
>>> 5: Multiple nameservers? Something else?
>>>
>>> The term "load balance" is very vague / can be applied to multiple things
>>> - for all of the above except #2, this should just work without any
>>> changes. GSLB *may* require more work, but may not. #5 is sufficiently
>>> undefined that it cannot really be answered :-)
>>>
>>> What *exactly* is the question / scenario you are asking?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig