Re: Dynamic updates to multiple masters
You have more than one hypothetical problem there.

On Wed, 2 Aug 2023, Shailendra Gautam wrote:

> I have four authoritative dns servers, all running in master mode for my
> zone for high availability,

Can you give me the justification for why this was chosen and why it works in 100 words or less? I expect at least 50 words each for why it was chosen, and why it works. Am I bad with math?

Isn't the DNS Way to secondary zones from a master to achieve this?

> I'm trying to implement dynamic updates but I am wondering if there is any
> way to avoid sending an update to each of them

Good luck with that!

> Would like to know if anyone has faced this problem before.

Don't do that if it hurts... but I'm a plumber not a doctor.

You have multiple engineering problems here. You have eschewed the "DNS Solution" for zone management (zone transfers). Now you want to adopt the DNS Solution for updates (dynamic updates).

I have engineered a solution which switched masters in the case of failover and it wasn't too bad, although it required restarting BIND to reload the config file so that nodes would know that one of them was the new master. There were dynamic updates, although ironically my recollection is that the change in config somehow addressed that (it's been a few years).

As for the Dynamic Updates Generally problem, have you looked at idempotence as a paradigm? With this idea, updates are applied to converge with the "ideal image" that the updater holds; hopefully your updaters agree on that image, otherwise you have another problem related to conflict resolution (or in the parlance: distributed locking). It's a wonderful world isn't it?

Anyway, the "way out" for us, even though the scenario was in some ways different, was idempotence: the updaters would continue to attempt to update whatever the master was until it conformed to their ideal image, and their ideal image could change in consideration of what the zone held.
--
Fred Morris, internet plumber

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
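The idempotent "ideal image" approach Fred describes, as an added example (Python, not code from the thread or from BIND): the updater diffs what a master actually holds against the records it owns, emits only the nsupdate operations needed to close the gap, and retries masters that are down on a later pass. The zone names, addresses and the FakeMaster stand-in are constructed sample data.

```python
"""Idempotent dynamic-update convergence across several masters.

Added example (not from the thread): an updater holds an "ideal image" of
the records it owns, compares it with what each master actually serves,
and emits only the nsupdate operations needed to close the gap. Re-running
it against any master, any number of times, converges to the same state.
Names, masters and records below are constructed sample data.
"""
from typing import Dict, List, Optional, Set, Tuple

# An RRset key is (owner, rtype); a zone image maps keys to a set of rdata.
Key = Tuple[str, str]
Image = Dict[Key, Set[str]]

# The updater's ideal image: the only RRsets it is responsible for.
IDEAL: Image = {
    ("www.example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
    ("mail.example.com.", "A"): {"192.0.2.25"},
}


def plan(ideal: Image, observed: Image, ttl: int = 300) -> List[str]:
    """Return nsupdate statements that move `observed` to `ideal`.

    Only RRsets named in `ideal` are touched, so records owned by other
    updaters (or by the static zone file) are left alone. The result is
    empty when the master already conforms, which is what makes re-runs
    harmless.
    """
    ops: List[str] = []
    for (owner, rtype), want in ideal.items():
        have = observed.get((owner, rtype), set())
        for rdata in sorted(have - want):
            ops.append(f"update delete {owner} {rtype} {rdata}")
        for rdata in sorted(want - have):
            ops.append(f"update add {owner} {ttl} {rtype} {rdata}")
    return ops


class FakeMaster:
    """Stand-in for an authoritative server that accepts dynamic updates.

    `reachable=False` models a master that is down: reads and updates
    against it fail and must be retried on a later pass, which is the
    situation the updater has to cope with when nodes come and go.
    """

    def __init__(self, name: str, image: Image, reachable: bool = True):
        self.name = name
        self.image: Image = {k: set(v) for k, v in image.items()}
        self.reachable = reachable

    def read(self) -> Optional[Image]:
        if not self.reachable:
            return None
        return {k: set(v) for k, v in self.image.items()}

    def apply(self, ops: List[str]) -> bool:
        """Apply nsupdate-style statements produced by plan()."""
        if not self.reachable:
            return False
        for op in ops:
            parts = op.split()
            if parts[1] == "delete":
                _, _, owner, rtype, rdata = parts
                self.image.get((owner, rtype), set()).discard(rdata)
            else:
                _, _, owner, _ttl, rtype, rdata = parts
                self.image.setdefault((owner, rtype), set()).add(rdata)
        return True


def converge(ideal: Image, masters: List[FakeMaster],
             max_rounds: int = 5) -> Dict[str, int]:
    """Push `ideal` to every master until each conforms or rounds run out.

    Returns, per master, the round in which it first conformed (0 if it
    already did, -1 if it never became reachable). Each pass recomputes the
    plan from what the master actually holds, so a partially applied or
    concurrently modified zone is corrected rather than double-applied.
    """
    done: Dict[str, int] = {m.name: -1 for m in masters}
    for rnd in range(max_rounds):
        pending = [m for m in masters if done[m.name] == -1]
        if not pending:
            break
        for m in pending:
            observed = m.read()
            if observed is None:
                continue                  # down: try again next round
            ops = plan(ideal, observed)
            if not ops:
                done[m.name] = rnd        # already conforms
            elif m.apply(ops):
                done[m.name] = rnd
    return done
```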
Re: Dynamic updates to multiple masters
On 02.08.23 11:53, Shailendra Gautam wrote:

> I have four authoritative dns servers, all running in master mode for my
> zone for high availability, currently they all pull a static zonefile.
> I'm trying to implement dynamic updates but I am wondering if there is
> any way to avoid sending an update to each of them, and send the update
> only once and it should sync to all 4. Would like to know if anyone has
> faced this problem before.

Microsoft's AD supports something like this, the domains are kind of synchronized between servers. As a downside, when using AD server as primary for zones in AD, you can't use multiple servers as the zones are often not in sync.

I would create a hidden primary that would process dynamic updates. For DNSSEC and inline signing, hidden primary looks as best option to me.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
Dynamic updates to multiple masters
Hello,

I have four authoritative dns servers, all running in master mode for my zone for high availability, currently they all pull a static zonefile. I'm trying to implement dynamic updates but I am wondering if there is any way to avoid sending an update to each of them, and send the update only once and it should sync to all 4.

Would like to know if anyone has faced this problem before.

--
Thanks,
SG
Re: Multiple masters for slave zone
On 18 March 2013 23:08, Dave Warren li...@hireahit.com wrote:

> Does it actually check each master for a serial number, or does it stop
> at the first one queried if it has a higher-than-current serial number?

It would have to, otherwise how would it know who has the highest and when to stop checking.

Steve
Re: Multiple masters for slave zone
On 2013-03-18 23:12, Steven Carr wrote:

> On 18 March 2013 23:08, Dave Warren li...@hireahit.com wrote:
>
>> Does it actually check each master for a serial number, or does it stop
>> at the first one queried if it has a higher-than-current serial number?
>
> It would have to, otherwise how would it know who has the highest and
> when to stop checking.

Well, I guess that's part of my question. Does it? Or if the first master it queries has a higher serial number, does it grab the zone without checking the rest? Does the order of the masters matter?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Multiple masters for slave zone
I followed the packet stream in order to understand: when the slave server gets a notify, it sends an SOA request to 2 servers only. It's always the same servers... if it asks only 2 servers, how can the slave know which one of the five is holding the most updated serial?

On 19 March 2013 08:56, Dave Warren li...@hireahit.com wrote:

> On 2013-03-18 23:12, Steven Carr wrote:
>
>> On 18 March 2013 23:08, Dave Warren li...@hireahit.com wrote:
>>
>>> Does it actually check each master for a serial number, or does it stop
>>> at the first one queried if it has a higher-than-current serial number?
>>
>> It would have to, otherwise how would it know who has the highest and
>> when to stop checking.
>
> Well, I guess that's part of my question. Does it? Or if the first master
> it queries has a higher serial number, does it grab the zone without
> checking the rest? Does the order of the masters matter?
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
Re: Multiple masters for slave zone
It does not matter where the notify comes from (it well can be sent from a slave too), named will try to transfer the zone from the first master listed in the masters list. At least it's how it works in 9.7.x, though I do not believe it's something that changed between the releases.

ena

On Mon, Mar 18, 2013 at 3:08 PM, eliran shlomo eliranshl...@gmail.com wrote:

> Hi,
> I need help with understanding how multiple masters work.
> I set a few masters for a slave zone:
>
>     zone "example.com" in {
>         type slave;
>         file "secondary/db.example.com";
>         masters { 192.168.112.10; 192.168.112.12; 192.168.112.13; 192.168.112.14; 192.168.112.15; };
>     };
>
> Each master is standalone and there's no handshake between them.
>
> Now my question is: if I change the serial on the 192.168.112.13 master,
> after the notify, from which one will the zone transfer occur?
>
> bind version is Version: 9.5.0-P2
Re: Multiple masters for slave zone
In message CAG=4s2amwgimwvrqszjkmk74v_mmnbxohgc+ofqtjkfonjo...@mail.gmail.com, Emil Natan writes:

> It does not matter where the notify comes from (it well can be sent from
> a slave too), named will try to transfer the zone from the first master
> listed in the masters list. At least it's how it works in 9.7.x, though I
> do not believe it's something that changed between the releases.
>
> ena

Named will transfer from the master with the highest serial. Notify just triggers early refresh checks.

Mark

> On Mon, Mar 18, 2013 at 3:08 PM, eliran shlomo eliranshl...@gmail.com wrote:
>
>> Hi,
>> I need help with understanding how multiple masters work.
>> I set a few masters for a slave zone:
>>
>>     zone "example.com" in {
>>         type slave;
>>         file "secondary/db.example.com";
>>         masters { 192.168.112.10; 192.168.112.12; 192.168.112.13; 192.168.112.14; 192.168.112.15; };
>>     };
>>
>> Each master is standalone and there's no handshake between them.
>>
>> Now my question is: if I change the serial on the 192.168.112.13 master,
>> after the notify, from which one will the zone transfer occur?
>>
>> bind version is Version: 9.5.0-P2

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
Re: Multiple masters for slave zone
On 2013-03-18 15:50, Mark Andrews wrote:

> Named will transfer from the master with the highest serial. Notify just
> triggers early refresh checks.

Does it actually check each master for a serial number, or does it stop at the first one queried if it has a higher-than-current serial number?

I've been meaning to test this in the real world, but if anyone can tell me, it would save a bit of time :)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: faster fail-over between multiple masters
On 30.08.2011 00:04, Mark Andrews wrote:

> In message 4e5b6098.80...@pernau.at, Klaus Darilion writes:
>
>> Hi!
>>
>> I have 9.7.0-P1 as slave configured with two masters: M1 and M2. M2 is
>> currently down. When M1 sends a NOTIFY to inform the slave of the new
>> zone, bind starts querying for the SOA record at M2. As M2 is down, bind
>> sends retransmissions and tries it several times. It takes up to 2
>> minutes until bind starts asking M1 - then the transfer of course works
>> fine.
>>
>> The question is: can I tweak bind to fail-over to other master servers
>> faster?
>
> try-tcp-refresh no;

Hi Mark!

Thanks for the hint. But I do not see how this can help us, as the slave never used TCP. The SOA lookups are always done via UDP.

Some more debugging showed that the problem happens in the following scenario:

1. On the slave we have set max-refresh-time to 5 minutes. (We have added this in case the slave missed some NOTIFYs due to network problems).

2. Thus, every 4.5 minutes the slave asks both masters for the serial. The lookup to M1 works fine, the lookup to M2 of course fails as M2 is down and thus bind starts with retransmissions: every lookup has 2 retransmissions every 15 seconds, then bind tries this again with a new transaction.

3. If bind receives a NOTIFY while it tries to query M2, the NOTIFY is more or less ignored:

    client 1.1.1.1#15733: received notify for zone 'xyz': TSIG 'foobar'
    zone xyz/IN: notify from 1.1.1.1: refresh in progress, refresh check queued

Thus, it takes up to 2 minutes until bind gives up querying M2 and starts again with querying M1.

Is it possible to tweak the retransmission timers and query timeouts when bind performs SOA lookups?

Thanks
Klaus
Re: faster fail-over between multiple masters
On 30.08.2011 18:17, Klaus Darilion wrote:

> 2. Thus, every 4.5 minutes the slave asks both masters for the serial.
> The lookup to M1 works fine, the lookup to M2 of course fails as M2 is
> down and thus bind starts with retransmissions: every lookup has 2
> retransmissions every 15 seconds, then bind tries this again with a new
> transaction.

Small correction: I observe that bind uses 4 transactions, with every transaction having 2 retransmissions with a timeout of 15 seconds. Thus, during 4x45s=180s bind blocks and does not process the notification.

Unfortunately I fail to find the options where I can configure the number of retransmissions, timeouts and number of transactions - please give me some hints.

Thanks
Klaus
Re: faster fail-over between multiple masters
On 2011-08-30 12:06 PM, Klaus Darilion wrote:

> Unfortunately I fail to find the options where I can configure the number
> of retransmissions, timeouts and number of transactions - please give me
> some hints.

I don't believe there are external knobs for this behavior.

I can think of several possible fixes here:

(1) if we get a notify during a SOA check, proceed as usual but flag this so we will just start another SOA check. We may transfer the zone between these checks (and probably should.)

(2) send all SOA requests in parallel, and use an overall max time to wait (perhaps 20 seconds) and re-send the SOA to servers which have not responded every 4 seconds. This limits the total time an SOA check will take.

(3) If any of the servers respond with better SOA serial numbers than we have, transfer from the masters as listed in the config file or whichever is better, depending on current behavior.

I do not know when we would be able to get to this change, but I'll put them on the back-log for future releases.

If you want to go code diving, you can likely find the timeouts and change the behavior for your servers. However, you'll have to track this each time we do a release for the foreseeable future.

--
--Michael

ISC offers support on many of its products, including BIND 9. If you depend on it, depend on us! See http://www.isc.org/support/ for all the details.
faster fail-over between multiple masters
Hi!

I have 9.7.0-P1 as slave configured with two masters: M1 and M2. M2 is currently down. When M1 sends a NOTIFY to inform the slave of the new zone, bind starts querying for the SOA record at M2. As M2 is down, bind sends retransmissions and tries it several times. It takes up to 2 minutes until bind starts asking M1 - then the transfer of course works fine.

The question is: can I tweak bind to fail-over to other master servers faster?

Thanks
Klaus
Re: faster fail-over between multiple masters
In message 4e5b6098.80...@pernau.at, Klaus Darilion writes:

> Hi!
>
> I have 9.7.0-P1 as slave configured with two masters: M1 and M2. M2 is
> currently down. When M1 sends a NOTIFY to inform the slave of the new
> zone, bind starts querying for the SOA record at M2. As M2 is down, bind
> sends retransmissions and tries it several times. It takes up to 2
> minutes until bind starts asking M1 - then the transfer of course works
> fine.
>
> The question is: can I tweak bind to fail-over to other master servers
> faster?

try-tcp-refresh no;

> Thanks
> Klaus

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
bind 9 multiple masters setup
Hello,

I have most of this worked out but I intend to setup bind in a multiple master manner. This makes me question a few things:

1. What can I use for the SOA MNAME? In the off chance a box may die, I am thinking of using a VIP which contains the multiple masters within it. However I am not sure how this would affect NOTIFY. So can I use a VIP or do I just use one of the master DNS boxes in the SOA MNAME field?

2. With that said, I intend to use rndc to push out DNS changes, should I worry about using a VIP still? I may need to use both and NOTIFY seems like it is more built-in so I want to keep rndc and NOTIFY going.

Hope someone has gone through this trauma.

Thank you!,
Zahid Bukhari
Re: bind 9 multiple masters setup
On Wed, Jan 12, 2011 at 5:13 PM, dev null devn...@cimmerii.org wrote:

> Hello,
>
> I have most of this worked out but I intend to setup bind in a multiple
> master manner. This makes me question a few things:
>
> 1. What can I use for the SOA MNAME? In the off chance a box may die, I
> am thinking of using a VIP which contains the multiple masters within it.
> However I am not sure how this would affect NOTIFY. So can I use a VIP or
> do I just use one of the master DNS boxes in the SOA MNAME field?

You can use any name server authoritative for the zone. One of the masters is good enough.

> 2. With that said, I intend to use rndc to push out DNS changes, should I
> worry about using a VIP still? I may need to use both and NOTIFY seems
> like it is more built-in so I want to keep rndc and NOTIFY going.

How do you plan to replicate the zone data between the masters? At the slaves you can just set a few masters for each zone. For example:

    zone "example.com" {
        type slave;
        file "/var/named/example.com.zone";
        masters { master_ip_address; master_ip_address; ... };
    };

When named receives NOTIFY for a zone it will check one by one the servers from the masters list.

> Hope someone has gone through this trauma.
>
> Thank you!,
> Zahid Bukhari

ena
Re: bind 9 multiple masters setup
On 01/12/11 16:13, dev null wrote:

> Hello,
>
> I have most of this worked out but I intend to setup bind in a multiple
> master manner. This makes me question a few things:
>
> 1. What can I use for the SOA MNAME? In the off chance a box may die, I
> am thinking of using a VIP which contains the multiple masters within it.
> However I am not sure how this would affect NOTIFY. So can I use a VIP or
> do I just use one of the master DNS boxes in the SOA MNAME field?

It's mostly ignored. All resolvers go for the NS records at the zone apex, not for MNAME. Even if the server named in MNAME dies, it won't affect resolving. You just rebuild that machine, or even build another one and change slaves to get data from the new master.

> 2. With that said, I intend to use rndc to push out DNS changes, should I
> worry about using a VIP still? I may need to use both and NOTIFY seems
> like it is more built-in so I want to keep rndc and NOTIFY going.

Isn't it simpler to just let BIND do its job? When the master loads a changed zone, it sends NOTIFY messages to slaves, and slaves, seeing that they have outdated zone files, download the zone from the master. rndc can only tell BIND (either master or slave) to initiate that connection, it can't change zones by itself. You could of course copy zone files to slaves by some means (rsync? scp?) and then rndc reload the slave, but a) why? b) it really isn't a slave anymore, at least not in DNS terms.

Torinthiel
Re: bind 9 multiple masters setup
If a zone is not dynamic, then the MNAME does nothing except to possibly inhibit notifies to the declared master iff you specify the option "notify yes" or if you do not specify any notify option (as "notify yes" is the default).

If a zone is dynamic, then the MNAME plays a very critical role of telling all clients where to send dynamic DNS updates.

I hear that support for multi-master with dynamic zones is expected in version 10. I have my own questions about how that will be done.

--
Gordon A. Lang / 313-819-7978

----- Original Message -----
From: dev null devn...@cimmerii.org
To: bind-users@lists.isc.org
Sent: Wednesday, January 12, 2011 10:13 AM
Subject: bind 9 multiple masters setup

> Hello,
>
> I have most of this worked out but I intend to setup bind in a multiple
> master manner. This makes me question a few things:
>
> 1. What can I use for the SOA MNAME? In the off chance a box may die, I
> am thinking of using a VIP which contains the multiple masters within it.
> However I am not sure how this would affect NOTIFY. So can I use a VIP or
> do I just use one of the master DNS boxes in the SOA MNAME field?
>
> 2. With that said, I intend to use rndc to push out DNS changes, should I
> worry about using a VIP still? I may need to use both and NOTIFY seems
> like it is more built-in so I want to keep rndc and NOTIFY going.
>
> Hope someone has gone through this trauma.
>
> Thank you!,
> Zahid Bukhari
Re: Multiple masters and multiple TSIG keys
On 29 Sep 2010, at 09:34, Anand Buddhdev wrote:

> Now, I have been given 2 keys, t1 and t2, to use for transferring z1 and
> z2 respectively.

[Wandering off topic, perhaps]

That seems to me a back-to-front way to do things. If the organization running the master is concerned to identify responsibility for purported slave access, the key needs to be provided by the organization responsible for running the slave, and accepted (or not) at the master end. That's what I expect from my slaves. None has revolted yet. 8-)

One way or the other, using multiple keys to express what is intrinsically a single trust relationship seems to be both likely to increase the risk of compromise and certain to add administrative burden. Why do it?

ATB
/Niall
Re: Multiple masters and multiple TSIG keys
On 29/09/2010 12:09, Niall O'Reilly wrote:

> On 29 Sep 2010, at 09:34, Anand Buddhdev wrote:
>
>> Now, I have been given 2 keys, t1 and t2, to use for transferring z1
>> and z2 respectively.
>
> [Wandering off topic, perhaps]
>
> That seems to me a back-to-front way to do things. If the organization
> running the master is concerned to identify responsibility for purported
> slave access, the key needs to be provided by the organization
> responsible for running the slave, and accepted (or not) at the master
> end. That's what I expect from my slaves. None has revolted yet. 8-)
>
> One way or the other, using multiple keys to express what is
> intrinsically a single trust relationship seems to be both likely to
> increase the risk of compromise and certain to add administrative
> burden. Why do it?

Hi Niall,

You're probably right, and it does increase administrative burden. However, this design isn't my choice, so I'm stuck with it.

Anyway, I discussed this with my colleague here, and we came up with a solution that works. We have created 2 views of the master name servers:

    masters m-key1 { ip1 key key1; ... };
    masters m-key2 { ip1 key key2; ... };

    zone z1 { masters { m-key1; }; ... };
    zone z2 { masters { m-key2; }; ... };

Regards,
Anand Buddhdev
Re: Multiple masters and multiple TSIG keys
On 29 Sep 2010, at 15:53, Anand Buddhdev wrote:

> Anyway, I discussed this with my colleague here, and we came up with a
> solution that works. We have created 2 views of the master name servers:

Nice one, and useful to have in the mailing-list archive!

/Niall
Re: Multiple masters expected behavior?
On 07/26/10 23:02, Barry Margolin wrote:

> In article mailman.100.1280077153.15649.bind-us...@lists.isc.org,
> Laws, Peter C. pl...@ou.edu wrote:
>
>> Understood, but what I'm asking about is that the slave does not appear
>> to be losing contact with the first-listed master. In fact, from the
>> logs, it appears to be flipping back and forth (though not
>> round-robinning).
>
> Multiple masters is not about losing contact, it's about getting the
> most up-to-date version of the zone. There's no reason for the slave to

A HA! So the answer to my original question, after all this, is Yes (this is expected behavior).

Thanks.

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: Multiple masters expected behavior?
On 2010-07-23 22:52, Peter Laws wrote:

> I would have expected that it would only ask the second-listed master if
> the first didn't answer ... but I didn't write the code (and haven't read
> it either!

And how would your slave ever pick up an update on the second-listed master that (for whatever reason) doesn't propagate to the first? After all, the first is still answering, but with old data.
Re: Multiple masters expected behavior?
In article mailman.100.1280077153.15649.bind-us...@lists.isc.org, Laws, Peter C. pl...@ou.edu wrote:

> Understood, but what I'm asking about is that the slave does not appear
> to be losing contact with the first-listed master. In fact, from the
> logs, it appears to be flipping back and forth (though not
> round-robinning).

Multiple masters is not about losing contact, it's about getting the most up-to-date version of the zone. There's no reason for the slave to assume that the first master has the best version of the zone. The only way to tell is to check the SOA records on all the masters, and perform a zone transfer from any of them that have a higher serial than the one you already have.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
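An added example (Python; not code from BIND or from any post on this page) covering Barry's point that the secondary must check the SOA on every master and transfer from whichever holds the highest serial, and Michael Graff's proposal earlier on this page to issue those SOA queries in parallel under one overall deadline. The serial comparison follows RFC 1982, the sequential timers mirror Klaus's observed 4 transactions of 3 sends at 15 s, and all addresses, serials and latencies are constructed values.

```python
"""Secondary refresh check against several masters.

Added example, not code from BIND or from this thread. It models the SOA
serial check a secondary runs after a NOTIFY or refresh-timer expiry:
serials are compared with RFC 1982 arithmetic, the master holding the
newest zone is chosen whatever its position in the masters list, and the
cost of a dead master is shown for sequential polling (the 4 transactions
of 3 sends at 15 s Klaus observed) versus parallel polling under one
overall deadline (Michael Graff's proposal). Addresses, serials and
latencies are constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HALF = 1 << 31          # half the 32-bit serial space (RFC 1982)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b, allowing for 32-bit wraparound."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Master:
    addr: str
    serial: Optional[int]   # None models a master that never answers
    latency: float = 0.05   # seconds until its SOA reply arrives


@dataclass
class Timers:
    timeout: float = 15.0   # wait before each retransmission
    retransmits: int = 2    # extra sends per transaction
    transactions: int = 4   # transactions before a master is given up on


def sequential_check(masters: List[Master], have: int,
                     t: Optional[Timers] = None) -> Tuple[Optional[str], float]:
    """Poll masters one after another in listed order.

    Returns (address of the master to transfer from, or None if nobody is
    ahead of `have`; seconds the whole check took). A master that never
    answers blocks the check for transactions * sends * timeout seconds,
    and a NOTIFY arriving meanwhile only gets queued behind it.
    """
    t = t or Timers()
    best, best_serial, elapsed = None, have, 0.0
    for m in masters:
        if m.serial is None:
            elapsed += t.transactions * (t.retransmits + 1) * t.timeout
            continue
        elapsed += m.latency
        if serial_gt(m.serial, best_serial):
            best, best_serial = m.addr, m.serial
    return best, elapsed


def parallel_check(masters: List[Master], have: int,
                   deadline: float = 20.0) -> Tuple[Optional[str], float]:
    """Send every SOA query at once and stop waiting at `deadline`.

    Masters that have not answered by then are skipped, so the check costs
    at most `deadline` seconds regardless of how many masters are down,
    and the highest serial among those that did answer still wins.
    """
    best, best_serial, elapsed = None, have, 0.0
    for m in masters:
        if m.serial is None or m.latency > deadline:
            elapsed = deadline              # waited the full deadline for it
            continue
        elapsed = max(elapsed, m.latency)
        if serial_gt(m.serial, best_serial):
            best, best_serial = m.addr, m.serial
    return best, elapsed
```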
RE: Multiple masters expected behavior?
Understood, but what I'm asking about is that the slave does not appear to be losing contact with the first-listed master. In fact, from the logs, it appears to be flipping back and forth (though not round-robinning).

Someone else asked, essentially, why? ... The network paths are diverse to the different interfaces so, while I'm not protecting against failure of the master, I am protecting against network path failure.

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center / Web
University of Oklahoma Information Technology
pl...@ou.edu

From: bind-users-bounces+plaws=ou@lists.isc.org [bind-users-bounces+plaws=ou@lists.isc.org] on behalf of Barry Margolin [bar...@alum.mit.edu]
Sent: Saturday, July 24, 2010 07:09
To: comp-protocols-dns-b...@isc.org
Subject: Re: Multiple masters expected behavior?

> In article mailman.83.1279918361.15649.bind-us...@lists.isc.org,
> Peter Laws pl...@ou.edu wrote:
>
>> On 07/22/10 19:57, Barry Margolin wrote:
>>
>>> In article mailman.65.1279835965.15649.bind-us...@lists.isc.org,
>>> Peter Laws pl...@ou.edu wrote:
>>>
>>>> I have multiple interfaces on my master and multiple interfaces on
>>>> most of my slaves.
>>>>
>>>> Is that expected behavior?
>>>
>>> Yes. What if the first server stops getting updates, but the second
>>> one does and has a higher serial number? Don't you want the slaves to
>>> check the SOA record on it to pick up these changes?
>>
>> Except that the 2 masters are simply different interfaces on the same
>> master ... so the serial number *better* always be the same!
>
> That's true in *your* case. But BIND was designed to handle the more
> general case, where the masters can be different machines.
>
> --
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
RE: Multiple masters expected behavior?
Well aware of that, but we have RedHat support so we're stuck with that given that the alternatives are self-supporting BIND (which you could argue I'm doing right now!) or going with a 3rd party. Given the economy, I'm pleased we're keeping RH support.

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center / Web
University of Oklahoma Information Technology
pl...@ou.edu

From: Doug Barton [do...@dougbarton.us]
Sent: Friday, July 23, 2010 19:23
To: Laws, Peter C.
Cc: bind-us...@isc.org
Subject: Re: Multiple masters expected behavior?

On Thu, 22 Jul 2010, Peter Laws wrote:

> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

9.3.x has been EOL for a long time now, FYI.

--
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Computers are useless. They can only give you answers. -- Pablo Picasso
Re: Multiple masters expected behavior?
It makes it really hard to follow the thread. Why not? Please don't top post!

From: Laws, Peter C. pl...@ou.edu
Date: Sun, 25 Jul 2010 16:56:26 +
Sender: bind-users-bounces+oberman=es@lists.isc.org

> Well aware of that, but we have RedHat support so we're stuck with that given that the alternatives are self-supporting BIND (which you could argue I'm doing right now!) or going with a 3rd party. Given the economy, I'm pleased we're keeping RH support.

While all of our (public) servers run on FreeBSD which has not shipped with 9.3 for a long time, we always run a near-current ISC release of BIND. The amount of support needed is trivial and I sleep much better at night that way. Yes, depending on the integration of your back-office DNS management/DNSSEC, it might be less so for some. Keeping the support of BIND on our public servers mostly unrelated to the IPAM and DNSSEC stuff has really not been hard. In the time it took me to send my reply, I could have updated BIND on all of our public servers and I don't have to upgrade all that often.

I think running 9.3 is false economy. DNS is just too important.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Multiple masters expected behavior?
In article mailman.83.1279918361.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

> On 07/22/10 19:57, Barry Margolin wrote:
>> In article mailman.65.1279835965.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:
>>> I have multiple interfaces on my master and multiple interfaces on most of my slaves.
>>> Is that expected behavior?
>> Yes. What if the first server stops getting updates, but the second one does and has a higher serial number? Don't you want the slaves to check the SOA record on it to pick up these changes?
> Except that the 2 masters are simply different interfaces on the same master ... so the serial number *better* always be the same!

That's true in *your* case. But BIND was designed to handle the more general case, where the masters can be different machines.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: Multiple masters expected behavior?
On 07/22/10 19:57, Barry Margolin wrote:

> In article mailman.65.1279835965.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:
>> I have multiple interfaces on my master and multiple interfaces on most of my slaves.
>> Is that expected behavior?
> Yes. What if the first server stops getting updates, but the second one does and has a higher serial number? Don't you want the slaves to check the SOA record on it to pick up these changes?

Except that the 2 masters are simply different interfaces on the same master ... so the serial number *better* always be the same!

Looking at the logs, it appears that the choice of masters is a second-to-second thing because what I'm seeing is that one zone goes via one interface and then the next zone, perhaps only a few 10s of ms later, goes via the other interface. I would have expected that it would only ask the second-listed master if the first didn't answer ... but I didn't write the code (and haven't read it either!)

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: Multiple masters expected behavior?
On Fri, 23 Jul 2010, Peter Laws wrote:

> Except that the 2 masters are simply different interfaces on the same master

Why do you think that would be helpful? Or are you just testing the multi-master configuration in the hopes of adding actual diversity down the road?

Doug

--
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Computers are useless. They can only give you answers. -- Pablo Picasso
Re: Multiple masters expected behavior?
On Thu, 22 Jul 2010, Peter Laws wrote:

> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

9.3.x has been EOL for a long time now, FYI.

--
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Computers are useless. They can only give you answers. -- Pablo Picasso
Multiple masters expected behavior?
I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure.

Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).

I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs.

Is that expected behavior?

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: Multiple masters expected behavior?
On 07/22/2010 10:59 PM, Peter Laws wrote:

> I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure.
>
> Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).
>
> I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs.

I believe like all DNS servers, bind will pick the quickest-responding one (with the highest SOA serial, of course). It will certainly send SOA queries to both in case one master has a higher serial than the other.
Re: Multiple masters expected behavior?
In article mailman.65.1279835965.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

> I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure.
>
> Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).
>
> I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs.
>
> Is that expected behavior?

Yes. What if the first server stops getting updates, but the second one does and has a higher serial number? Don't you want the slaves to check the SOA record on it to pick up these changes?

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Multiple masters in slave zone
Hello

How does BIND handle multiple masters in a slave zone definition? I know that if one master doesn't answer, a second one is checked for new zone data, but does BIND periodically check ALL master servers for new data?

Best regards
Fabian Gut

--
Fabian Gut
Trainee
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 44 455 74 00
f: +41 44 455 74 01
f...@open.ch
http://www.open.ch
Re: Multiple masters in slave zone
In article mailman.859.1268840913.21153.bind-us...@lists.isc.org, Fabian Gut f...@open.ch wrote:

> Hello
>
> How does BIND handle multiple masters in a slave zone definition? I know that if one master doesn't answer, a second one is checked for new zone data, but does BIND periodically check ALL master servers for new data?

It checks them all. If any has a higher serial number than the one that's loaded, it performs a zone transfer from it.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
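The refresh behaviour described in this answer and in the "expected behavior?" thread above (every listed master is asked for its SOA, and a transfer is taken from whichever one holds a newer serial than the loaded copy, regardless of list position) as an added Python model. This is example code written for this page, not BIND's own logic; it goes one step beyond the thread by comparing serials with RFC 1982 serial-number arithmetic, so a serial that has wrapped past 2^32 is still recognised as newer rather than silently ignored. The master addresses, serials and the `None` marker for a master that did not answer are constructed sample data; the tie rule (equal serials keep the first-listed master) is the model's own choice, not a documented BIND rule.

```python
"""Model of how a secondary chooses among several masters at refresh time.

Added example: not BIND source. It reflects the thread's description
(consult every master's SOA; transfer from one with a newer serial) and
uses RFC 1982 serial arithmetic for the "newer" test.
"""
from functools import cmp_to_key
from typing import Dict, List, Optional

SERIAL_MOD = 1 << 32          # SOA serial is an unsigned 32-bit value
SERIAL_HALF = 1 << 31         # RFC 1982: "newer" means less than half the space ahead


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 arithmetic.

    Exactly half the space apart is undefined in the RFC; this returns False
    in both directions for that case, so neither side is treated as newer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def masters_with_newer_zone(loaded_serial: int,
                            soa_replies: Dict[str, Optional[int]]) -> List[str]:
    """Return the masters whose SOA serial is newer than the loaded zone, newest first.

    soa_replies maps each configured master (in masters {} order, which dicts
    preserve) to the serial it answered with, or None if it did not answer.
    A silent master is skipped; it does not stop the others being consulted.
    """
    newer = [(m, s) for m, s in soa_replies.items()
             if s is not None and serial_gt(s, loaded_serial)]

    def newest_first(x, y):
        if serial_gt(x[1], y[1]):
            return -1
        if serial_gt(y[1], x[1]):
            return 1
        return 0                       # equal serials: stable sort keeps list order

    newer.sort(key=cmp_to_key(newest_first))
    return [m for m, _ in newer]


def choose_transfer_source(loaded_serial: int,
                           soa_replies: Dict[str, Optional[int]]) -> Optional[str]:
    """Master to transfer from, or None when no master is ahead of the loaded zone."""
    candidates = masters_with_newer_zone(loaded_serial, soa_replies)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    # Constructed scenarios (RFC 5737 documentation addresses).
    loaded = 2010072201
    # First-listed master is stale, second one has picked up an update.
    print(choose_transfer_source(loaded, {"192.0.2.1": 2010072201, "192.0.2.2": 2010072205}))
    # First master unreachable, second has nothing newer: no transfer happens.
    print(choose_transfer_source(loaded, {"192.0.2.1": None, "192.0.2.2": 2010072201}))
    # Serial wrapped past 2^32 on the second master: still recognised as newer.
    print(choose_transfer_source(SERIAL_MOD - 1, {"192.0.2.1": SERIAL_MOD - 1, "192.0.2.2": 5}))
```

The model makes the two points of the thread concrete: a master that does not answer only removes itself from consideration, and a master further down the list is preferred as soon as it is the one with the newer zone. In a multi-machine setup this is exactly why the serial on every master has to move forward consistently; a master that re-publishes an older serial is never consulted again until the others fall behind it.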
Re: Multiple masters?
Chris Buxton wrote:

> On Jan 14, 2010, at 5:04 PM, Peter Laws wrote:
>> Am I right in thinking that, on a slave, I can have multiple masters designated for a particular zone? I just have to make sure that the slave that is pretending to be the master allows transfers, right?
> Don't forget about the notify mechanism. Make sure it's properly configured and tuned.

Glad you brought that up. Should the real master be the only one sending out notifies or should the fake master do it as well?

Thanks, Peter

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: Multiple masters?
On Jan 15, 2010, at 10:17 AM, Peter Laws wrote:

> Chris Buxton wrote:
>> On Jan 14, 2010, at 5:04 PM, Peter Laws wrote:
>>> Am I right in thinking that, on a slave, I can have multiple masters designated for a particular zone? I just have to make sure that the slave that is pretending to be the master allows transfers, right?
>> Don't forget about the notify mechanism. Make sure it's properly configured and tuned.
> Glad you brought that up. Should the real master be the only one sending out notifies or should the fake master do it as well?

Every slave server needs the following from its masters (whether that's the primary master and/or one or more slaves):

- zone transfer access
- notifications of zone updates

Unless you put in some special and usually unnecessary (and useless) configuration, the notification message has to come from the slave's master, not from the primary master (unless they are the same).

Chris Buxton
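The two requirements in this answer, turned into a small configuration lint, as an added Python example (written for this page, not part of the thread or of BIND). It walks a set of servers, each described by its address, its masters list, its allow-transfer list and its also-notify list, and reports every slave that cannot transfer from a listed master or that would receive NOTIFY only from a server it does not list as a master. The lint assumes BIND's default of accepting NOTIFY only from the zone's configured masters (allow-notify, which widens that, is not modelled) and treats also-notify as the only NOTIFY source, leaving out the implicit NOTIFY to NS-record targets. The server names, addresses and the `Server` class are constructed for the example.

```python
"""Lint for a primary -> intermediate slave -> outlying slaves NOTIFY/transfer layout.

Added example, not BIND code. Encodes: every slave needs (1) allow-transfer
from each server in its masters list and (2) a NOTIFY sender that is in that
masters list, because a secondary refuses NOTIFY from non-master addresses
by default. also-notify is the only NOTIFY source modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Server:
    addr: str
    masters: List[str] = field(default_factory=list)         # addresses this server pulls from
    allow_transfer: List[str] = field(default_factory=list)  # addresses allowed to AXFR/IXFR
    also_notify: List[str] = field(default_factory=list)     # addresses this server notifies


def lint(servers: Dict[str, Server]) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent."""
    by_addr = {s.addr: name for name, s in servers.items()}
    problems: List[str] = []
    for name, s in servers.items():
        if not s.masters:
            continue                                 # a primary pulls from nobody
        for m in s.masters:
            mname = by_addr.get(m)
            if mname is None:
                problems.append(f"{name}: master {m} is not a known server")
                continue
            if s.addr not in servers[mname].allow_transfer:
                problems.append(f"{name}: {mname} does not allow-transfer to {s.addr}")
        # Who sends this slave a NOTIFY, and is that sender one of its masters?
        notifiers = [n for n, o in servers.items() if s.addr in o.also_notify]
        if not any(servers[n].addr in s.masters for n in notifiers):
            problems.append(f"{name}: no server in its masters list also-notifies {s.addr}")
        for n in notifiers:
            if servers[n].addr not in s.masters:
                problems.append(
                    f"{name}: NOTIFY from {n} ({servers[n].addr}) would be refused: not in masters")
    return problems


def example_topology(broken: bool) -> Dict[str, Server]:
    """Constructed sample: a primary, a stealth slave acting as master, an outlying slave."""
    primary = Server("192.0.2.1", allow_transfer=["192.0.2.2", "192.0.2.3"],
                     also_notify=["192.0.2.2", "192.0.2.3"])
    stealth = Server("192.0.2.2", masters=["192.0.2.1"],
                     allow_transfer=["192.0.2.3"], also_notify=["192.0.2.3"])
    outlying = Server("192.0.2.3", masters=["192.0.2.1", "192.0.2.2"])
    if broken:
        # Outlying slave lists only the stealth master, but only the primary
        # notifies it: the NOTIFY is refused and the slave never learns of updates
        # until its refresh timer fires.
        outlying.masters = ["192.0.2.2"]
        stealth.also_notify = []
    return {"primary": primary, "stealth": stealth, "outlying": outlying}


if __name__ == "__main__":
    for label in (False, True):
        print("broken" if label else "good", lint(example_topology(label)) or "ok")
```

The broken case is the one Peter is asking about: if the outlying slaves are told to pull from the fake master, the fake master has to be the one that notifies them (or be listed alongside the real master, as in the good case), otherwise each NOTIFY from the real master is discarded and the slaves only catch up at their SOA refresh interval.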
Re: Multiple masters?
Chris Buxton wrote:

> Every slave server needs the following from its masters (whether that's the primary master and/or one or more slaves):
> - zone transfer access
> - notifications of zone updates

OK.

> Unless you put in some special and usually unnecessary (and useless) configuration, the notification message has to come from the slave's master, not from the primary master (unless they are the same).

No, no useless configs I'm aware of. Just trying to give the outlying slaves a second place to go, should the real master be busy, i.e.

masters { IPofserver1; IPofserver2; };

Our architecture is sub-optimal (among other things, hardest hit of all public servers is the master) and this is one more step towards getting out from under that. I'd love to have a master that wasn't even a published DNS server, but we're not there quite yet.

Thanks!

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Multiple masters?
Am I right in thinking that, on a slave, I can have multiple masters designated for a particular zone? I just have to make sure that the slave that is pretending to be the master allows transfers, right?

All but two of the slaves are BIND, the other two are Evil Empire servers. Still no problem?

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: Multiple masters?
On Jan 14, 2010, at 5:04 PM, Peter Laws wrote:

> Am I right in thinking that, on a slave, I can have multiple masters designated for a particular zone? I just have to make sure that the slave that is pretending to be the master allows transfers, right?

Don't forget about the notify mechanism. Make sure it's properly configured and tuned.

> All but two of the slaves are BIND, the other two are Evil Empire servers. Still no problem?

No problem.

Chris Buxton