FQDNs in masters-list (was: Help: Secondary for...)
Brad Knowles
brad.knowles at skynet.be
Mon Mar 5 14:45:38 UTC 2001
At 10:58 AM +0100 3/5/01, Andreas S. Oesterhelt wrote:
> Maybe it's just my ignorance of the technical details, but I fail to
> see how
> a) Allowing masters to be specified by name and
> b) having the slave do, if necessary, lookups for the master's
> address before zone transfers,
> could possibly require a change in the protocol or standard.
There are people on this list far more qualified to answer this
question than me, however I will try to give it a go.
I haven't yet confirmed this by checking the RFCs, but I think
that the way secondaries are handled is outside of the scope of the
standard. It's primarily an implementation detail of BIND, but if
done wrong it could obviously cause very grave harm.
I can imagine that many zones (in fact probably most of them)
would be seriously broken by doing something like this. First off,
the secondary/ies wouldn't be able to start serving the zone until
it's done the DNS queries to resolve the name of the primary/ies, and
until the release of BINDv9 we didn't have a multi-threaded server
that could serve some zones while it was in the process of loading
others.
Secondly, it is still quite easy for someone to poison the cache
of a nameserver, and lie to it about what the IP address is for a
particular server. It's getting harder and harder to do this (as
people install more and more up-to-date software), but it is still
easy enough to do that virtually any zone this way could be hi-jacked
with ease. The only way to solve this problem would be to force
everyone around the world to upgrade to BINDv9 immediately, and that
would still be only a partial solution (I understand that cache
pollution in BINDv9 is more difficult, but still possible).
Thirdly, if people screwed up their zones by doing stupid stuff
like having CNAMEs exist for nodes that also have other data (e.g.,
giving the zone itself a CNAME alias to another zone or node
somewhere else), then since this would cause SERVFAIL errors, this
would result in the zone being totally unserveable by the secondaries.
I've heard some statistics quoted that around 25% of all zones
registered with well-managed TLD nameservers (e.g., those where the
registrar actually checks to confirm you really do have two separate
nameservers for the zone you're registering, and they appear to be
properly set up according to tools similar to "doc") are actually
lame delegations, and in excess of 50% of all zones registered at
less well-managed TLD nameservers are lame delegations.
If people can't get something correct that is this fundamentally
basic to the nature of DNS, how can you expect them to get something
more complex right at all?
No, I submit that we should be doing things that force them to
fix the more basic things (or simply prevent them from being able to
get them wrong in the first place), and once that is done, we can
consider what future extensions we may be able to make.
--
======================================================================
Brad Knowles, <brad.knowles at skynet.be>
More information about the bind-users
mailing list