DNS push mechanism.
John Wobus
jw354 at cornell.edu
Fri Oct 28 17:30:10 UTC 2005
Use your rsync/ssh-type mechanism, making them all DNS masters. This has been a common practice among DNS admins for literally decades. Elegance is in the eye of the beholder: I happen to appreciate the beauty of "extra-BIND/DNS" assurance that the zone data is indeed identical in all of a zone's authoritative servers, despite update-cycle times, lost notifies, etc. The scheme can also lend elegance to appropriate handling of named.conf updates.

The DNS's own mechanism is the notify/pull mechanism, which you are bound to avoid.

John
On Oct 27, 2005, at 8:57 PM, Steven Hajducko wrote:
> Hi,
>
> Due to the nature of our environment and security concerns, I have to come up with some way to push DNS zones from our master server to slave servers in each of our environments. Here's a better explanation.
>
> We have some typical environments in the sense of a 3-tier setup: Front - Application - Backend Data. We also have several clones of this environment. In order to try and centralize management, we also have a management LAN off to the side. This management LAN is where we host our primary named server. However, our security prevents us from allowing the slave servers in each tier to pull zone information down from the master in the management LAN. Because of this, I have to develop a mechanism to ensure that:
>
> a) The transaction of the zone is done over TCP.
> b) The master pushes the zone to the slave and not vice versa.
>
> We are, under no circumstances, allowed to have the slaves initiate a connection to the master in order to download zone files, be it incremental or full zones. I was curious if anyone else has come up with a mechanism for doing this or knows of a utility to do this? At this point, I'm just considering using rsync over ssh (à la djbdns) to do the transfers anytime an update is made, but I'd like to see if there is a more... elegant... solution.
>
> Any help would be appreciated.
>
> Thanks.
>
> --
> sh
>
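The push-and-verify scheme discussed above, as an added shell example that is not code from this thread, from BIND or from djbdns. It pushes the zone directory from the master to each slave over the master's own outbound ssh session (the slave never connects back), reloads the slave's named, and then performs the out-of-band identity check John mentions by comparing file digests on every server. The host names, the zone directory, the `$REMOTE`/`$SYNC` command variables, the named.conf path and the `rndc reload` step are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread or from BIND itself:
# master-initiated zone push over ssh/rsync plus an out-of-band check that
# every slave holds byte-identical zone data. Host names, paths, the
# $REMOTE/$SYNC variables and the rndc reload step are assumptions.
set -eu

ZONE_DIR="${ZONE_DIR:-/var/named/zones}"   # assumed: same layout on master and slaves
SLAVES="${SLAVES:-}"                        # e.g. "ns1.front.example ns1.app.example"
REMOTE="${REMOTE:-ssh}"                     # invoked as "$REMOTE host command"; ssh in production
SYNC="${SYNC:-rsync}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}" # assumed config path

# Shell fragment printing "<sha256>  <path>" for every file under a zone
# directory in a fixed order. The same fragment runs on the master (locally)
# and on each slave (via $REMOTE) so both sides hash identically; it assumes
# GNU coreutils sha256sum on every host and a zone path without whitespace.
manifest_cmd() {
    printf 'cd "%s" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2' "$1"
}

local_manifest()  { sh -c "$(manifest_cmd "$1")"; }
remote_manifest() { "$REMOTE" "$1" "$(manifest_cmd "$2")"; }

# Push from the master to one slave. The slave never opens a connection back
# to the master: rsync rides the master's outbound ssh session and the reload
# is triggered over the same session. named.conf is syntax-checked before
# anything is copied so a broken config is never shipped.
push_to_slave() {
    host="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$NAMED_CONF"
    fi
    "$SYNC" -az --delete -e "$REMOTE" "$ZONE_DIR/" "$host:$ZONE_DIR/"
    "$REMOTE" "$host" "rndc reload"
}

# The "extra-DNS" assurance from the thread: compare each slave's manifest
# with the master's and report every host whose on-disk zone data differs
# (a lost NOTIFY or a failed push shows up here regardless of SOA serials).
# Prints one "OK <host>" or "DIFF <host>" line per slave; returns 1 if any differ.
verify_slaves() {
    want="$(local_manifest "$ZONE_DIR")"
    bad=0
    for host in $SLAVES; do
        if got="$(remote_manifest "$host" "$ZONE_DIR" 2>/dev/null)" \
           && [ "$got" = "$want" ]; then
            echo "OK   $host"
        else
            echo "DIFF $host"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: ZONE_DIR=... SLAVES="..." ./zonepush.sh push|verify
case "${1:-}" in
    push)   for h in $SLAVES; do push_to_slave "$h"; done && verify_slaves ;;
    verify) verify_slaves ;;
esac
```

Two practitioner notes. The key the master uses should be restricted on every slave with a `command=` (and `from=`) entry in that host's authorized_keys so that, if the management LAN host is compromised, the key can only run the sync and the reload. And the manifest check proves that the files on disk match; it says nothing about what named has actually loaded, so pair it with the exit status of `rndc reload` or an SOA query against each slave.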