Change records in DNS slave if master is offline
Mark Elkins
mje at posix.co.za
Sun Dec 19 14:37:00 UTC 2021

Apart from master/slave now being Primary/Secondary.... (mindset change
after 25 years of DNS management)

... I kind of like the idea - except if the Primary server is DNSSEC
Signing that zone (and DNSSEC is a really smart thing to be able to do)
then editing a Secondary is not a very simple thing to do. The DNSSEC
keys (zsk/ksk/(csk)) are not shared with the transfer of a zone - so
locally signing on a Secondary would be a challenge.

I guess in an emergency one could remove the DNSSEC records from the
Zone along with removing the DS records from the parent. It would then
be safe to edit a text version on the Secondary and better still,
promote it to being the new Primary. Generally though, one can usually
afford for a Primary to be down for a short time until things are fixed.

Having a contingency plan to switch your Primary to a different
(currently Secondary) server along with all the DNSSEC configuration
would be a useful exercise. Have all the same DNS tools on that backup
server that you already have on the current Primary server.

On 12/19/21 3:12 PM, Richard Doty wrote:
> Having text files makes editing easier, but you still want to keep the
> slaves the same - making the identical edit multiple times is some
> work, but may not actually happen depending on circumstances (people
> make mistakes)
>
> I like to make all the servers 'masters' - so whoever has the highest
> serial number wins. Then if you update one slave, it is automatically
> synced to the others. This might conflict with however you populate
> your true master.
>
> On Fri, Dec 17, 2021 at 6:30 AM Roberto Carna <robertocarna36 at gmail.com> wrote:
>
> Warren, thanks a lot....with the masterfile-format clause it works OK.
>
> Greetings!!!
>
> On Thu, 16 Dec 2021 at 15:43, Warren Kumari (<warren at kumari.net>) wrote:
> >
> > On Thu, Dec 16, 2021 at 10:37 AM Roberto Carna <robertocarna36 at gmail.com> wrote:
> >>
> >> Dear all, I have one BIND9 server as master and 3 as slaves.
> >>
> >> The master and one slave are in a given site #1, and the other two
> >> slaves are in a geographical different site #2.
> >>
> >> In case site #1 goes offline, I need to edit records in both slaves
> >> from site #2, in order to point some services to other public IP's for
> >> contingency.
> >>
> >> My question is:
> >>
> >> What is the recommended way to edit the records from a BIND9 slave?
> >> Because the zone files are binary files
> >
> >
> > Yup, if you are running (IIRC) > v9.9.x, the default is binary files.
> > You can convert these back to text with:
> > named-compilezone -f raw -F text -o example.com.text example.com example.com.binary
> >
> > You can also change the default in named.conf:
> > options {
> >     // many many options
> >     masterfile-format text;
> >     //
> >     // many other options
> >     //
> > };
> >
> > The raw (binary) zone files are good for large zones, but for small zones, where speed isn't super important, text format works just fine...
> > W
> >
> >
> >>
> >> and using the Webmin interface
> >> is blocked.
> >>
> >> The only manner is changing the configuration from slave to master?
> >>
> >> Thanks in advance, greetings!!!
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users
> <https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe
> from this list
> >>
> >> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/
> <https://www.isc.org/contact/> for more information.
> >>
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
> >> https://lists.isc.org/mailman/listinfo/bind-users
> <https://lists.isc.org/mailman/listinfo/bind-users>
> >
> >
> >
> > --
> > The computing scientist’s main challenge is not to get confused by the
> > complexities of his own making.
> > -- E. W. Dijkstra
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
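
The pre-edit check implied by the message above, as an added example that is not part of the original thread: before hand-editing a text-format zone on a Secondary, confirm it carries no DNSSEC records, then increment the SOA serial. The function names are hypothetical, the sample zone is constructed, and the one-record-per-line layout of the text file is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Input: a text zone file, one record per
# line as "owner TTL CLASS TYPE RDATA" (assumed layout of the converted file).

# List the DNSSEC record types found in zone file $1, one per line.
dnssec_types() {
    awk '$3 == "IN" && $4 ~ /^(DNSKEY|RRSIG|NSEC|NSEC3|NSEC3PARAM|CDS|CDNSKEY)$/ { print $4 }' "$1" | sort -u
}

# Exit 0 only when zone file $1 carries no DNSSEC records, i.e. a hand edit
# cannot leave stale signatures behind.
safe_to_edit() {
    [ -z "$(dnssec_types "$1")" ]
}

# Print the SOA serial of zone file $1.
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }' "$1"
}

# Print zone file $1 with the SOA serial incremented (32-bit wrap-around),
# so the other Secondaries see the edited copy as newer.
bump_serial() {
    awk '$3 == "IN" && $4 == "SOA" { $7 = sprintf("%.0f", ($7 + 1) % 4294967296) }
         { print }' "$1"
}

# Constructed sample zone (documentation names and addresses only).
zone=$(mktemp)
cat > "$zone" <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2021121601 3600 900 604800 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.10
EOF

if safe_to_edit "$zone"; then
    bump_serial "$zone" > "$zone.new"
    echo "unsigned zone, serial $(soa_serial "$zone") -> $(soa_serial "$zone.new")"
else
    echo "zone is signed ($(dnssec_types "$zone" | tr '\n' ' ')); do not hand-edit" >&2
fi
rm -f "$zone" "$zone.new"
```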