Speed of BIND vs. W2k DNS

Danny Mayer mayer at gis.net
Mon Dec 25 01:06:27 UTC 2000


At 04:33 AM 12/24/00, Jim Reid wrote:
> >>>>> "alevey" == alevey  <alevey at home.com> writes:
>
>     alevey> Insecure updates work fine between BIND & W2K-DNS
>
>This is like saying banks work just fine if the door to the vault is
>left wide open to everyone who wants to deposit or withdraw money.
>
>     alevey> You missed a HUGE aspect of W2K DNS... multi-master. No single
>     alevey> point of failure, unlike BIND.
>
>IIUC, multi-master is needed in W2K for Active Directory, not DNS.
>
>The "single point of failure" you refer to is in fact fundamental to
>the DNS. It's not a feature of BIND per se. All DNS implementations
>are supposed to have a single, definitive place where updates to a
>zone contents are performed. I quote from RFC1034:
>
>         The general model of automatic zone transfer or refreshing is
>         that one of the name servers is the master or primary for the
>         zone.  Changes are coordinated at the primary, typically by
>         editing a master file for the zone.

         While it's true that the primary may be considered a single point
   of failure, if it does go down or becomes unavailable the secondaries are
   there to pick up the load.  You can increase availability by adding
   servers.  If the primary is unavailable for any length of time, one of the
   secondaries can become the primary or you can have a backup server
   available to replace the primary at its IP address.  No one will even
   notice that the primary isn't available.

>In places where this single point of failure *really* matters - and
>there aren't that many of them - there are plenty of solutions:
>redundant hardware, "fault tolerant" OS'es, "high availability"
>subsystems like ServiceGuard, disk mirroring, etc, etc.
>
>As for this multi-master stuff being a benefit, we can agree to
>differ. Firstly, there's no openly published or agreed protocol for
>doing this. So there's no way for non-M$ DNS implementations to
>participate. This is probably only acceptable to the people who want
>to hand over their DNS (and therefore their network) to Microsoft. The
>next issue is that any multi-master scheme will have a complicated
>replication and resynchronisation mechanism. If updates are allowed
>while this is in progress, you could end up in an infinite loop of
>replicating master servers. If you don't, you have a single point of
>failure which eliminates the justification for multi-mastering. Thirdly,
>IIUC, the multi-master features in W2K depend on the masters being
>continuously in touch with each other. Can you tell me what
>happens when host A sends an update to multi-master server X at the
>same time as host B sends a conflicting update to multi-master server
>Y? Suppose A's update means B's fails and vice versa. What if X and Y
>can't talk to each other and what happens once connectivity between
>them is restored?

         The last time I dealt with Microsoft's LDAP implementation it was
   using SQL Server as a back-end database to hold the data, not exactly
   the best way to store a tree-type structure.  Active Directory is the next
   version of this LDAP and is what I half-jokingly refer to as Heavyweight
   LDAP because of the "features" that they added which slow things down
   considerably.  People I know in the LDAP standards community tell me that
   they also violated LDAP standards in a number of ways.  I do believe that they
   have solved the problems that Jim mentions above, which doesn't mean
   you should depend on it.  VMS Clustering faced the same issues back
   in the early 80s and nobody believed it worked; now everyone wants to do
   it.  Active Directory is the replacement strategy for the Microsoft Domain
   Controllers and in that role is probably adequate and will scale better.  On
   the other hand, having DNS store its data in Active Directory doesn't
   in any way mean that the DNS is more robust or reliable.  Active Directory
   is just a storage mechanism for MS DNS and you still have the same
   issues about whether or not you have a single point of failure with the
   primary.

>     alevey> People have seen problems using BIND and DDNS in a W2K
>     alevey> enviro. Mostly with BIND not taking the updates
>     alevey> properly. A records I think....
         Yes, BIND is a) not allowing invalid characters in host names and
   domain names to be added; and b) not allowing updates from unauthorized
   hosts if set up properly.  So what point are you trying to make? We're
   trying to increase security in BIND and reduce the amount of garbage
   records polluting the data.

                 Danny
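The two checks Danny lists at the end of his reply, (a) rejecting owner names with characters that are not legal in a host name and (b) refusing updates from hosts that are not in the allow-update ACL, are modelled below in a small Python example. This is an added example and is not code from the original thread or from BIND itself. The host-name rule is the RFC 952/1123 syntax that BIND's check-names enforces on the owner of an A record (letters, digits and hyphen, labels of 1 to 63 octets, no leading or trailing hyphen, 253 octets total); the ACL is a stand-in for an allow-update { ...; } clause with hypothetical addresses, and the sample updates, including a W2K-style machine name with an underscore, are constructed. SRV owner names such as _ldap._tcp are deliberately left alone, since check-names does not apply the host-name rule to them.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Hypothetical allow-update ACL, the equivalent of BIND's
#   allow-update { 192.0.2.0/24; };
ALLOWED_UPDATERS: List[str] = ["192.0.2.0/24"]

# One RFC 952/1123 host-name label: starts and ends with a letter or digit,
# may contain hyphens in between, 1 to 63 octets.  Underscore is not allowed.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """The check BIND's check-names applies to the owner name of an A record."""
    name = name.rstrip(".")          # accept fully-qualified names ending in '.'
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_authorized(source_ip: str, acl: Iterable[str]) -> bool:
    """True if the update's source address falls inside the allow-update ACL."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in acl)


def gate_update(source_ip: str, owner: str, rtype: str,
                acl: Iterable[str] = ALLOWED_UPDATERS) -> Tuple[str, str]:
    """Decide whether one dynamic update is accepted, returning (rcode, reason).

    Order matches what a server does: authorization first (an unauthorized
    client never gets to add anything), then name syntax for A-record owners.
    """
    if not is_authorized(source_ip, acl):
        return ("REFUSED", "source not in allow-update ACL")
    if rtype == "A" and not is_valid_hostname(owner):
        return ("REFUSED", "owner name fails check-names")
    return ("NOERROR", "accepted")


# Constructed sample updates: (source address, owner name, RR type).
SAMPLE_UPDATES: List[Tuple[str, str, str]] = [
    ("192.0.2.10",   "ws01.example.com.",       "A"),    # clean name, allowed host
    ("192.0.2.11",   "sales_pc.example.com.",   "A"),    # underscore: the classic W2K failure
    ("192.0.2.12",   "-bad.example.com.",       "A"),    # leading hyphen
    ("198.51.100.5", "ws02.example.com.",       "A"),    # valid name, host outside the ACL
    ("192.0.2.13",   "_ldap._tcp.example.com.", "SRV"),  # SRV owner: exempt from the host-name rule
]


def gate_all(updates: Iterable[Tuple[str, str, str]] = SAMPLE_UPDATES) -> Dict[str, Tuple[str, str]]:
    """Run every sample update through the gate, keyed by owner name."""
    return {owner: gate_update(ip, owner, rtype) for ip, owner, rtype in updates}


if __name__ == "__main__":
    for owner, (rcode, reason) in gate_all().items():
        print(f"{owner:28s} {rcode:8s} {reason}")
```

The underscore case is the one most often reported as "BIND not taking the updates properly": the record is refused because the name is not a legal host name, not because the update mechanism is broken. A source-address ACL is shown here because that is the check the message describes; in practice an IP-based allow-update is weak (addresses are spoofable), and signing updates with TSIG keys is the stronger configuration.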