Sysquery Errors

[Kevin Darcy]

Jim Reid wrote:

> >>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
>
>     >> Also, make sure your internal root servers are master or slave
>     >> for the root zone. Master is preferable as root zones tend to
>     >> require special administration rather than routine reloading
>     >> and zone transfers.
>
>     Kevin> Hmmm?? I've been running an internal root for years and
>     Kevin> I've never had any problems with a regular master/slave
>     Kevin> setup. I think BIND 8 fixed all of the pre-existing
>     Kevin> root-slave problems...
>
> The "special administration" I was alluding to did not concern the
> name servers or the DNS protocol. They work just fine. I meant the
> control of the contents of the root zone: who's allowed to change it
> and put the new root zone on the name servers; the change windows when
> this can be done; access permissions on copies of the root zone file;
> when servers can be reloaded/restarted; CM procedures and audit
> trails; etc, etc.

These considerations strike me as arguments for having
*less* root-masters, not *more*. With a "single master, multiple
slaves" setup, you only need a *single* set of access rights, change
procedures, audit trails, maintenance windows, etc. since the slaves just
update automatically.

> As you say, there's no technical reason preventing
> the root zone being slaved in the usual manner: a zone is a
> zone. However there can be procedural and organisational reasons for
> not doing that as a matter of routine. And sometimes the zone
> propagation delay - even with NOTIFY - takes too long. This can
> present problems for any critical DNS zone, especially the root.

Good point. To speed up change propagation beyond the NOTIFY level
entails using some sort of out-of-band replication mechanism, and this
almost certainly requires configuring all of the slaves as
(pseudo-)masters.

Fortunately, I've never had such strict change-propagation requirements
for our internal root zone.


- Kevin