my local zone rejected

Kevin Darcy kcd at daimlerchrysler.com
Fri Apr 20 01:05:51 UTC 2001


Jim Reid wrote:

> >>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
>
>     >> And try to use the YYYYMMDDVV convention for the SOA Serial
>     >> Number.
>
>     Kevin> Why? That becomes meaningless as people migrate to Dynamic
>     Kevin> Update-based maintenance systems.
>
> True, but why would anyone want/need to manage their zones with
> Dynamic DNS? Why give up audit trails, good change control and
> well-commented zone files?

Audit trails and change control can and probably should be done outside
of the zonefiles themselves.

What kind of comments are you referring to? If they're just "zonefile
navigation aids", e.g. "delegations start here", then that's a circular
justification -- once it's no longer necessary to navigate zone files,
then the need for the comments evaporates.

If the comments contain non-DNS-information, e.g.
asset/location/contact information for the objects in the zonefile,
then due to the variable and/or amorphous nature of such data, it
probably also belongs somewhere else, so that it can be
searched/maintained/updated in more sophisticated ways. We're in the
process, for instance, of migrating much of that kind of information to
an LDAP directory/database.

As for the benefits of Dynamic Update-based maintenance, how about
better integration with DHCP and/or Active Directory, instant
availability of updates on the master, and the ability to elegantly and
securely delegate remote administration of the same zone(s) to multiple
organizations? For example, who needs RFC 2317 ugliness when different
orgs can update the same /24 reverse zone directly? Also, Dynamic
Update-based maintenance facilitates greater separation of the
DNS maintenance frontend (web-based, in our case) from the DNS server
itself, which can be a great benefit in terms of maintainability and
security. Granted, many of the commercial DNS management products also
facilitate this separation, but only at the cost of putting an RDBMS in
between the frontend and the nameserver component. I think that's an
unnecessary complication and expense, personally.


- Kevin
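Added example, not part of Kevin's post: a BIND 9 named.conf fragment showing the two points he makes, namely several organisations updating one /24 reverse zone directly (no RFC 2317 sub-delegation), each confined by update-policy to its own PTR names, and the audit trail kept outside the zonefile via the update logging categories. The zone name, key names, addresses and log path are constructed, and the key secrets are placeholders.

```conf
// Per-organisation TSIG keys; each change is signed, so the log below
// records which organisation made it. Secrets are placeholders: generate
// real ones with BIND's tsig-keygen and never reuse one across orgs.
key "org-a-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-ORG-A";
};

key "org-b-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-ORG-B";
};

// Audit trail kept outside the zonefile: every accepted update, and every
// rejected one, goes to a rotated log rather than into zonefile comments.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 10 size 20m;
        print-time yes;
        print-category yes;
    };
    category update { update_log; };
    category update-security { update_log; };
};

// One /24 reverse zone shared by both organisations (constructed name).
zone "2.1.10.in-addr.arpa" {
    type master;
    file "dynamic/2.1.10.in-addr.arpa.db";
    // update-policy (not allow-update; the two are mutually exclusive).
    // "grant <key> name <owner> <rrtypes>" matches the owner name exactly,
    // so org A cannot touch org B's entries, neither can add any type but
    // PTR, and nobody can alter the SOA/NS records at the zone apex.
    update-policy {
        grant org-a-key name 10.2.1.10.in-addr.arpa. PTR;
        grant org-a-key name 11.2.1.10.in-addr.arpa. PTR;
        grant org-b-key name 20.2.1.10.in-addr.arpa. PTR;
        grant org-b-key name 21.2.1.10.in-addr.arpa. PTR;
    };
};
```

The SOA serial is then maintained by the server on each accepted update, which is why a YYYYMMDDVV serial convention stops carrying meaning once a zone is dynamic.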


