Request For Help: Large Scale DNS/ip management, servers, tools/products

Brad Knowles brad.knowles at skynet.be
Thu Aug 2 07:23:05 UTC 2001


At 1:14 AM -0400 8/2/01, Ray Bush wrote:

>  If anyone with experience with one or more of the following dns/ip
>  management tools/products (or others I may not yet have seen) in similar
>  situations could comment or share their experiences with these products
>  it would be greatly appreciated.  I would be willing to summarize as I
>  will have to do so anyhow.  We would prefer a solution that stays with
>  bind as most of our people are familiar with it but this is not entirely a
>  necessity depending on the solution(s).
>
>  bind
>  http://www.isc.org/products/BIND/

	BIND in and of itself can't really do the sorts of things you're 
talking about, not without some outside assistance.  Sure, you could 
issue everyone TSIG keys and work on server-side ACLs from there, but 
that only allows you to securely edit information within a zone, and 
doesn't allow you to make meta-data changes to the zones themselves.

	Besides, it's a purely command-line interface, and I doubt that 
most of your less experienced people would be willing/interested in 
working that way.

>  qip
>  http://www.qip.lucent.com/
>
>  Check point Meta IP
>  http://www.checkpoint.com/products/metaip/index.html

	I've heard about these two products, but I don't really know much 
of anything about them.  I've heard comments on the list that QIP can 
be used to manage on the order of about a million DNS records in an 
ISP setting, but I also know that it had been tried at AOL and found 
desperately wanting.

>   Quick DNS
>  http://www.miceandmen.com/

	The current version of QuickDNS is really aimed at a much smaller 
environment.  It doesn't allow you to delegate authority for 
different aspects of operations, so anyone who has access to the tool 
can make any change they want to any part of your DNS that is managed 
with it.

	For the SOHO user who doesn't really need to understand much of 
anything about the DNS, it's probably a very good choice (and 
QuickDNS Manager can now be used with a server-side tool to manage a 
BIND nameserver on a *nix platform).

	However, for any kind of a real company, the person who manages 
the DNS should really understand what it is they're managing, and 
using a crutch like QuickDNS is not a good way to do that.  For 
larger enterprises, it would be fine for the main Domain 
Administrator to have deep knowledge of the DNS, while others working 
for him/her could be allowed to use tools like QuickDNS, but since 
QuickDNS doesn't have any sense of partial delegation of authority, 
this really isn't appropriate.


	I would expect that future versions of QuickDNS will fully 
incorporate their DNS Expert tool, and will either outright prevent 
you from doing anything that would cause DNS Expert to squawk, or 
will at least give you a strong warning before allowing you to do 
anything potentially dangerous.


	QuickDNS has a lot of potential, and in the limited niche where 
it currently fits, I think it's a very good tool.  But it's not quite 
there yet.

>  Adonis
>  http://www.bluecatnetworks.com/
>
>  3-dns
>  http://www.3dns.com/f5products/3dns/index.html
>
>  Ganymede
>  http://www.arlut.utexas.edu/gash2/

	I knew that F5 Labs had some sort of a DNS management tool, but I 
had never heard the name before.  I do not believe that I have heard 
of these other products, however.

>  djbdns
>  http://cr.yp.to/djbdns.html

	I won't comment much on this program, except to say that you 
should do searches on the archives of this list to see what various 
people are saying about it.  Myself, I'm working on a list of things 
that I believe are inherently broken with this program, and so far 
I've gotten up to number nineteen (and I think I saw number twenty 
come across the list within the last few days).


	I think that there are a few other products that are available 
which you have not listed above.  See 
<http://www.isc.org/products/BIND/vendorware.html> and 
<http://www.dns.net/dnsrd/servers/> for more information.

-- 
Brad Knowles, <brad.knowles at skynet.be>
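
The per-user TSIG key and server-side ACL approach mentioned in the reply, sketched as a named.conf fragment. This is an added example, not part of the original message; the key names, zone name, file path and secrets are constructed placeholders, and hmac-sha256 is an assumed choice of key algorithm.

```conf
// Constructed example: every name and secret below is a placeholder.

// One TSIG key per administrator, so each update is attributable
// and a single key can be revoked without affecting the others.
key "alice.example.com." {
    algorithm hmac-sha256;
    secret "<base64-secret-for-alice>";
};

key "bob.example.com." {
    algorithm hmac-sha256;
    secret "<base64-secret-for-bob>";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Server-side ACL for dynamic updates: rules are checked in
    // order, and an update matching no grant is refused.
    update-policy {
        // alice may change any record type at or below eng.example.com
        grant alice.example.com. subdomain eng.example.com. ANY;

        // bob may change only address records at or below sales.example.com
        grant bob.example.com. subdomain sales.example.com. A AAAA;
    };
};
```

The grants only cover records inside the zone. Adding or removing a zone, or changing its options, is outside what update-policy controls, which is the limitation the reply points out.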



More information about the bind-users mailing list