DNS Administration Automation

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 2 23:57:24 UTC 2001


Marc.Thach at radianz.com wrote:

> Kevin wrote:
> > And what if the database gets out of synch with what's
> > in DNS (shouldn't be an issue if you use BIND 9's
> > capability of loading zone data directly from a backend
> > database, but it's a big issue if you use BIND 8 or
> > anything other than the standard mechanism for getting
> > BIND to load from a database)? I see no reason why a
> > separate database should be necessary
>
> Kevin,
> I'd assumed (never a good idea I guess) that you did use a backend database
> for your scheme, and I'd been meaning to fire off a mail to you asking that
> very question, how do you verify the consistency of the DNS vs the database
> and rebuild if required?  Now clearly you don't, but then your master data
> is the DNS itself, so how do you backup correctly, or is it a stealth
> master which you just take off-line for backups?

Yes, it is more-or-less a "stealth master", in the sense that I don't point
regular stub resolvers at it. If it's down, the only real impact is that
no-one can make changes for a while. I could, I suppose, take it off-line
occasionally to run backups.

But, why bother? The slaves are the backups. I can easily and quickly
reconfigure any of the published slaves to become the new master. True, there
is a risk of losing updates that hadn't propagated yet. But there's *always* a
risk of losing updates which occur between "backups", regardless of whether
the "backup" in question is a zone-transfer, a tape backup, flushing a disk
buffer to a RAID, or whatever. With NOTIFY, my slaves aren't ever out-of-synch
for very long. And it's not like we do many thousands of updates a day.

I suppose I'll have to automate the reconfigure-slave-as-master process when
Dynamic Update becomes more mission-critical (e.g. when we deploy Active
Directory for real)....


- Kevin
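The reconfigure-slave-as-master step Kevin mentions automating, as an added example that is not part of the original thread: a small Python helper that rewrites `type slave` zone stanzas in a BIND named.conf fragment into master stanzas, dropping the `masters` clause, adding `also-notify` so the remaining slaves hear about changes promptly, and adding `allow-update` so Dynamic Update keeps working. The zone name, addresses and file paths are constructed placeholders.

```python
import re

# Constructed sample: a named.conf fragment as it would appear on a published slave.
# Zone name, addresses and paths are placeholders, not values from the original mail.
SLAVE_CONF = """\
zone "example.test" {
    type slave;
    file "slaves/example.test.db";
    masters { 192.0.2.10; };
    allow-transfer { 192.0.2.0/24; };
};
"""

# One zone stanza: name, then the body up to the closing '};' on its own line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)

def promote_slave_zones(conf, notify_targets=None, update_acl="localhost"):
    """Rewrite every 'type slave' stanza in conf as a master stanza.

    - 'masters' is removed (a master has no upstream; BIND rejects the combination),
    - 'also-notify' is added so the other slaves are told about new serials,
    - 'allow-update' is added so dynamic updates can continue on the new master,
    - 'file' is kept: the transferred copy becomes the master zone file.
    Returns (new_conf, list_of_promoted_zone_names).
    """
    promoted = []
    def rewrite(m):
        name, body = m.group(1), m.group(2)
        if not re.search(r'\btype\s+slave\s*;', body):
            return m.group(0)                      # master/hint/stub zones untouched
        lines = [l for l in body.strip('\n').splitlines()
                 if not re.match(r'\s*masters\s*\{', l)]
        lines = [re.sub(r'type\s+slave\s*;', 'type master;', l) for l in lines]
        if notify_targets:
            lines.append('    also-notify { %s };' % ' '.join(t + ';' for t in notify_targets))
        lines.append('    allow-update { %s; };' % update_acl)
        promoted.append(name)
        return 'zone "%s" {\n%s\n};' % (name, '\n'.join(lines))
    return ZONE_RE.sub(rewrite, conf), promoted

def zone_types(conf):
    """Map zone name -> zone type; a quick check before reloading named."""
    result = {}
    for m in ZONE_RE.finditer(conf):
        t = re.search(r'\btype\s+(\w+)\s*;', m.group(2))
        result[m.group(1)] = t.group(1) if t else None
    return result
```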
