More on BIND 9.1, Views, and Zone Transfers

Kevin Darcy kcd at daimlerchrysler.com
Mon Feb 12 22:21:12 UTC 2001


D. J. Bernstein wrote:

> On several previous occasions, Kevin has mentioned problems that are a
> pain to solve with zone transfers, and suggested server replication
> (via rsync, for example) as a superior solution. So I find it strange
> that Kevin is suddenly babbling about ``personality differences''
> and accusing me of choosing standards subjectively.

Allow me to set the record straight. *Most* of those situations involved
the replication of named.conf files, not actual zone files. The
presumption being that you'd create a "slave" copy of the master's
named.conf file (i.e. with all of the relevant "type master" declarations
changed to "type slave" and a list of masters provided for each zone), and
then use rsync-over-ssh to blast those out to all of the slaves. Note that
under this regime AXFR/IXFR is still used for the actual zone-data
replication. It just provides a somewhat convenient way to keep named.conf
files updated, since there is no IETF standard for synchronization of
nameserver configs. Note also that I have stated frequently that this is
*not* something I've actually implemented myself (my intranet slaves keep
their named.conf files up to date using a very different methodology).
What I usually say is "Dan Bernstein recommends..." and let people judge
the value of that recommendation for themselves.

According to my archives, there were also a couple of niche cases where
I mentioned using rsync-over-ssh for replication of zone data as well. In
one case, a poster wasn't satisfied with the speed of NOTIFY convergence
and was looking for something faster. In the other, a poster was trying to
implement "multi-master replication" (which could be approximated using
rsync-over-ssh and some scripting glue). But these are hardly typical
requirements. To be sure, unusual requirements sometimes require bypassing
standards. But DJBdns, as far as I can see, is selective/arbitrary about
which standards it honors even while claiming to be suitable for
*general* use. Which I think is quite unfortunate. AXFR is something that
BIND can use without having to install multiple software packages on the
box, generate and distribute keys, modify system files, etc., and is
perfectly suitable for the vast majority of situations. BIND's replication
options also include IXFR and/or TSIG authentication with a minimum of
additional configuration. I think DJBdns would be more palatable if it
offered similar options in tinydns.


- Kevin
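The "slave copy of the master's named.conf" scheme described in the message above (rewrite every `type master` zone as `type slave` with a `masters` list, then push the result to the slaves over rsync/ssh while AXFR/IXFR still carries the zone data) is easy to script. The following is an added example and is not code from the original post, from BIND, or from Kevin; the sample named.conf, the master address 192.0.2.1 and the optional TSIG key name `xfer-key` are constructed for the illustration, and the parser assumes the common layout in which each zone's closing `};` sits at the start of its own line.

```python
import re
from pathlib import Path

# Constructed sample of a master's named.conf (not from the original post).
MASTER_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

zone "." {
    type hint;
    file "named.ca";
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-update { none; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "master/192.0.2.rev";
};
"""

# Assumed address of the master server (documentation range, RFC 5737).
MASTER_ADDR = "192.0.2.1"

# One zone block per match. Assumes the zone's closing "};" starts a line,
# so nested "{ ... };" statements inside the zone do not end the match early.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"(\s+IN)?\s*\{\n(.*?)\n\};', re.S)

# Statements that only make sense on the master; a slave must not carry them.
MASTER_ONLY = ("allow-update", "update-policy", "also-notify")


def to_slave_zone(match, master_addr, tsig_key=None):
    """Rewrite one matched zone block; non-master zones pass through unchanged."""
    name, cls, body = match.group(1), match.group(2) or "", match.group(3)
    if not re.search(r'\btype\s+master\s*;', body):
        return match.group(0)          # hint / forward / stub zones stay as-is
    masters = "masters { %s%s; };" % (
        master_addr, " key %s" % tsig_key if tsig_key else "")
    lines = []
    for stmt in body.strip().splitlines():
        stmt = stmt.strip()
        if not stmt:
            continue
        if re.match(r'type\s+master\s*;', stmt):
            lines.append("type slave;")
            lines.append(masters)
        elif stmt.startswith(MASTER_ONLY):
            continue                   # drop master-only statements
        elif stmt.startswith("file"):
            # keep the file's basename but point it at a slave-owned directory
            fname = re.search(r'"([^"]+)"', stmt).group(1)
            lines.append('file "slave/%s";' % Path(fname).name)
        else:
            lines.append(stmt)
    inner = "\n".join("    " + l for l in lines)
    return 'zone "%s"%s {\n%s\n};' % (name, cls, inner)


def make_slave_conf(master_conf, master_addr=MASTER_ADDR, tsig_key=None):
    """Return the slave-side named.conf derived from a master's named.conf.

    With tsig_key set, each masters entry names the key (e.g. "key xfer-key")
    so the slave signs its AXFR/IXFR requests with TSIG; the matching key
    statement must already exist on both sides.
    """
    return ZONE_RE.sub(lambda m: to_slave_zone(m, master_addr, tsig_key),
                       master_conf)


if __name__ == "__main__":
    print(make_slave_conf(MASTER_NAMED_CONF, tsig_key="xfer-key"))
```

The generated file is what would then be pushed out, for example with `rsync -e ssh slave-named.conf slave1:/etc/named.conf`; the zone data itself still arrives by AXFR/IXFR, exactly as the message describes. Before installing the result, run `named-checkconf` on it, and remember that the `allow-transfer` list in `options` still belongs on the master, not on the slaves.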




More information about the bind-users mailing list