Dynamic DNS (was Re: h2n 2.38)

Brad Knowles brad.knowles at skynet.be
Fri Jun 15 19:16:20 UTC 2001 

At 2:43 PM -0400 6/15/01, Kevin Darcy wrote:

>>  Lack of proper audit trails,
>
>  This problem is not specific to the use of DDNS. In fact, at least with
>  DDNS you have an idea in named's logs of what was changed. With a
>  non-DDNS-based maintenance system, like one which spews out zonefiles
>  from an external database e.g. an SQL database, you have no inkling in
>  named's logs as to what has changed in the zone, if anything. Any logging
>  that is done has to be done in the maintenance system itself.

	Of course you build in those kinds of things when you're 
designing a "real" database-driven solution.  The problem is that 
attempting to use DDNS for this means you have no possibility of 
these kinds of controls, unless you do so through wrappers to the 
nsupdate program, and you sock it away somewhere so that no one else 
can find it or use it.

>>  weak
>>  change controls,
>
>  Ditto. This problem is not specific to the use DDNS.

	No, but the DDNS makes it impossible to implement, without a wrapper.

>>  scaling,
>
>  Not sure what is meant here. If anything, DDNS would seem to scale better
>  because the changes are made incrementally. Most non-DDNS maintenance
>  systems I've seen -- including my old legacy system that I replaced with
>  a DDNS-based one -- reload a whole zone (or even the whole nameserver!)
>  after each update. That's not very scalable for a high frequency of
>  updates.

	Trust me, an Oracle Parallel Server application can be made to 
scale to levels of performance that you could only *dream* about with 
BIND.

>>  security,
>
>  I don't understand this criticism. DDNS updates can be secured with
>  TSIG (or I presume, with DNSSEC in BIND 9) *in*addition*to* whatever
>  security mechanisms you have embedded in the maintenance system itself.

	You don't have fine-grained authentication and control over who 
can update what.  With a proper database solution, you can have 
precisely that, on a per-record and per-field basis, along with 
having it automatically fill in the change log information of who did 
what when, having trivial rollback capability, etc....

	With a pure DDNS solution, you may know what happened and when, 
but you don't know why, by whom, or have any kind of rollback 
capability.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'

More information about the bind-users mailing list