DNS push mechanism.

John Wobus jw354 at cornell.edu
Fri Oct 28 17:30:10 UTC 2005


Use your rsync/ssh-type mechanism, making them all DNS masters.  This has been a common practice among DNS admins for literally decades.  Elegance is in the eye of the beholder: I happen to appreciate the beauty of "extra-BIND/DNS" assurance that the zone data is indeed identical in all of the zone's authoritative servers, despite update-cycle times, lost notifies, etc.  The scheme can also lend elegance to appropriate handling of named.conf updates.

The DNS's own mechanism is the notify/pull mechanism, which you are bound to avoid.

John

On Oct 27, 2005, at 8:57 PM, Steven Hajducko wrote:

> Hi,
>
> Due to the nature of our environment and security concerns, I have to come up with some way to push DNS zones from our master server to slave servers in each of our environments.  Here's a better explanation.
>
> We have some typical environments in the sense of a 3-tier setup.  Front - Application - Backend Data.  We also have several clones of this environment.  In order to try and centralize management, we also have a management lan off to the side.  This management lan is where we host our primary named server.  However, our security prevents us from allowing the slave servers in each tier to pull zone information down from the master in the management lan.  Because of this, I have to develop a mechanism to ensure that:
>
> a) The transaction of the zone is done over TCP.
> b) The master pushes the zone to the slave and not vice versa.
>
> We are, under no circumstances, allowed to have the slaves initiate a connection to the master in order to download zone files, be it incremental or full zones.  I was curious if anyone else has come up with a mechanism for doing this or knows of a utility to do this?  At this point, I'm just considering using rsync over ssh ( a la djbdns ) to do the transfers anytime an update is made, but I'd like to see if there is a more... elegant.. solution.
>
> Any help would be appreciated.
>
> Thanks.
>
> --
> sh
>
>
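The push scheme discussed above, as an added example that is not from either poster: the master validates the zone file, pushes it to each slave over ssh (so only the master ever opens a connection, over TCP), reloads named there, and then checks that every server answers with the same SOA serial. Hostnames, zone name and file path are constructed placeholders; it assumes key-based ssh access, each slave configured as master for the zone, and rndc, named-checkzone and dig on the usual paths.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: the zone file lives at
# the same path on master and slaves, every slave is configured as a master
# for the zone (so rndc reload picks up the new file), and the master can ssh
# to each slave with a key. All names below are constructed placeholders.

ZONE="example.test"
ZONEFILE="/var/named/db.example.test"
SLAVES="ns1.front.example.test ns2.app.example.test"

# Print the serial (third field) from a 'dig +short SOA' answer line.
soa_serial() {
    # $1 looks like: "mname rname serial refresh retry expire minimum"
    set -- $1
    printf '%s\n' "$3"
}

# Succeed only when every serial passed as an argument is identical.
all_equal() {
    first=""
    for s in "$@"; do
        if [ -z "$first" ]; then first="$s"; fi
        [ "$s" = "$first" ] || return 1
    done
    return 0
}

# Validate locally, then push and reload on each slave. Master initiates
# every connection; the slaves never contact the master.
push_zone() {
    named-checkzone "$ZONE" "$ZONEFILE" >/dev/null || return 1
    for host in $SLAVES; do
        rsync -e ssh -a --checksum "$ZONEFILE" "root@$host:$ZONEFILE" || return 1
        ssh "$host" rndc reload "$ZONE" || return 1
    done
}

# The "extra-DNS" assurance: ask every authoritative server (over TCP) for
# the SOA and confirm the serials agree.
verify_serials() {
    serials=""
    for host in localhost $SLAVES; do
        s=$(soa_serial "$(dig +short +tcp SOA "$ZONE" "@$host")")
        serials="$serials $s"
    done
    all_equal $serials
}
```

Run `push_zone && verify_serials` from the master after each zone edit; a non-zero exit from verify_serials means at least one server is still serving an older serial.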
