Why no function to automatically add new zones to slave servers?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Feb 13 14:25:21 UTC 2008


On Wed, Feb 13, 2008 at 10:10:02AM +0100,
 Sam M <sam.m at servwise.com> wrote 
 a message of 29 lines which said:

> I was just wondering why there is no function in Bind to automatically
> add/signal NEW zones to slave DNS servers?

No. There is currently no such function in the DNS protocol. So, it
would have to be done in a proprietary way, anyway.
 
There is a discussion at the IETF but no results yet:

http://www.bortzmeyer.org/files/draft-regnauld-ns-communication-00.html

> At the moment I have to add records to a slave zone file as well as
> a master zone file and transfer the slave zone file to my slave
> servers using a third-party transfer method e.g. sftp, https

That's strange. Why transfer the zone files yourself when DNS zone
transfer is there?

> I've heard some mention security issues, but I don't see why that
> can't be overcome, surely it can't be as bad as having to resort to
> some third-party method which is probably more insecure than
> building a properly secure method within the bind program itself.

The main issue is control: most nameserver administrators certainly
do not want new zones to appear without any approbation from them.

The security issue is not a technical one: sure, we can design new
protocols, but it does not give us a trust model.

ns3.nic.fr is a slave for ".cl" and ".my". We certainly do not want
any of them to be able to suddenly create new zones on this
machine.
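As an added illustration (not part of the thread, and not nic.fr's configuration), this is what the reply's alternative looks like in BIND: the master allows AXFR only to a shared TSIG key, the slave pulls each zone over DNS instead of sftp, and the slave's administrator still has to declare every zone by hand, which is the control point the reply insists on. The zone name, addresses and key value are placeholders.

```conf
// ---- master named.conf (example.com, 192.0.2.1) ----
// Shared TSIG key; the secret below is a placeholder, generate a real
// one with tsig-keygen and keep it out of world-readable files.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZQ==";   // placeholder, base64 of "replace-me"
};

zone "example.com" {
    type master;
    file "/var/named/master/example.com.zone";
    // Only transfers signed with the key are answered; an unsigned
    // AXFR from anywhere, including 192.0.2.2, is refused.
    allow-transfer { key xfer-key; };
    // NOTIFY tells the slave a new serial is ready, so it refreshes
    // immediately instead of waiting for the SOA refresh timer.
    also-notify { 192.0.2.2; };
};

// ---- slave named.conf (192.0.2.2) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZQ==";   // same placeholder secret as above
};

// Sign every query sent to the master with the key, so NOTIFY
// responses and SOA refresh checks are authenticated too.
server 192.0.2.1 {
    keys { xfer-key; };
};

// Each zone the slave serves is listed explicitly by its own admin.
// Nothing the master does can make a zone appear here that is not
// in this file; that is the "approbation" the reply refers to.
zone "example.com" {
    type slave;
    masters { 192.0.2.1 key xfer-key; };
    file "/var/named/slave/example.com.zone";
};
```

After editing the master zone and bumping its serial, `rndc reload example.com` on the master is enough; the slave refreshes on NOTIFY and no file copy is involved.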