Why no function to automatically add new zones to slave servers?

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Wed Feb 13 14:26:51 UTC 2008


On Wed, 2008-02-13 at 10:10 +0100, Sam M wrote:
> Please excuse if this is a subject that has been covered in depth before,
> but I needed to vent some frustration so here goes.
> 

Probably covered many times over.

I can't tell from the post specifically whether you're referring to
adding new zones to the server config, or if you mean the propagation
of changes to in-zone data between existing servers.

> I was just wondering why there is no function in Bind to automatically
> add/signal NEW zones to slave DNS servers?

Here it sounds like you have configured zones on your master and want
them to be automatically added to the slave's config. This doesn't, and
I imagine never would, happen automatically in "off the shelf" bind.

I am certain that people have written out-of-band (scripted) solutions.
I would also imagine something like this is built into DNS management
solutions and possibly also DLZ.

> 
> At the moment I have to add records to a slave zones file as well as a
> master zones file and transfer the slave zones file to my slave servers
> using a third-party transfer method e.g sftp, https or configure the slave
> servers to transfer the slave zone file from the master server at regular
> intervals.

Here it sounds like you mean the actual zone data. And for that a couple
of options come to mind.

Simply properly configuring zone transfers between servers in the first
place (along with write permissions for the named process owner in the
directory where zonefiles are stored) will prevent ever having to
manually copy zonefiles to the slave.

For faster replication of changes to zone data, you need to enable and
properly configure notify. 

Update is an option too, for getting data from DHCP-enabled clients into
the zonefile on the master in the first place, if adding RRs to your
zone files manually is not feasible or desired.

> 
> It seems to me this really makes things far more complex than they need to
> be. It does seem strange that such a vital part of the DNS setup
> (Redundancy) has been left to be bolted on in such a haphazard way.
> 
> I've heard some mention security issues, but I don't see why that can't be
> overcome, surely it can't be as bad as having to resort to some third-party
> method which is probably more insecure than building a properly secure
> method within the bind program itself.
> 
> Maybe I'm missing something and it can already be done like this. I know that
> some DNS server software can do this e.g. SimpleDNS on Windows.

Now that you've vented, posting an actual config might be useful.

> 
> Yours, lost and confused.
> 
> Sam
> 
> 
-- 
Jeff Reasoner
HCCA
513 728-7902 voice
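
The transfer, notify and update setup described in the reply above, written out as an added example (not from the original post, and not ISC's own documentation): named.conf excerpts for a master and a slave that authenticate zone transfers and NOTIFY with a shared TSIG key, and let a DHCP server add records to the master with a second, narrowly scoped key. The addresses (192.0.2.1 master, 192.0.2.2 slave), zone name, key names and file paths are assumptions, and the key secrets are dummy values.

```conf
// ---- shared: the same key statement goes in named.conf on BOTH servers ----
// Generate with:  tsig-keygen -a hmac-sha256 xfer-key
// and copy the output to the slave out of band. Keep it in a file that only
// the named user can read (mode 0640) and pull it in with an include.
// The secret below is 32 zero bytes in base64, a placeholder only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// ---- master (192.0.2.1) ----
// A separate key for dynamic updates, so the DHCP server cannot pull zones
// and the slave cannot write records. Dummy secret again.
key "dhcp-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

options {
    directory "/var/named";
    // Deny transfers globally; grant them per zone, by key, below.
    allow-transfer { none; };
    notify yes;
};

// Sign every message sent to the slave (including NOTIFY) with the key.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type master;
    // Because update-policy is enabled, named writes a journal next to this
    // file, so the master's "master" directory must be writable by named.
    file "master/example.com.zone";
    // Only a TSIG-signed request can AXFR/IXFR this zone; address lists
    // alone are spoofable, the key is not.
    allow-transfer { key "xfer-key"; };
    // Least privilege for DHCP: that key may only touch A/PTR-style
    // records directly under the zone, nothing else (no SOA, no NS).
    update-policy {
        grant "dhcp-key" wildcard *.example.com. A AAAA TXT;
    };
};

// ---- slave (192.0.2.2) ----
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    // named must be able to write here, or the transferred zone is never
    // saved to disk (e.g. chown named /var/named/slaves; chmod 750 it).
    file "slaves/example.com.zone";
    // Pull from the master and sign the transfer request with the key.
    masters { 192.0.2.1 key "xfer-key"; };
    // Accept NOTIFY only from the master; unsolicited notifies are ignored.
    allow-notify { 192.0.2.1; };
};
```

With this in place, a change on the master (a manual edit plus `rndc reload example.com`, or an `nsupdate -k` run signed with dhcp-key) bumps the SOA serial, the master sends a signed NOTIFY, and the slave pulls the zone with a signed IXFR/AXFR and rewrites `slaves/example.com.zone` itself; nothing is copied around by sftp or cron. Remember to bump the serial on manual edits, or the slave will never see the change. The per-zone `zone` block still has to be added to the slave by hand or by whatever script manages your configs; later BIND releases offer `allow-new-zones yes;` together with `rndc addzone` as a hook for such a script, but that is still an out-of-band mechanism, not something the master does for you.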
