(BIND) Re: Change records in DNS slave if master is offline

Hugo Salgado hsalgado at nic.cl
Sun Dec 19 14:53:18 UTC 2021


On 05:12 19/12, Richard Doty wrote:
> Having text files makes editing easier, but you still want to keep the
> slaves the same - making the identical edit multiple times is some work,
> but may not actually happen depending on circumstances (people make
> mistakes)
> 
> I like to make all the servers 'masters' - so whoever has the highest
> serial number wins.  Then if you update one slave, it is automatically
> synced to the others.  This might conflict with however you populate your
> true master.

An architecture that can be useful is that of the "hidden primary",
widely used in certain places.

The idea is to have one (or several) primary servers that are the
origins of the zone and of changes, that exist only to serve the
secondaries, and are neither public nor published in NS records; and all
those that are public (those that appear as NS) are secondary to these
primary ones.

That way you separate the functions. You can have the primary ones as
a backup of each other, and synchronize the zone with some mechanism
outside of DNS. And you can protect them to only answer queries and
AXFR from the secondaries (since they are not public). In the secondary
ones you can use "multi-master" (or maybe it is called "multi-primary"
now) so that they use any of the hidden ones.


Hugo


> 
> On Fri, Dec 17, 2021 at 6:30 AM Roberto Carna <robertocarna36 at gmail.com>
> wrote:
> 
> > Warren, thanks a lot....with the masterfile-format clause it works OK.
> >
> > Greetings!!!
> >
> > On Thu, 16 Dec 2021 at 15:43, Warren Kumari (<warren at kumari.net>)
> > wrote:
> > >
> > >
> > >
> > > On Thu, Dec 16, 2021 at 10:37 AM Roberto Carna <robertocarna36 at gmail.com>
> > wrote:
> > >>
> > >> Dear all, I have one BIND9 server as master and 3 as slaves.
> > >>
> > >> The master and one slave are in a given site #1, and the other two
> > >> slaves are in a geographical different site #2.
> > >>
> > >> In case site #1 goes offline, I need to edit records in both slaves
> > >> from site #2, in order to point some services to other public IP's for
> > >> contingency.
> > >>
> > >> My question is:
> > >>
> > >> What is the recommended way to edit the records from a BIND9 slave?
> > >> Because the zone files are binary files
> > >
> > >
> > > Yup, if you are running (IIRC) > v9.9.x, the default is binary files.
> > > You can convert these back to text with:
> > > named-compilezone -f raw -F text -o example.com.text example.com example.com.binary
> > >
> > > You can also change the default in named.conf:
> > > options {
> > > // many many options
> > > masterfile-format text;
> > > //
> > > // many other options
> > > //
> > > };
> > >
> > > The raw (binary) zone files are good for large zones, but for small
> > zones, where speed isn't super important, text format works just fine...
> > > W
> > >
> > >
> > >>
> > >> and using the Webmin interface
> > >> is blocked.
> > >>
> > >> The only manner is changing the configuration from slave to master?
> > >>
> > >> Thanks in advance, greetings!!!
> > >> _______________________________________________
> > >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> > >>
> > >> ISC funds the development of this software with paid support
> > subscriptions. Contact us at https://www.isc.org/contact/ for more
> > information.
> > >>
> > >>
> > >> bind-users mailing list
> > >> bind-users at lists.isc.org
> > >> https://lists.isc.org/mailman/listinfo/bind-users
> > >
> > >
> > >
> > > --
> > > The computing scientist’s main challenge is not to get confused by the
> > > complexities of his own making.
> > >   -- E. W. Dijkstra
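A sketch of the hidden-primary layout described in this message, written as named.conf fragments for one hidden primary and one public secondary. This is an added example, not part of the original post and not ISC's own configuration; the addresses, key name, ACL and list names and file paths are constructed, and the `primary`/`secondary`/`primaries` keywords assume BIND 9.16 or later (older releases spell them `master`/`slave`/`masters`).

```conf
// ---- hidden primary A: 192.0.2.10 (constructed; appears in no NS record) ----
key "xfr-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";      // placeholder; generate with tsig-keygen
};

acl "public-secondaries" { 198.51.100.53; 203.0.113.53; };   // constructed addresses

options {
    recursion no;
    allow-query    { "public-secondaries"; }; // answer SOA/refresh queries from secondaries only
    allow-transfer { none; };                 // deny by default; opened per zone below
};

zone "example.com" {
    type primary;
    file "primary/example.com.db";            // kept in sync with primary B outside of DNS
    notify explicit;                          // NOTIFY only the also-notify targets
    also-notify    { 198.51.100.53 key "xfr-key"; 203.0.113.53 key "xfr-key"; };
    allow-transfer { key "xfr-key"; };        // AXFR/IXFR only when signed with the TSIG key
};

// ---- public secondary: 198.51.100.53 (listed in the zone's NS records) ----
key "xfr-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";      // same placeholder secret as on the primaries
};

primaries hidden-primaries {                  // either hidden primary can feed the zone
    192.0.2.10 key "xfr-key";
    192.0.2.11 key "xfr-key";                 // hidden primary B (constructed)
};

zone "example.com" {
    type secondary;
    primaries { hidden-primaries; };
    file "secondary/example.com.db";
    masterfile-format text;                   // keep the transferred copy readable, as in the thread
    allow-transfer { none; };                 // public servers do not hand out the zone
};
```

Run `named-checkconf` against each server's file after substituting a real secret.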