From: "Ted Mittelstaedt"
To: "Paul Richards", "Len Conrad"
Subject: RE: Secondary DNS Transfers
Date: Sun, 26 Aug 2001 22:18:42 -0700

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Paul Richards
>Sent: Sunday, August 26, 2001 7:34 PM
>To: Ted Mittelstaedt; Len Conrad; freebsd-questions@FreeBSD.ORG
>Subject: RE: Secondary DNS Transfers
>
>
>--On Sunday, August 26, 2001 13:14:56 -0700 Ted Mittelstaedt
> wrote:
>
>>
>> Whatever it is, if your DNS resolution cannot survive with the primary
>> nameserver offline, then you got a REAL problem.  If you're afraid of
>> stopping the primary nameserver for a few days because you don't trust
>> the secondary, then you've missed the entire point of having primary and
>> secondary nameservers, I'm afraid.
>
>I think you've missed the point.
>
>You *are* afraid to switch the master nameserver off because you *don't*
>trust the slave and the whole point of the exercise is to find out if the
>slave really is working or not.
>
>Switching off the master in order to see if the slave is working is dumb
>because if it turns out that the slave isn't working then you have no DNS.
>

And you can't then switch it back on?  We ARE talking about a NEW
installation here, not testing every time that he updates a record in
his DNS.

>Obviously if everything is working then you should be able to switch the
>master off, but the purpose of this exercise is to safely determine that
>everything's working in the first place.
>

But your suggestion simply won't do that.  All it will do is answer that
the secondary is indeed answering queries - to the person on the
secondary that is issuing nslookup or dig or whatever he's issuing, at
the particular moment he's issuing it.  It simply does NOT answer the
question of will anybody ELSE on the Internet indeed be able to use the
secondary like they are supposed to do - to provide resolution for the
domain should the primary go offline.

>Your approach is like suggesting that you wipe your disk and try to
>restore from your backup in order to prove that your backups are working
>properly.
>

This isn't a parallel because wiping the disk is destructive.  Switching
off the primary DNS does not destroy anything.

What YOU are saying is that if someone does a backup that simply running
a compare on it is good enough, and that it's not necessary to do an
actual restore (to a blank machine) to really test that the backup
system is indeed working.

You're also deliberately ignoring that the original poster indicated
that he wasn't willing to pick up the phone and call the admin of the
primary (or even e-mail the admin of the primary) to do it the right way.
I made it clear in the original posting and subsequently that any kind
of testing or instrumentation was inferior to actually verifying by
voice with the other nameserver admin.

You would probably continue to argue that once he's verified that things
"work" through the inferior method of attempting to query the
nameserver, that he should STILL not switch off the primary for a few
days to make absolutely sure that things really do work.

All I can say is that backup systems are NEVER properly tested if you
don't actually cut over to them to make the test.

It's like testing a UPS.  APC makes a great line of UPS's that have all
sorts of fancy "test" modes that claim to test the UPS - but if you're
going to put that UPS into a hospital and have it control some surgical
equipment, you test it by pulling the plug.  You don't trust someone's
life to what some dumb $5.00 computer says in a UPS.

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com