Date:      Sun, 26 Aug 2001 13:14:56 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Len Conrad" <LConrad@Go2France.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Secondary DNS Transfers
Message-ID:  <002901c12e6b$c5f79500$1401a8c0@tedm.placo.com>
In-Reply-To: <5.1.0.14.0.20010825143818.037e8cd8@mail.Go2France.com>

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Len Conrad
>Sent: Saturday, August 25, 2001 5:48 AM
>To: freebsd-questions@FreeBSD.ORG
>Subject: RE: Secondary DNS Transfers
>
>
>
>>This won't guarantee that the zone actually was loaded by the secondary,
>>just that it transferred to it.
>
>Ted, you disappoint me.  :)))
>
>When the slave transfers the zone file, AND loads it (I've never heard of
>the two operations NOT occurring in conjunction, have you?), named will log
>the name of the zone and the new serial number as it loads into
>authoritative memory.  Can't get much better guarantee than that.

Right - but you have no guarantee that the admin doesn't have BIND
misconfigured and that you don't have a situation where the slave transfers
the zone file but then refuses to write it to disk.

I've sat there and watched secondaries that I've managed do this - the latest
version of BIND seems to like to refuse to write out the secondary if there's
an error in it (like a CNAME record wrong).  Meanwhile the primary nameserver
reports a successful zone transfer.

>
>>The very best way to test that the secondary is in operation WITHOUT
>>calling the admin is to simply shut down the primary nameserver for a
>>couple of days.
>
>you're having a bad day, Ted!! :))
>
>After looking in the slave's named.run log file to confirm the zone has
>transferred and loaded, doubting Thomases can do this:
>
>dig @slave.dns  zone.in.question SOA
>
>and see immediately if the SOA s/n is same as on the master.  Using the
>"readable" ccyymmddxx format for the serial number facilitates checking.

No - because once again you can answer queries out of the cache even though
the zone has not been written to disk.

>
>>If at the end of it the secondary is still properly answering queries
>>then you're good to go.  Of course, you want to be testing this from a 3rd
>>system elsewhere.  This duplicates the Real Life environment almost exactly.
>
>Taking down a DNS primary for some days to see if the slave is answering is
>not an efficient validation.

I agree - which is why I specifically said this WITHOUT calling the admin.
The way I always do things with a brand-new secondary or primary is to call
the admin and while he's on the phone I have him increment the serial number
then reload his nameserver then I reload mine.  (Or vice versa if he's the
secondary.)  Then I confirm that the changed physical secondary file has been
written to disk.  From that point on I trust DNS replication, but I don't
blindly set up secondaries that are remote or primaries that are remote and
just trust to the Net Fairies to make it happen.

It seems to me that this should be the most obvious answer, but I know that
some people seem to be afraid of actually talking to the other admin, and
prefer to do things electronically.

>And anyway, the slave will answer with
>whatever copy of the zone file it has, which is not necessarily the
>master's version.
>

If this is happening then basically the secondary nameserver is worthless.
The entire point of having a secondary is so that if the unattended primary
goes down then the secondary picks up.  There's a lot of other things that can
happen.  Maybe the secondary admin has some ridiculous firewalling going on
that is blocking DNS queries to his nameserver from everyone but you.  Maybe
something else.  Also, people are starting to use a lot of very weird programs
out there anymore for DNS, not everyone is using BIND anymore.  Some of those
DNS programs - like the Win2K one - permit names that are NOT RFC compliant.  I
cannot help it that the remote admin doesn't know anything about DNS and is
using some piece-o-crap program that is not BIND.  But I can help by not
assuming that everyone is doing things right.

Whatever it is, if your DNS resolution cannot survive with the primary
nameserver offline, then you got a REAL problem.  If you're afraid of stopping
the primary nameserver for a few days because you don't trust the secondary,
then you've missed the entire point of having primary and secondary
nameservers, I'm afraid.


Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com
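As an added example (not part of the thread above), this script takes the `dig @slave zone SOA` check Len describes and adds the point Ted raises: it compares the master's and slave's SOA serials, but only accepts the slave's answer if dig's `aa` (authoritative answer) flag is set, so a cached answer is not mistaken for a loaded zone. Server and zone names are placeholders, and the dig output at the bottom is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): compare the SOA serial the master serves
# with the one the slave serves, and require the slave's answer to carry dig's
# "aa" (authoritative answer) flag, so a cached answer is not mistaken for a
# loaded zone.  Server and zone names below are placeholders.

# Print the serial from saved `dig @server zone SOA` output.
# dig's answer line is: zone TTL IN SOA mname rname serial refresh retry expire minimum
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }' "$1"
}

# Succeed only if the header line shows the aa flag.
is_authoritative() {
    grep -q '^;; flags:.* aa[ ;]' "$1"
}

# zone_in_sync MASTER_OUT SLAVE_OUT
#   0: slave answers authoritatively with the master's serial
#   1: serials differ (or no SOA found)
#   2: slave's answer is not authoritative (served from cache, zone not loaded)
zone_in_sync() {
    m=$(soa_serial "$1"); s=$(soa_serial "$2")
    if [ -z "$m" ] || [ -z "$s" ]; then echo "no SOA record in answer" >&2; return 1; fi
    if ! is_authoritative "$2"; then
        echo "slave serial $s is NOT authoritative (cached answer?)"; return 2
    fi
    if [ "$m" != "$s" ]; then echo "serial mismatch: master $m, slave $s"; return 1; fi
    echo "in sync: serial $m, authoritative on slave"; return 0
}

# Live use:  dig @master.example.test zone.example.test SOA > master.out
#            dig @slave.example.test  zone.example.test SOA > slave.out
#            zone_in_sync master.out slave.out
# Below, constructed dig output (ccyymmddxx serial style) stands in for a live run.
d=$(mktemp -d)
printf '%s\n' ';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0' \
  'zone.example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2001082601 3600 900 604800 86400' \
  > "$d/master.out"
printf '%s\n' ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0' \
  'zone.example.test. 3500 IN SOA ns1.example.test. hostmaster.example.test. 2001082601 3600 900 604800 86400' \
  > "$d/slave.out"
zone_in_sync "$d/master.out" "$d/slave.out"   # same serial, but the slave's copy is not authoritative
rm -rf "$d"
```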


