On 8/23/2018 9:21 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:

This may be an unpopular opinion, especially on the BIND-Users mailing
list (sometimes BIND is not the best answer).

It sounds like you might want something like multi-master DNS servers
that Active Directory (with AD integrated zones) provides.
Here's the Microsoft AD DNS explanation:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones

This may be the time to start some dialogue around the way BIND processes
updates. While AD integrated DNS does process updates for multiple masters,
it does it outside the BIND-centric communications path. (I believe it uses
AD to forward updates from one master to the others.) BIND needs some sort
of multi-master framework, but there are a few issues if things stay the way
they are. There are obvious issues with serial number accounting and slave
notification. There are also issues with update processing (and
forwarding). Right now the only server that can accept updates is the
master. Forwarded updates are stamped as coming from the forwarding node.
That makes tracking updates almost impossible. (And that seems to be the
case for both signed and unsigned updates.) I may not be seeing something,
but from my point of view, that, above all else, must change if a
meaningful multi-master framework is to emerge.

Regards,

Bob


As I wrote many years ago when I had MS AD DNS Servers as slaves to my
BIND servers - See KB28286.  With multi-master servers, it is not clear
what an updated zone serial number should be.  Take this example:

A zone ad.example.com is mastered on two AD DNS Servers.  Each one has
the same contents and serial number, say 100.  Then, at the same time
one update comes in to each server.  Each server performs the update
and updates the serial number to 101.  But each server now has a
different version of the 101-serial zone.  Somehow, under the covers,
AD synchronizes the zones so that they have the same content.  What
should the serial number be for this combined zone?  It can't be 102,
because during the synchronization process another update may have come
into one of those servers, causing the serial number there to have been
increased to 102.  I have no idea what the new serial number should be.

That is why I chose ONE of the several MS AD DNS Servers as the "master"
to my BIND slave servers.  And NO MS machine used the MS AD DNS Servers
as its DNS Servers; all were configured to use my BIND servers as their
DNS servers. That way I did not care what the serial number was on the
other AD DNS servers that were not the master for my BIND slaves.

And, as another related issue, there were times when the serial number
of an AD zone decreased during times when that Domain Controller was
being patched.

--Barry Finkel
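An added example, not part of either message above: a small check that flags the two failure modes Barry describes, the same serial published by two masters with different zone content, and a server whose serial goes backwards (as after a Domain Controller patch). The server names, records and serials are constructed sample data; a real check would gather them from each master via AXFR or SOA queries.

```python
"""Flag multi-master SOA anomalies: same serial with different content,
and a serial that decreases. Serials are compared per RFC 1982."""
import hashlib

HALF = 1 << 31  # half of the 32-bit SOA serial space


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if a precedes b in serial-number space."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def zone_digest(records) -> str:
    """Order-independent digest of a zone's records (a simplified canonical form)."""
    canon = "\n".join(sorted(" ".join(r) for r in records))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def check_observations(observations):
    """observations: list of (server, serial, records) in polling order.
    Returns human-readable anomaly strings (empty list means consistent)."""
    anomalies = []
    last_serial = {}   # server -> most recently observed serial
    by_serial = {}     # serial -> {digest -> set(servers)}
    for server, serial, records in observations:
        prev = last_serial.get(server)
        if prev is not None and serial_lt(serial, prev):
            anomalies.append(f"{server}: serial went backwards {prev} -> {serial}")
        last_serial[server] = serial
        digest = zone_digest(records)
        by_serial.setdefault(serial, {}).setdefault(digest, set()).add(server)
    for serial, digests in by_serial.items():
        if len(digests) > 1:
            servers = sorted(s for group in digests.values() for s in group)
            anomalies.append(f"serial {serial} has {len(digests)} different "
                             f"zone contents on: {', '.join(servers)}")
    return anomalies


# Constructed sample: dc1 and dc2 each take a different update at serial 100,
# both bump to 101 with different content; dc2 then reverts to 100 after patching.
BASE = [("host1.ad.example.com.", "A", "10.0.0.1")]
OBS = [
    ("dc1", 100, BASE),
    ("dc2", 100, BASE),
    ("dc1", 101, BASE + [("host2.ad.example.com.", "A", "10.0.0.2")]),
    ("dc2", 101, BASE + [("host3.ad.example.com.", "A", "10.0.0.3")]),
    ("dc2", 100, BASE),
]

if __name__ == "__main__":
    for line in check_observations(OBS):
        print(line)
```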

