Thirty years ago, we had a pretty simple DNS configuration; a couple of AIX servers configured as dual-purpose authorities and resolvers. Once it was set, the configuration didn't change much. But when it did, with two hosts, it was simple to rlogin to each and make similar mods to the config on each.

Today, we have many servers (currently on flavors of linux), offering split-horizon DNS for many zones through several views, across several networks. We've been doing fairly well keeping the configuration files clean and consistent, but 'private dns' is driving us to the breaking point. I'm looking for some way to to make this simpler and safer.

The issue is 'stub' and 'forward' zones. We are inundated with requests from developers who have created solutions which rely on us being able to resolve secret names (which can not be found from the roots), or to receive special values for public names (by querying specific, secret servers). I won't mention names, but one of the big offenders has the initials "Microsoft".

We can use catalog-zones to define secondary zones on our authorities. But AFAIK, catalog-zones can not define 'stub' or 'forward' zones on our resolvers, and must be defined in the .conf. There has got to be a safe and effective way to define a stub/forward zones across several resolvers.

I'm looking for your ideas. What works? What doesn't work?

Are you leveraging your existing configuration management tools (e.g. Puppet, Ansible, Chef)?

Have you rolled your own using git or rync?

Do you have a script to base64 an 'included' .conf into a TXT record, so it can be consumed elsewhere?


--
--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to