Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users

On 02/03/2024 11:36, Greg Choules wrote:
> Please don't encourage using "search" in resolv.conf or the Windows
> equivalent. Search domains make queries take longer, impose
> unnecessary load on resolvers and make diagnosis of issues harder
> because, when users say "it doesn't work" you have no idea what it was
> that didn't work.

This is not necessarily the case. If you are running your own recursive
resolvers that hold mirrors of the root zone, and if you only have a few
search domains, the impact will be negligible. Then it is a question of
ergonomics.

> I tried using separate subdomains for different interfaces on devices
> once and ran into exactly that problem. There's also the overhead of
> maintaining more zones than you really need.

Using sub-domains doesn't mean you have to create separate zones. All
the example names I gave could be included in the "example.com" zone.


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Greg Choules via bind-users
Please don't encourage using "search" in resolv.conf or the Windows
equivalent. Search domains make queries take longer, impose unnecessary
load on resolvers and make diagnosis of issues harder because, when users
say "it doesn't work" you have no idea what it was that didn't work.

I tried using separate subdomains for different interfaces on devices once
and ran into exactly that problem. There's also the overhead of maintaining
more zones than you really need.

My suggestion would be to replace the dot with a hyphen. That is, instead
of:
firewall1.example.com = Internet IP address
firewall1.dmz.example.com = IP address on DMZ network
firewall1.management.example.com = IP address on out-of-band management
network

do:

firewall1-internet.example.com = Internet IP address
firewall1-dmz.example.com = IP address on DMZ network
firewall1-management.example.com = IP address on out-of-band management
network

You could even CNAME firewall1 to firewall1-management as this is
(presumably) the interface that users and monitoring/management tools will
want to reach by default.

The hostname of the box is "firewall1" but each interface on it has a
unique name, derived from the hostname plus a "-" suffix. Select
a set of well known and used suffixes for your environment.
If someone really wants to try and SSH to the Internet interface (though I
don't understand why you would), they know the hostname and they know the
suffix, so it's a simple matter of combining them.


On Fri, 1 Mar 2024 at 21:11, Nick Tait via bind-users <
bind-users@lists.isc.org> wrote:

> On 02/03/2024 03:42, Mike Mitchell via bind-users wrote:
>
> Our networking team is in the habit of entering the IP address of every
> network interface on a router under one name.  The very first address
> entry is their out-of-band management interface.  "rrset-order fixed" is
> used on their domain for address records, so they can ssh to the router
> by name reliably and not have to worry about interfaces that are down
> or that filter SSH.
>
> I wonder if an alternative (cleaner?) solution to your use case could be
> to use different sub-domains for the different networks (network
> interfaces)? For example:
>
> firewall1.example.com = Internet IP address
> firewall1.*dmz*.example.com = IP address on DMZ network
> firewall1.*management*.example.com = IP address on out-of-band management
> network
>
> If you did this you could make use of DNS search domains to allow
> different parts of the network to resolve the unqualified name "firewall1"
> differently. E.g. If you "ssh firewall1" from a management host it could
> expand that to firewall1.*management*.example.com?
>
> Nick.


Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users

On 02/03/2024 03:42, Mike Mitchell via bind-users wrote:
> Our networking team is in the habit of entering the IP address of every
> network interface on a router under one name.  The very first address
> entry is their out-of-band management interface.  "rrset-order fixed" is
> used on their domain for address records, so they can ssh to the router
> by name reliably and not have to worry about interfaces that are down
> or that filter SSH.

I wonder if an alternative (cleaner?) solution to your use case could be
to use different sub-domains for the different networks (network
interfaces)? For example:

   firewall1.example.com = Internet IP address
   firewall1./dmz/.example.com = IP address on DMZ network
   firewall1./management/.example.com = IP address on out-of-band
   management network

If you did this you could make use of DNS search domains to allow 
different parts of the network to resolve the unqualified name 
"firewall1" differently. E.g. If you "ssh firewall1" from a management 
host it could expand that to firewall1./management/.example.com?


Nick.
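The two naming layouts in this exchange (Nick's per-network sub-domains with search domains, Greg's hyphen suffixes with a CNAME for the bare hostname) and the query cost of a resolv.conf "search" list can be compared with a small model. The code below is an added example; it is not from the thread, from BIND, or from any resolver library. The record tables are constructed, example.com and the documentation-range addresses are placeholders, and the search expansion is a simplified model of glibc's res_search (the ndots rule is modelled, the RES_NOTLDQUERY option is ignored).

```python
# Added example, not from the bind-users thread or from BIND itself. It models
# how a stub resolver expands an unqualified name through the resolv.conf
# "search" list (simplified from glibc's res_search: RES_NOTLDQUERY is ignored)
# and applies it to the two naming layouts discussed. All records below are
# constructed; example.com and the addresses are placeholders.

# Nick's layout: one label per network, under per-network sub-domains.
SUBDOMAIN_LAYOUT = {
    "firewall1.example.com.":            ("A", "203.0.113.1"),
    "firewall1.dmz.example.com.":        ("A", "192.0.2.1"),
    "firewall1.management.example.com.": ("A", "198.51.100.1"),
}

# Greg's layout: hyphen suffix per interface, bare hostname CNAMEd to management.
HYPHEN_LAYOUT = {
    "firewall1-internet.example.com.":   ("A", "203.0.113.1"),
    "firewall1-dmz.example.com.":        ("A", "192.0.2.1"),
    "firewall1-management.example.com.": ("A", "198.51.100.1"),
    "firewall1.example.com.":            ("CNAME", "firewall1-management.example.com."),
}


def search_candidates(name, search_list, ndots=1):
    """Fully qualified names the stub resolver tries, in order.

    A name ending in "." is absolute and is tried as-is only. Otherwise a name
    with fewer than `ndots` dots is tried under each search suffix first and
    as-is last; with `ndots` or more dots it is tried as-is first, then under
    each suffix. Every entry in the list is a separate query to the resolver.
    """
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    as_is = name + "."
    if name.count(".") < ndots:
        return expanded + [as_is]
    return [as_is] + expanded


def resolve(fqdn, records, depth=0):
    """Look `fqdn` up in a constructed record table, following CNAMEs with a
    chain-length limit; returns the address, or None if the name does not exist."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rr = records.get(fqdn)
    if rr is None:
        return None
    rtype, rdata = rr
    if rtype == "CNAME":
        return resolve(rdata, records, depth + 1)
    return rdata


def lookup_with_search(name, search_list, records, ndots=1):
    """Walk the candidate list until one name exists.

    Returns (fqdn_that_answered, address, queries_sent). The last number is the
    cost Greg refers to: every miss before the hit is one more query that the
    resolver, and the zone's authoritative servers, had to handle.
    """
    sent = 0
    for candidate in search_candidates(name, search_list, ndots):
        sent += 1
        addr = resolve(candidate, records)
        if addr is not None:
            return candidate, addr, sent
    return None, None, sent


if __name__ == "__main__":
    # A management host and a DMZ host, each with its own search list (Nick's layout)
    print(lookup_with_search("firewall1", ["management.example.com", "example.com"], SUBDOMAIN_LAYOUT))
    print(lookup_with_search("firewall1", ["dmz.example.com", "example.com"], SUBDOMAIN_LAYOUT))
    # Greg's layout: one search domain, the interface is spelled out in the name
    print(lookup_with_search("firewall1", ["example.com"], HYPHEN_LAYOUT))
    print(lookup_with_search("firewall1-dmz", ["example.com"], HYPHEN_LAYOUT))
    # A typo with three search domains costs four queries before the failure is final
    print(lookup_with_search("firewal1", ["management.example.com", "dmz.example.com", "example.com"], SUBDOMAIN_LAYOUT))
```

With the sub-domain layout a host's search list decides which interface "firewall1" maps to, which is Nick's point; with the hyphen layout the interface is part of the name and the bare hostname reaches management through the CNAME, which is Greg's. The last lookup shows the cost both sides are weighing: a name that does not exist is queried once per search domain plus once as-is before the client gives up.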


RE: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Mike Mitchell via bind-users
Our networking team is in the habit of entering the IP address of every network 
interface on a router under one name.  The very first address entry is their 
out-of-band management interface.  "rrset-order fixed" is used on their domain 
for address records, so they can ssh to the router by name reliably and not 
have to worry about interfaces that are down or that filter SSH.
We also have cases where redundancy is being configured but is not yet 
complete.  In that case only the first IP is active.  If we don't use 
"rrset-order fixed" we get complaints that connections take too long and there 
must be a network error.

Mike Mitchell

-Original Message-
From: bind-users  On Behalf Of Ondrej Surý
Sent: Thursday, February 29, 2024 4:40 PM
To: BIND Users Mailing List 
Subject: fixed rrset ordering - is this still a thing?

Hey,

BIND 9 supports a fixed rrset ordering (that is keeping the order of the RRSets 
from the zone file). It has to be configured at the compile time, it takes more 
memory (to record that order) and it's a #ifdef all over the places.

So, henceforth, my question - does anyone still use that? And if yes, what are 
the use cases?

I think BIND is the only server that actually supports this, so it doesn't feel 
like the DNS can't function without it.

Thanks,
Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

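Mike's use case rests on what a client does with the order of addresses it receives. The model below is an added example, not from the thread and not BIND's code: it reproduces the answer order for BIND's rrset-order modes fixed, cyclic and random (BIND's fourth mode, none, is left out), and feeds each answer to a client that works through the addresses in order and only moves on after a connect to a dead address times out. The address list and the set of unreachable interfaces are constructed, documentation-range values.

```python
# Added example, not from the bind-users thread or from BIND's source. It models
# the answer order under BIND's rrset-order modes fixed, cyclic and random
# (mode "none" is left out) and what that order does to a client that tries
# addresses in the sequence it received them, for Mike's case: every interface
# of a router under one name, management address first, some interfaces down
# or filtering SSH. All addresses are constructed documentation-range values.
import random

# Zone-file order: the out-of-band management address is deliberately first.
ZONE_ORDER = ["198.51.100.1", "203.0.113.1", "192.0.2.1", "192.0.2.129"]
# Constructed: two interfaces that are down or filter SSH.
UNREACHABLE = {"203.0.113.1", "192.0.2.1"}


def rrset_order(rrs, mode, query_number=0):
    """Return `rrs` as the server would hand them out on the query_number-th response.

    fixed  : zone-file order every time
    cyclic : start one record further along on each successive response
    random : shuffled (seeded from the query number here so runs are repeatable)
    """
    if mode == "fixed":
        return list(rrs)
    if mode == "cyclic":
        k = query_number % len(rrs)
        return list(rrs[k:]) + list(rrs[:k])
    if mode == "random":
        out = list(rrs)
        random.Random(query_number).shuffle(out)
        return out
    raise ValueError(f"unknown rrset-order mode {mode!r}")


def attempts_to_connect(answer, unreachable):
    """A naive client walks the answer in order and only moves on after a
    connect to a dead address times out. Returns how many addresses it tried
    before reaching one that answers, or None if none of them do."""
    for n, addr in enumerate(answer, start=1):
        if addr not in unreachable:
            return n
    return None


def worst_case_attempts(mode, rrs, unreachable, queries=8):
    """Most attempts (timeouts + 1) any of `queries` successive clients needs,
    or None if some response left a client with no reachable address at all."""
    per_query = [attempts_to_connect(rrset_order(rrs, mode, q), unreachable)
                 for q in range(queries)]
    if any(a is None for a in per_query):
        return None
    return max(per_query)


if __name__ == "__main__":
    for mode in ("fixed", "cyclic", "random"):
        print(f"{mode:7s} worst case: {worst_case_attempts(mode, ZONE_ORDER, UNREACHABLE)} attempt(s)")
    # Mike's second case: redundancy configured, but only the first address is live yet
    only_first_live = set(ZONE_ORDER[1:])
    print("cyclic, only first address active:",
          worst_case_attempts("cyclic", ZONE_ORDER, only_first_live))
```

With fixed ordering the management address is first in every answer, so the client connects on the first attempt; with cyclic ordering some clients receive the dead addresses first and sit through one timeout per dead address before reaching a live one, which is the "connections take too long" complaint Mike describes. The same model also shows the cost when only the first of several configured addresses is active.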


Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Stacey Marshall


On 29 Feb 2024, at 21:39, Ondřej Surý wrote:

> Hey,
>
> BIND 9 supports a fixed rrset ordering (that is keeping the order of the 
> RRSets from the zone file). It has to be configured
> at the compile time, it takes more memory (to record that order) and it's a 
> #ifdef all over the places.
>
> So, henceforth, my question - does anyone still use that? And if yes, what 
> are the use cases?
>
> I think BIND is the only server that actually supports this, so it doesn't 
> feel like the DNS can't function without it.

I know that Solaris distribution enables it, but purely to be backward 
compatible.  With what I don't know!



Re: fixed rrset ordering - is this still a thing?

2024-02-29 Thread Matt Nordhoff via bind-users
On Fri, Mar 1, 2024 at 12:38 AM Matt Nordhoff  wrote:
> On Thu, Feb 29, 2024 at 9:40 PM Ondřej Surý  wrote:
> > Hey,
> >
> > BIND 9 supports a fixed rrset ordering (that is keeping the order of the 
> > RRSets from the zone file). It has to be configured
> > at the compile time, it takes more memory (to record that order) and it's a 
> > #ifdef all over the places.
> >
> > So, henceforth, my question - does anyone still use that? And if yes, what 
> > are the use cases?
> >
> > I think BIND is the only server that actually supports this, so it doesn't 
> > feel like the DNS can't function without it.
>
> For what it's worth, Knot DNS is fixed by default. I know because the
> first setting in my knot.conf file is "answer-rotation: on". :-)

Correction: It's fixed but sorted, rather than fixed in the original
zone file order. Which is not necessarily the same as any of BIND's
settings?

I'll go hide in a cave and wish emails could be edited now. :-)

> NSD also has a "round-robin" setting, which is also off by default.
>
> So other nameservers do support fixed order, but I personally don't
> use it and don't mind if you remove it.
>
> > Thanks,
> > Ondřej
-- 
Matt Nordhoff


Re: fixed rrset ordering - is this still a thing?

2024-02-29 Thread Matt Nordhoff via bind-users
On Thu, Feb 29, 2024 at 9:40 PM Ondřej Surý  wrote:
> Hey,
>
> BIND 9 supports a fixed rrset ordering (that is keeping the order of the 
> RRSets from the zone file). It has to be configured
> at the compile time, it takes more memory (to record that order) and it's a 
> #ifdef all over the places.
>
> So, henceforth, my question - does anyone still use that? And if yes, what 
> are the use cases?
>
> I think BIND is the only server that actually supports this, so it doesn't 
> feel like the DNS can't function without it.

For what it's worth, Knot DNS is fixed by default. I know because the
first setting in my knot.conf file is "answer-rotation: on". :-)

NSD also has a "round-robin" setting, which is also off by default.

So other nameservers do support fixed order, but I personally don't
use it and don't mind if you remove it.

> Thanks,
> Ondřej
-- 
Matt Nordhoff