Re: Mirror Masters

2013-04-24 Thread Chris Buxton
On Apr 24, 2013, at 2:21 PM, Manson, John wrote:

> Works great. Got the conf file down to about 12 lines (only transferring 1 
> zone file for test).
> Only problem is the file is in slave format.
> Is the master going to have a problem sending the db.x.bak to slaves?
> When a slave receives the transferred file, will it do the slave conversion 
> to the file which is already in slave format?

Please explain what you mean by "slave format". Do you mean binary (raw) 
format, or just formatted differently as a text file? (Different versions of 
BIND behave differently.)

Please keep in mind that a zone transfer between DNS servers is not a file 
transfer. The master does not send a file to the slaves. It sends DNS records, 
in binary (DNS protocol) format.

Chris Buxton
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
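To make Chris's point concrete: what crosses the wire in an AXFR is a stream of DNS resource records, bracketed by the zone's SOA, not the master's file. The following is an added example (my code, not Chris Buxton's and not part of BIND) that builds a constructed AXFR response for a made-up zone `example.test.` in DNS wire format and decodes it back into records; the zone name, addresses, TTLs and serial are all assumptions for the demonstration.

```python
# Added example, not from the original post: encode a constructed AXFR response
# (RFC 1035 wire format, RFC 5936 AXFR semantics) and decode it back into records,
# showing that the transfer carries resource records rather than a zone file.
import struct

ZONE = "example.test."            # assumed zone name, not from the thread
TYPE = {"A": 1, "NS": 2, "SOA": 6}
TYPE_NAME = {v: k for k, v in TYPE.items()}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression, for clarity)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, ttl, rdata):
    # NAME, TYPE, CLASS (IN=1), TTL, RDLENGTH, RDATA
    return encode_name(name) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname, serial):
    # MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, 3600, 900, 604800, 300)


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def build_axfr_response(qid=0x1234):
    """An AXFR answer: the SOA, the zone's records, then the same SOA again."""
    soa = soa_rdata("ns1." + ZONE, "hostmaster." + ZONE, 2013042401)
    rrs = [
        encode_rr(ZONE, "SOA", 3600, soa),
        encode_rr(ZONE, "NS", 3600, encode_name("ns1." + ZONE)),
        encode_rr("ns1." + ZONE, "A", 3600, a_rdata("192.0.2.53")),
        encode_rr("www." + ZONE, "A", 300, a_rdata("192.0.2.80")),
        encode_rr(ZONE, "SOA", 3600, soa),
    ]
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, len(rrs), 0, 0)  # QR=1, AA=1
    question = encode_name(ZONE) + struct.pack("!HH", 252, 1)         # QTYPE 252 = AXFR
    return header + question + b"".join(rrs)


def decode_name(msg, off):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:
            ptr = ((n & 0x3F) << 8) | msg[off]
            off += 1
            name, _ = decode_name(msg, ptr)
            if name != ".":
                labels.append(name.rstrip("."))
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def decode_axfr_response(msg):
    """Return the answer section as (name, type, ttl, presentation-text) tuples."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        start = off
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE["A"]:
            text = ".".join(str(b) for b in rdata)
        elif rtype == TYPE["NS"]:
            text, _ = decode_name(msg, start)
        elif rtype == TYPE["SOA"]:
            mname, o = decode_name(msg, start)
            rname, o = decode_name(msg, o)
            text = f"{mname} {rname} {struct.unpack('!I', msg[o:o + 4])[0]}"
        else:
            text = rdata.hex()
        records.append((name, TYPE_NAME.get(rtype, str(rtype)), ttl, text))
    return records


def axfr_is_complete(records):
    """A secondary may only install the zone if the first and last records are the same SOA."""
    return (len(records) >= 2 and records[0][1] == "SOA"
            and records[-1][1] == "SOA" and records[0] == records[-1])


if __name__ == "__main__":
    recs = decode_axfr_response(build_axfr_response())
    for r in recs:
        print(r)
    print("complete:", axfr_is_complete(recs))
```

Whatever the slave writes to disk afterwards is its own choice: in BIND that is controlled by the zone's `masterfile-format` option (`text` or `raw`), and an existing raw file can be converted for reading with `named-compilezone -f raw -F text`. The SOA bookend check at the end is the one a secondary must make before trusting a transfer.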

Re: Simple question about zone and CNAME

2013-04-24 Thread Lawrence K. Chen, P.Eng.


- Original Message -
> 
> In our case it would be impossible for the University's public web
> presence and the AD domain controllers to be the same machines.  It
> is
> conceivable that we could do some magic in load balancers to divide
> traffic appropriately, but I'd rather not do that if I don't have to.
> 
> Sam
> 
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
> ___

But, assuming that your web presence is on the load balancer... there wouldn't 
be any trick to putting AD controller(s) on the same IP... since AD controllers 
listen on ports other than 80/443.

At our university (www.)ksu.edu is 129.130.8.49 and (www.)k-state.edu is 
129.130.8.50. On this IP, the load balancer has port 80 mapped to a pool of 
webservers handling http, and port 443 is mapped to a different pool of 
webservers handling https (they should be the same servers now, but there was a 
time when the web team was switching webserver apps, and SSL continued to be 
handled by the old servers since the private keys were internal to that 
application.)  The instability of our web presence was attributed to the 
high-activity content that was largely http. Until about 2.5 years ago, we were 
still using Netscape Enterprise Server v4.1!  And there were things specific 
to that version that precluded moving to newer NES/iPlanet/SunONE WS... we 
finally moved to Apache when a mod was written to recreate those features... and 
bugs.

Though our AD controllers are not behind our load balancer, someday the 
Windows group might... now that they want to be considered an enterprise server 
tech group... and cause all sorts of confusion with the already existing 
enterprise server tech group (unix/linux)... and shed their old name of lantech, 
from when they were the NetWare group.

What we do have on this IP, is ports 5222 and 5223 being sent to another pool.

OTOH, I am doing some magic on the load balancers... because different URI paths 
are going to different pools, since some important section was mocked up 
using technology that is not our standard webserver but is then announced to 
the world as a path under our main web site.

The web team has been talking about replacing our main web presence with 
Varnish caches, which would give them the ability to do this 
themselves... rather than needing me to maintain the TCL file that makes the magic.  
But it's been taking them a long time for some reason (years).  I have a 
personal setup, which is a pair of nginx servers reverse proxying to various other 
servers, that's working pretty slick.

The use of separate IPs for ksu.edu & k-state.edu is a leftover from how 
things used to be done... but the site now uses a multi-name cert with those 4 
names and others... since it was cheaper to cram as many different names as 
possible into a single cert... (and we're doing SSL proxy on our load balancer -- 
so the load balancer can work its magic...)


Re: Simple question about zone and CNAME

2013-04-24 Thread Sam Wilson
In article , Dave Sparro wrote:

> On 4/6/2013 12:46 AM, Lawrence K. Chen, P.Eng. wrote:
> > So, up until a couple years ago... our webmail address had always been, and 
> > only, "webmail.ksu.edu".  But, under the new direction... it has to work as 
> > "webmail.ksu.edu", "www.webmail.ksu.edu", 
> > "webmail.k-state.edu", "www.webmail.k-state.edu", and SSL certs to work for 
> > all those.
> Sounds like it is time to have some fun with recursion...
> You should mention that since "www.webmail.ksu.edu" exists, 
> "www.www.webmail.ksu.edu" should work too.  :D

We once wondered about obtaining an EDU domain, and pondered on what 
domain our Faculty of Education might want to use.  The University of 
Edmonton may have had similar thoughts.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Simple question about zone and CNAME

2013-04-24 Thread Sam Wilson
In article , Doug Barton wrote:

> On 04/08/2013 06:54 AM, Sam Wilson wrote:
> > In article ,
> >   Doug Barton  wrote:
> >> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
> >>
> >> | It is funny you should mention that... my questions about using views
> >> | to create a situation where one single record is different happens to
> >> | be exactly for this reason. The Active Directory administrators were
> >> | saying that not having umdnj.edu point to an Active Directory server
> >> | was bothering the AD servers in some fashion. The solution we're going
> >> | to test is telling the AD servers that umdnj.edu are them, but telling
> >> | everyone else on the planet that it's www. We think this will do it,
> >> | but haven't tested yet.
> >>
> >> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu.
> >> AD DNS is only really happy when it runs the whole show for its "home"
> >> domain. It's possible to do otherwise, but really painful and fragile.
> >
> > We've been running our main domain with the underscore domains delegated
> > to AD for well over a decade and it's been neither painful nor fragile,
> 
> You apparently missed the context of the response. :)
> 
> I didn't say "impossible," and I've set it up the way you describe in 
> the past. But it assumes both an initial and ongoing level of clue that 
> is not always available. Whereas, "put all the AD stuff in its own 
> subdomain" is both pain-less, and has other advantages.

It would not have been painless for us.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Simple question about zone and CNAME

2013-04-24 Thread Sam Wilson
In article , Phil Mayers wrote:

> On 04/08/2013 06:59 PM, Novosielski, Ryan wrote:
> 
> > Someone can correct me if I'm wrong, but I think they'd be right if
> > and only if the webserver they're adding the A record for happens to
> > also be the AD server.
> 
> In principle that's correct.
> 
> In practice, running a publicly accessible webserver on your AD 
> controllers is a bad move IMO. The security implications are gruesome.
> 
> I think I almost dislike the idea so much that I'd suggest split DNS 
> before this. And given how much I dislike split DNS, that's saying 
> something.
> 
> But hey, to each their own.

In our case it would be impossible for the University's public web 
presence and the AD domain controllers to be the same machines.  It is 
conceivable that we could do some magic in load balancers to divide 
traffic appropriately, but I'd rather not do that if I don't have to.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Simple question about zone and CNAME

2013-04-24 Thread Sam Wilson
In article , "Barry S. Finkel" wrote:

> On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:
> > In article , Phil Mayers wrote:
> >> Sam Wilson wrote:
> >>
> >>> [adding an A record for ed.ac.uk.]
> >>>
> >>
> >> If your AD realm is also called ed.ac.uk then adding an A record will
> >> definitely affect things.
> > Which is exactly the opposite of what our AD guys said, but not with
> > such great conviction.  :-)
> >
> > Sam
> 
> AD clients, if they do not know about SRV records for finding the
> LDAP servers, will use the "A" records for the AD domain to locate
> the Domain Controllers.  ...

Can you identify any such clients?  Phil Mayers has already mentioned 
non-MS DFS clients and other things (MS?) which might try SMB and WebDAV 
to an A record at the AD domain name.  Are there others?

> ... Where I used to work we did not segregate
> AD, so internally,
> 
>   example.com
> 
> pointed to the Domain Controllers.  Externally,
> 
>   example.com
> 
> had no IP address because the DCs were not accessible from the
> external Internet.  When we had the DC addresses externally, then
> AD clients would see the addresses, try to authenticate to the AD,
> experience timeouts, and get frustrated.  Without an external
> address, AD clients do not try to access the DCs.  The drawback
> is that we can not have
> 
>   example.com
> 
> externally have the same address as
> 
>   www.example.com
> 
> to aid browser users.

Which is exactly where I came in - the people who manage our corporate 
image feel that this is unacceptable and reflects badly on the 
University.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Simple question about zone and CNAME

2013-04-24 Thread Sam Wilson
In article , Phil Mayers wrote:

> On 08/04/13 14:46, Sam Wilson wrote:
> > In article ,
> >   Phil Mayers  wrote:
> >
> >> Sam Wilson  wrote:
> >>
> >>> [adding an A record for ed.ac.uk.]
> >>>
> >>
> >> If your AD realm is also called ed.ac.uk then adding an A record will
> >> definitely affect things.
> >
> > Which is exactly the opposite of what our AD guys said, but not with
> > such great conviction.  :-)
> 
> Off the top of my head the two most recent issues we've had.
> 
> 1. If you don't have a domain controller A record at your AD realm name, 
> you'll experience sporadic timeouts and slowness if you ever want to 
> roll out DFS, particularly if your domain members include non-Microsoft 
> clients such as Macs
> 
> 2. If you put something else at that place, you'll see SMB connection 
> attempts and if they fail but port 80 is open, you'll see Windows trying 
> to do WebDAV requests (!) to it.
> 
> Both these and other issues make me wish we'd chosen a sub-domain for 
> our AD realm when we migrated from NT4. But we had no way of knowing at 
> the time :o(

Thank you (belatedly) for that information.  As I think I remarked 
elsewhere we wished to retain the existing structure of our DNS, with 
some domains delegated to others (as well as a lot that we delegate to 
ourselves) which needed to be in the same AD thingy[*].  Forcing another 
layer of DNS naming between the institution and the department seemed 
inappropriate.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
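The two failure modes raised in this thread, Barry's observation that clients fall back to the A record at the AD domain name to find DCs, and Phil's two issues (no apex A record means DFS timeouts; a non-DC at the apex attracts SMB and WebDAV probes), reduce to one check on the zone data: every A record at the realm's apex must belong to a domain controller, where "domain controller" is defined by the targets of the `_ldap._tcp.dc._msdcs.<realm>` SRV records. The following is an added example (my code, not from any poster, not a Microsoft or ISC tool) that runs that check over constructed internal and external views of an assumed realm `example.test.`; all names and addresses are made up for the demonstration.

```python
# Added example, not from the thread: audit whether the A records at an AD realm's
# apex are safe, given the zone's records. Names and addresses are constructed.
REALM = "example.test."   # assumed realm that shares its name with the DNS zone

# Zone data is modelled as {owner name: [(rtype, rdata), ...]};
# SRV rdata is (priority, weight, port, target).


def _rrs(zone, name, rtype):
    return [rdata for t, rdata in zone.get(name, []) if t == rtype]


def dc_addresses(zone, realm):
    """DC addresses the way a domain member finds them: _ldap._tcp.dc._msdcs SRV, then A."""
    targets = [srv[3] for srv in _rrs(zone, "_ldap._tcp.dc._msdcs." + realm, "SRV")]
    addrs = set()
    for target in targets:
        addrs.update(_rrs(zone, target, "A"))
    return targets, addrs


def apex_addresses(zone, realm):
    return set(_rrs(zone, realm, "A"))


def audit_apex(zone, realm, external=False):
    """Return a list of (code, detail) findings.

    external=True means this is the view Internet clients see, where having no apex
    A record and no SRV records is the normal, safe state; only a stray A record
    (which roaming members would still probe) is reported there.
    """
    findings = []
    targets, dcs = dc_addresses(zone, realm)
    stray = apex_addresses(zone, realm) - dcs
    if stray:
        # Members falling back to the apex A record will send SMB/LDAP to these hosts,
        # and WebDAV requests if port 80 answers.
        findings.append(("stray-apex-a", sorted(stray)))
    if external:
        return findings
    if not targets:
        findings.append(("no-dc-srv", []))
    if not apex_addresses(zone, realm):
        # No apex A record: DFS and non-Microsoft members see sporadic timeouts.
        findings.append(("no-apex-a", []))
    return findings


MESSAGES = {
    "stray-apex-a": "apex A record(s) are not domain controllers; expect SMB/LDAP/WebDAV probes at",
    "no-dc-srv": "no _ldap._tcp.dc._msdcs SRV records; members cannot locate DCs via SRV",
    "no-apex-a": "no A record at the realm apex; expect DFS slowness on members that fall back to it",
}

# Constructed internal view: the apex A records are exactly the DCs.
INTERNAL = {
    REALM: [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    "_ldap._tcp.dc._msdcs." + REALM: [("SRV", (0, 100, 389, "dc1." + REALM)),
                                      ("SRV", (0, 100, 389, "dc2." + REALM))],
    "dc1." + REALM: [("A", "192.0.2.10")],
    "dc2." + REALM: [("A", "192.0.2.11")],
    "www." + REALM: [("A", "192.0.2.80")],
}

# Constructed external view: the apex points at the public web front end, the
# setup the corporate-image people want and the DCs are not reachable anyway.
EXTERNAL = {
    REALM: [("A", "198.51.100.80")],
    "www." + REALM: [("A", "198.51.100.80")],
}

if __name__ == "__main__":
    for label, zone, ext in (("internal", INTERNAL, False), ("external", EXTERNAL, True)):
        for code, detail in audit_apex(zone, REALM, external=ext):
            print(f"{label}: {MESSAGES[code]} {detail}")
```

Run against the internal view this reports nothing; against the external view it flags the web address at the apex, which is exactly the trade-off Barry and Sam describe: either the apex is DC-only (or absent) externally, or roaming domain members will treat the web server as a DC. Subdomaining the realm, as Doug suggested, is the only layout where the check is trivially satisfied in both views.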