Re: Enterprise IPAM/DNS Solutions
On Mon, Apr 28, 2014 at 04:31:28PM +, Baird, Josh wrote:
> Hi,
>
> We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a front-end wrapper for BIND. We deploy our own BIND boxes and simply install the Men & Mice agent on them which allows us to centrally manage the zones from a GUI (or CLI) based interface.
>
> I'm curious about the other enterprise solutions that are on the market. Bluecat is the first one that comes to mind, but I'm completely unfamiliar with their product. Does their product run alongside native BIND (like MM) or do I need to purchase their own appliances and place them all over my network?
>
> Are there any other suggestions for products similar to Men & Mice and Bluecat that I should be looking at? I'm looking for DNS and IPAM and central management.
>
> Thanks,
>
> Josh

Josh,

I'm curious what shortcomings you're finding with the MM suite?

We've looked at BlueCat recently and my recollection is that it required their DNS appliances. Quite costly and in our case, overkill.

MM has worked pretty well for us, but we're a corporate type use case, not a provider or ISP.

Ray

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Enterprise IPAM/DNS Solutions
Ray,

Overall, MM has worked quite nicely for us. The CLI leaves a lot to be desired though and we have found several bugs in the application throughout the past several years (who doesn't have bugs, though?). I have also had a hard time getting someone on their Sales team to answer my questions lately.

I do really like the fact that it doesn't require some third party appliance and it can run alongside BIND.

At this point - I'm just looking to see what else is available in this same space (Infoblox, Bluecat, etc). Any feedback from users of these various platforms is appreciated!

(apologies for the top-post)

Thanks,

Josh
RE: Enterprise IPAM/DNS Solutions
Josh,

In addition to the appliance-only vendor solutions you mention below, you may wish to look into the BT Diamond IP product line. This is an enterprise and service provider IPAM solution with full support for DNS and DHCP.

It is available as software-only, with a centralized management component and Agents that are installed on your DNS and/or DHCP servers. It is also available in a turnkey offering on hardened, proprietary Linux-based appliances. Lastly, it is also available as either a hosted or managed service.

Please see http://btdiamondip.com for more information.

Full disclosure -- I am the Principal Software Architect for BT Diamond IP.

Regards,

Greg
Re: Enterprise IPAM/DNS Solutions
Cisco (apply liberal amounts of salt considering my FROM) has a product suite called Prime, one piece of which is CNR (unless it's been renamed again this week) -- Cisco Network Registrar, which handles the IPAM piece and has DHCP and DNS components as well. CNR can integrate with BIND (as well as other common DNS software), and is licensed from BT Diamond.

I did a fairly extensive PoC of the IPAM, DNS and DHCP components a couple years back. Being completely honest, the downsides I've found during PoC are clunky UI (admittedly personal opinion, and based on little experience with other IPAMs -- experiment and decide for yourself), DHCP implementation geared more toward IT/cable operators (high performance, but lacking some options for PXE), and lack of true multi-tenant (you can make logical containers of address space mapped to tenants, but you can't have address space overlap across containers -- which for RFC1918 is a problem on any network which consists of numerous acquisitions ;-) ).

DNS and DHCP I've continued solving myself with OSS ISC, but IPAM has still been useful -- especially adding sanity to IPv6 allocations and support of fully automated provisioning (API). I've got a few clusters deployed (easier to just run an instance per tenant for me), and rely on the capabilities more over time. Once you have real IPAM, it's hard to remember how you lived without it.

cisco.com/go/cnr
Re: Enterprise IPAM/DNS Solutions
Are you running *other*, non-network-service functions on these boxes besides BIND/MM? If not, then you might find an appliance-based solution like Bluecat or Infoblox might be more cost-effective than adding a DNS-management layer to a generic server. Your security folks should love you too, since appliances are hardened (usually they don't even have an OS-like command line or a superuser function).

Lastly, if you're planning to implement things like Anycast, HA clustering, IPv6, etc. these things are probably a lot easier for an appliance that already has these capabilities built in, than hacking the OS to support them. DNSSEC is likely to be a lot easier too. The argument for appliances becomes even stronger if you want to support other network services, e.g. DHCP, NTP, discovery.

If, on the other hand, you're running other stuff on those servers, besides network services, or you just *have* to have that OS-level control down to the kernel, filesystems, devices, etc. it might make sense to stick with an agent- or wrapper-based solution like you already have (MM). I think IPControl (by British Telecom) is also a strong player in that space.

- Kevin
RE: Enterprise IPAM/DNS Solutions
Kevin,

No - our DNS servers do only one thing depending on their role - either to serve internal clients (caching/recursive/override external authoritative) or to serve authoritative external clients.

I used to cringe at these appliance based solutions because I want to be in control of BIND and the server's operating system - but, they are beginning to sound more attractive since they don't require someone with operating system knowledge to run and maintain the application. The bonuses would be things like DNSSEC and Anycast support out of the box.

Thanks,

Josh
Re: Enterprise IPAM/DNS Solutions
I misspoke a bit about DNSSEC. That's not an OS-level thing (unless you want to hook in an HSM or something like that), so there's no reason to think that an appliance-based solution would be better at it than an agent/wrapper-based solution.

- Kevin
Re: Enterprise IPAM/DNS Solutions
On Apr 28, 2014, at 9:31 AM, Baird, Josh jba...@follett.com wrote:
> Hi,
>
> We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a front-end wrapper for BIND. We deploy our own BIND boxes and simply install the Men & Mice agent on them which allows us to centrally manage the zones from a GUI (or CLI) based interface.
>
> I'm curious about the other enterprise solutions that are on the market. Bluecat is the first one that comes to mind, but I'm completely unfamiliar with their product. Does their product run alongside native BIND (like MM) or do I need to purchase their own appliances and place them all over my network?

Josh,

You probably remember me from my days at Men & Mice. I've been at BlueCat Networks now for more than four years. If you have any questions about BlueCat's product line, I'd be happy to help. If you prefer, you can contact me directly at my company email address, cbux...@bluecatnetworks.com.

To answer one question you posed here, we offer an appliance-based solution. They are hardened Linux systems that offer DNSSEC and anycast support out of the box, just as others have hinted in this thread. And unlike some of our competitors, we do allow ssh access if you need it.

Best regards,

Chris