On Mon, 2011-12-19 at 11:24 +0100, Marco Pizzoli wrote:
>
> You caught the point.
> In the past we used to have all Linux production systems use the dns
> server. In our business dns servers are managed by a different office.
> During normal operations we faced occasional problems that prevented
> us from guaranteeing our service level agreement:
> - the dns server having a bad configuration following a configuration
>   upgrade: its forwarding policies got messed up and we had a lot of delay
>   in serving requests
> - the dns server resolves every system in the network: when network
>   isolation is not achievable, we limited the "visibility" of systems by
>   not enabling them to be found in searches by name. This helped a lot
>   also when some colleagues made a mistake by forgetting to change the
>   configuration of web applications from test to production (db
>   connection strings, and so on...).
>
> We decided to not use the dns server and put in the /etc/hosts file
> only the hosts we were aware that particular system had a need to
> communicate with.
>
Might I suggest that this is a very bad way to go about this? I think you'd have much better luck (as well as better maintainability) if you just stood up your own DNS server that you talked to. You could then choose to set the forwarder to your standard DNS servers. For any zone that you know would be mishandled, you can configure it in your private DNS server as "authoritative" so that it won't forward to the broken servers. This has a lot of advantages (not least that you don't have to manage client configuration of /etc/hosts everywhere).
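As an added illustration of the private-resolver approach suggested above (not part of this thread, and not an sssd configuration), here is what that split can look like in an unbound.conf: the production zone is answered from local data and never forwarded, test names are refused so a leftover test connection string fails fast instead of reaching a test box, and everything else goes to the corporate resolvers. All zone names and addresses are placeholders.

```conf
# Added example, not from the thread. Zone names and addresses are placeholders.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Serve the production zone authoritatively from local data only.
    # 'static' means names not listed here get NXDOMAIN and nothing in this
    # zone is ever forwarded to the corporate resolvers, so their
    # misconfiguration cannot delay or alter these answers.
    local-zone: "prod.example.internal." static
    local-data: "db1.prod.example.internal. IN A 10.1.2.3"
    local-data: "app1.prod.example.internal. IN A 10.1.2.10"
    local-data-ptr: "10.1.2.3 db1.prod.example.internal"
    local-data-ptr: "10.1.2.10 app1.prod.example.internal"

    # Refuse the test zone outright: a web app still pointing at a test
    # database name gets REFUSED immediately instead of connecting to test.
    local-zone: "test.example.internal." refuse

# Everything outside the locally served zones goes to the standard
# corporate resolvers (placeholders).
forward-zone:
    name: "."
    forward-addr: 10.0.0.53
    forward-addr: 10.0.0.54
```

Validate the file with `unbound-checkconf` before restarting the daemon; note that names absent from the static zone resolve to NXDOMAIN, so every production host the system must reach needs a local-data entry, much like the /etc/hosts approach but maintained in one place.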
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel