On Mon, Dec 19, 2011 at 1:29 PM, Stephen Gallagher <sgall...@redhat.com> wrote:

> On Mon, 2011-12-19 at 11:24 +0100, Marco Pizzoli wrote:
> >
> > You caught the point.
> > In the past we used to have all Linux production systems use the DNS
> > server. In our business DNS servers are managed by a different office.
> > During normal operations we faced occasional problems that prevented
> > us from guaranteeing our service level agreement:
> > - the DNS server having a bad configuration following a configuration
> > upgrade: its forwarding policies got messed up and we had a lot of delay
> > in serving requests
> > - the DNS server resolves every system in the network: when network
> > isolation is not achievable, we limited the "visibility" of systems by
> > not enabling them to be found by name lookups. This helped a lot
> > also when some colleagues made a mistake by forgetting to change the
> > configuration of web applications from test to production (DB
> > connection strings, and so on...).
> >
> > We decided not to use the DNS server and to put in the /etc/hosts file
> > only the hosts we knew that particular system needed to
> > communicate with.
> >
>
> Might I suggest that this is a very bad way to go about this? I think
> you'd have much better luck (as well as better maintainability) if you
> just stood up your own DNS server that you talked to. You could then
> choose to set the forwarder to your standard DNS servers. For any zone
> that you know would be mishandled, you can configure it in your private
> DNS server as "authoritative" so that it won't forward to the broken
> servers.
>
> This has a lot of advantages (not least that you don't have to manage
> client configuration of /etc/hosts everywhere).
>

Hi Stephen,
I agree with you about the principle. We were aware of this and we took it
into consideration, but fortunately our deployment is not so big and, most of
all, it does not change frequently. The burden of keeping /etc/hosts
updated is not so frequent (twice a year on average) and in any case it
involves only the systems which need access to the newly deployed system.
As I said before, it was a weighed decision.

The idea of switching to an in-house DNS server has been in the air for a
while... it could be that if we adopt FreeIPA, then we will put the
DNS back in the chain. Since I'm not the decision maker of the office, my
question was driven by the need for a plan B to possibly fall back to.

Thanks a lot,
Marco


-- 
_________________________________________
Strong is not the one who never falls, but the one who, having fallen, has the strength to get back up.
                    Jim Morrison
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
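The private resolver Stephen describes (forwarding to the corporate DNS servers, but serving the zones they are known to mishandle locally, and answering only the production hosts so the rest of the network gains no "visibility") as a BIND 9 configuration. This is an added example, not configuration from the thread or from either poster; the addresses, zone name, and file paths are assumptions.

```conf
// ---- /etc/named.conf (added example; all values are assumed) ----
options {
    directory "/var/named";
    recursion yes;
    // Answer only our own production network and the resolver itself,
    // so systems outside it cannot enumerate our names through us.
    allow-query { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };
    // Everything we are not authoritative for goes to the corporate
    // servers managed by the other office (assumed addresses).
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
    dnssec-validation auto;
};

// A zone the corporate servers are known to mishandle: we are authoritative
// for it, so queries for these names never reach the forwarders.
zone "prod.example.internal" IN {
    type master;
    file "prod.example.internal.zone";
    allow-update { none; };   // no dynamic updates: the zone file is the record
    allow-transfer { none; }; // no zone transfers to anyone
};

// ---- /var/named/prod.example.internal.zone (added example) ----
// $TTL 3600
// @     IN SOA ns1.prod.example.internal. hostmaster.prod.example.internal. (
//             2011121901 ; serial (YYYYMMDDnn, bumped on every change)
//             3600       ; refresh
//             900        ; retry
//             604800     ; expire
//             300 )      ; negative-answer TTL
//       IN NS  ns1.prod.example.internal.
// ns1   IN A   10.0.0.2
// ; only the production hosts a given system may talk to are listed here,
// ; mirroring the per-host /etc/hosts approach but maintained in one place
// db01  IN A   10.0.1.10
// app01 IN A   10.0.1.20
```

The `allow-query` and `allow-recursion` ACLs reproduce the restricted visibility the thread gets from /etc/hosts, while the single zone file replaces the per-system edits Marco mentions; `named-checkconf` and `named-checkzone` validate both files before reload.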
