Firewall Wizards mailing list archives

Re: DNS behind a firewall with multiple domains?


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 17 Mar 1999 12:58:30 -0500 (EST)

1999-03-15-18:40:47 Joseph S D Yao:
Previously, somebody had tried a "universal secondary", but it got stale and
corrupted the DNS supply - sites were getting new designated baby seals that
didn't know to update serial numbers when they updated their DNS.

I may be about to reveal to the world that I don't completely understand
DNS, but... how does the "universal secondary" make the problem of
improperly-maintained DNS data worse? What with caching servers (which
should be in widespread use anywhere people are rolling out DNS) and serious
secondaries for redundancy, I'd think that a universal secondary (or, if I
were setting it up, a couple of them) wouldn't make things any worse.

Within the firewall, all name servers forward to trusted caching
servers, some of which used to be [the current problem] on the
periphery and could look both out and in.

Those name servers that forwarded to the "universal secondary" got
corrupted, and all of the many populations that followed them got
confused.  As did I, for a while, trying to sort out this mess.

If you've got people administering DNS who can't do it right, perhaps they
need a helper script. Besides bumping the serial number, it could do some
really really aggressive error-checking, then maybe check the zone file into
RCS or CVS before letting BIND see it. Heck, for serious clever, could you
maybe even teach it to watch named's logfile after a checkin, while running
some test queries, and back out the upgrade if named is whining?

I've written scripts like that.

The real problem here is ... _I_ have nobody doing anything.  For the
Network/Firewall, it's just li'l ol' me.  The sites are supposed to
have personnel who are, under their management's orders, doing DNS and
other stuff.  Some sites have new military folks rotated in who always
thought that DNS just magically happened, and now have to learn the
incantations.  Some sites have MSW-NT, and who knows what that really
does?  Both .mil and non-.mil sites have contractors who lose the bid
to less expensive contractors, who then supply their less expensive
people, and no notes are left about what procedures to use - and nobody
wants to ask, that might be showing that they don't know something.
But nobody reports to me, and I can't make anybody do anything.

Whine, whine, whine.  ;-}  In all fairness, there are some sites who
have truly excellent, long-term support.  [Some of them read this list
- now they won't be all over me.  ;->]  These sites are actually least
likely to use my "dummy" scripts, but dissect them by hand and use the
information.  [I know who you are by what you change.  My scripts are
watching your scripts.]

The "universal secondary" ["star slave"] was a good idea, but after
some thought it requires too much social prodding - which can't be left
to the vendor [remember, that's another consideration].

But, yesterday, BIND 8.2 was released.  When the bug-fixed 8.2.1 is
released, that should give us all the capabilities we need.

I think.  ;-)

Thanks for the thoughts.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-A/B
-----------------------------------------------------------------------
        PLEASE ... send or Cc: all "COSPO/OSIS Computer Support"
                     mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.
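The helper script sketched in the thread (bump the serial, check the zone hard, check it into RCS before BIND sees it, reload, run a test query, back the change out if named complains) written out as an added example; it is not a script from either participant. Tool names are the standard BIND and RCS ones and are assumed installed (each step is skipped, not faked, when its tool is absent); the zone example.test, its hosts and the zone file text are constructed for illustration. One point the thread's "back it out" idea needs in practice: a secondary may already have pulled the bad zone, so the restored data must go out under a serial higher than the failed one, not the old one.

```python
"""Zone-file check-in helper: bump the SOA serial, validate with
named-checkzone, check the file into RCS, reload, run a test query, and back
the change out if anything complains.  Added example, not a script from the
thread; tool names are the standard BIND/RCS ones (assumed installed), and the
zone, hosts and zone file below are constructed for illustration."""
import datetime
import re
import shutil
import subprocess
from pathlib import Path

# Serial = first integer after the SOA MNAME and RNAME fields, with or without
# the "(" of the multi-line form.  Assumes no comment between "(" and the serial.
SOA_SERIAL_RE = re.compile(r"\bSOA\b\s+\S+\s+\S+\s*\(?\s*(\d+)")
MAX_SERIAL = 2**32 - 1   # 32-bit unsigned field
MAX_STEP = 2**31 - 1     # RFC 1982: a larger jump looks like a decrease to secondaries

SAMPLE_DATE = datetime.date(1999, 3, 17)      # constructed "today" for the demo
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.test. hostmaster.example.test. (
        1999031501 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN  NS  ns1.example.test.
ns1 IN  A   192.0.2.1
"""


def next_serial(current: int, today: datetime.date) -> int:
    """Next YYYYMMDDnn serial; always strictly greater than the current one,
    even if the current serial is odd, ahead of the clock, or not date-based."""
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base and base + 1 - current <= MAX_STEP:
        return base + 1          # first change today
    if current >= MAX_SERIAL:
        raise ValueError("serial would wrap; do the RFC 1982 two-step by hand")
    return current + 1           # later change today, or a serial we cannot re-date


def current_serial(zone_text: str) -> int:
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    return int(m.group(1))


def set_serial(zone_text: str, value: int) -> str:
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    return zone_text[: m.start(1)] + str(value) + zone_text[m.end(1):]


def bump_serial(zone_text: str, today: datetime.date) -> tuple[str, int, int]:
    old = current_serial(zone_text)
    new = next_serial(old, today)
    return set_serial(zone_text, new), old, new


def run(*cmd: str):
    """Run a tool; return its stdout, or None if it failed.  A tool that is not
    installed is reported and skipped so the script can be exercised anywhere."""
    if shutil.which(cmd[0]) is None:
        print(f"  [skip] {cmd[0]} not installed")
        return "(skipped)"
    r = subprocess.run(cmd, capture_output=True, text=True, stdin=subprocess.DEVNULL)
    if r.returncode != 0:
        print(f"  [fail] {' '.join(cmd)}\n{r.stdout}{r.stderr}")
        return None
    return r.stdout


def check_in(zone: str, path: Path, test_name: str, server: str = "127.0.0.1",
             today=None) -> bool:
    """Bump, check, version, reload, query; on failure re-serve the previous
    data under a serial *higher* than the failed one, since a secondary may
    already have transferred the bad zone."""
    today = today or datetime.date.today()
    old_text = path.read_text()
    new_text, old, new = bump_serial(old_text, today)
    path.write_text(new_text)
    print(f"{zone}: serial {old} -> {new}")
    ok = (run("named-checkzone", zone, str(path)) is not None
          and run("ci", "-l", "-t-zone file", f"-mserial {new}", str(path)) is not None
          and run("rndc", "reload", zone) is not None)
    if ok:
        answer = run("dig", f"@{server}", "+short", test_name)
        ok = bool(answer and answer.strip())     # an empty answer is also a failure
    if not ok:
        redo = next_serial(new, today)
        path.write_text(set_serial(old_text, redo))
        run("rndc", "reload", zone)
        print(f"{zone}: backed out; old data re-served as serial {redo}")
    return ok


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "example.test.zone"
        p.write_text(SAMPLE_ZONE)
        check_in("example.test", p, "ns1.example.test", today=SAMPLE_DATE)
```

The serial logic is the part worth copying: a site that edits by hand and forgets the serial is exactly the failure the thread describes, and a serial that goes backwards (or jumps by more than 2^31) is silently ignored by secondaries, which is how a "universal secondary" ends up serving stale data with no error anywhere. The RCS revision of a failed check-in is deliberately left in history so the bad edit can be inspected afterwards.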
