Firewall Wizards mailing list archives
Re: DNS behind a firewall with multiple domains?
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 17 Mar 1999 12:58:30 -0500 (EST)
> 1999-03-15-18:40:47 Joseph S D Yao:
> > Previously, somebody had tried a "universal secondary", but it got stale
> > and corrupted the DNS supply - sites were getting new designated baby
> > seals that didn't know to update serial numbers when they updated their
> > DNS.
>
> I may be about to reveal to the world that I don't completely understand
> DNS, but... how does the "universal secondary" make the problem of
> improperly-maintained DNS data worse? What with caching servers (which
> should be in widespread use anywhere people are rolling out DNS) and
> serious secondaries for redundancy, I'd think that a universal secondary
> (or, if I were setting it up, a couple of them) wouldn't make things any
> worse.
Within the firewall, all name servers forward to trusted caching servers, some of which used to be [the current problem] on the periphery and could look both out and in. Those name servers that forwarded to the "universal secondary" got corrupted, and all of the many populations that followed them got confused. As did I, for a while, trying to sort out this mess.
> If you've got people administering DNS who can't do it right, perhaps
> they need a helper script. Besides bumping the serial number, it could do
> some really really aggressive error-checking, then maybe check the zone
> file into RCS or CVS before letting bind see it. Heck, for serious clever,
> could you maybe even teach it to watch named's logfile after a checkin,
> while running some test queries, and back out the upgrade if named is
> whining?
I've written scripts like that. The real problem here is ... _I_ have nobody doing anything. For the Network/Firewall, it's just li'l ol' me. The sites are supposed to have personnel who are, under their management's orders, doing DNS and other stuff. Some sites have new military folks rotated in who always thought that DNS just magically happened, and now have to learn the incantations. Some sites have MSW-NT, and who knows what that really does? Both .mil and non-.mil sites have contractors who lose the bid to less expensive contractors, who then supply their less expensive people, and no notes are left about what procedures to use - and nobody wants to ask, that might be showing that they don't know something. But nobody reports to me, and I can't make anybody do anything. Whine, whine, whine. ;-}

In all fairness, there are some sites who have truly excellent, long-term support. [Some of them read this list - now they won't be all over me. ;->] These sites are actually least likely to use my "dummy" scripts, but dissect them by hand and use the information. [I know who you are by what you change. My scripts are watching your scripts.]

The "universal secondary" ["star slave"] was a good idea, but after some thought it requires too much social prodding - which can't be left to the vendor [remember, that's another consideration]. But, yesterday, BIND 8.2 was released. When the bug-fixed 8.2.1 is released, that should give us all the capabilities we need. I think. ;-)

Thanks for the thoughts.

-- 
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-A/B
-----------------------------------------------------------------------
PLEASE ... send or Cc: all "COSPO/OSIS Computer Support" mail to
sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
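The helper script the thread talks about (bump the serial, check the zone before named sees it) is the part that stops stale secondaries, so here is an added example of that core step; it is not a script from this thread or from the BIND project. It assumes a single-line SOA record whose serial is the first bare number after the `SOA` token, the YYYYMMDDnn serial convention, and treats the BIND 9 `named-checkzone` tool as optional.

```shell
#!/bin/sh
# Constructed example: rewrite a zone file's SOA serial so secondaries
# notice the change, and refuse any result that would not increase it.
# Assumptions: single-line SOA record, serial is the first bare number
# after the "SOA" token, YYYYMMDDnn serial convention.

# Print the serial of the SOA record in zone file $1.
current_serial() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { for (j = i + 1; j <= NF; j++) if ($j ~ /^[0-9]+$/) { print $j; exit } } }' "$1"
}

# Print the next serial for old serial $1 on date $2 (YYYYMMDD): the date
# plus "01" when that is larger, otherwise old + 1 (same day, or an old
# serial that is already "in the future"), so the value always grows.
next_serial() {
    _cand="${2}01"
    [ $(( $1 < _cand )) -eq 1 ] || _cand=$(( $1 + 1 ))
    echo "$_cand"
}

# Syntax check of zone file $2 with origin $1; a no-op if named-checkzone
# (BIND 9, assumed optional here) is not installed.
check_zone_syntax() {
    command -v named-checkzone >/dev/null 2>&1 || return 0
    named-checkzone -q "$1" "$2"
}

# bump_zone_serial ZONEFILE ORIGIN [YYYYMMDD]: check the zone, rewrite the
# serial in place, print the new serial. On any failure nothing is written.
bump_zone_serial() {
    _zone=$1; _origin=$2; _today=${3:-$(date +%Y%m%d)}
    check_zone_syntax "$_origin" "$_zone" || { echo "$_zone: syntax check failed" >&2; return 1; }
    _old=$(current_serial "$_zone")
    [ -n "$_old" ] || { echo "$_zone: no SOA serial found" >&2; return 1; }
    _new=$(next_serial "$_old" "$_today")
    [ $(( _new > _old )) -eq 1 ] || { echo "$_zone: serial $_new would not increase" >&2; return 1; }
    _tmp=$(mktemp) || return 1
    # Replace only the first bare number after "SOA" (the serial); other
    # SOA timers and record data are left untouched.
    awk -v old="$_old" -v new="$_new" '
        !done { for (i = 1; i <= NF; i++) if ($i == "SOA") { for (j = i + 1; j <= NF; j++) if ($j == old) { $j = new; done = 1; break } } }
        { print }' "$_zone" > "$_tmp" && mv "$_tmp" "$_zone" || { rm -f "$_tmp"; return 1; }
    echo "$_new"
}
```

Run it as `bump_zone_serial db.example example.test` just before reloading named; a serial that would not increase, or a zone that fails the syntax check, leaves the file unchanged and exits non-zero so a wrapper can refuse the checkin.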
Current thread:
- DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 12)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 13)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 16)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 13)
- Re: DNS behind a firewall with multiple domains? Don Turnbull (Mar 13)
- Re: DNS behind a firewall with multiple domains? Tim Kramer (Mar 15)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Bennett Todd (Mar 17)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 17)
- Re: DNS behind a firewall with multiple domains? Tim Kramer (Mar 15)
- <Possible follow-ups>
- RE: DNS behind a firewall with multiple domains? Burgess, John (EDS) (Mar 19)