shadedecho
Programmer
I am setting up a slave DNS server. I am using Bind for both the master server(s) and the slave server.
What I want is this... I want a slave-only DNS server that I can basically set up to automatically be a slave to multiple master servers for whatever zones those master servers have.
In other words, I wouldn't mind configuring one time the slave to "know" about and be authorized to get all zones from a specific master, but I don't want to have to configure each new zone from each master on the slave as well.
Is there a way to do this?
I've considered using a database-based DNS system (which a few of my master servers are using), or a common file system (NFS), or even some cron-job/script based mechanism for replicating data into the slave file(s). All of this is an attempt to have a single source for data. While this *could* be a solution, in my situation, it most likely won't work.
However, the master servers will be running on various different hosts, some local, some remote, and some in entirely different setups (OS, etc). The goal here is that my slave DNS server (or servers) can act like transparent backups to any number of master DNS servers in case they ever go down.
********************
One method I've considered is to just run a caching-only name server which is "aware of" (by simple internet connectivity/resolution) those master servers, such that requests against the slave would initiate a request to the master, and then cache that response from then on.
This solves *part* of the problem, in that a cached record could hold up while the master is down. But if the request has never been made, or hasn't been made since the cache record was made stale (beyond TTL), and the master is down, then the slave won't be useful.
So then I thought that perhaps I could just have a script on each master which runs as a cron job and initiates a request on the slave for each of its own domains, thereby forcing all domains into the cache regularly, so the slave would "always" have complete information.
Of course, this recursion would need to be controlled so my server was not just a fully open DNS server. So the slave could be configured to allow recursion only to the IP addresses of the configured master servers. The master servers of course would block recursion already (since they are properly configured), so allowing the slave to do restricted one-level recursion to its configured masters would not generally be considered nearly as dangerous as a true open server.
So, the million dollar question is, would the cached records on the slave server be less "authoritative" or functionally complete as opposed to a true slave DNS server? In other words, what are the reasons I would not want to go in this direction?
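To make the "cache versus true slave" trade-off concrete, here is a small Python model of the two designs described in the post. It is an added example written for this page, not code from the original poster or from BIND; the zone content, addresses, TTLs and the SOA expire timer are all constructed for illustration. The caching design allows recursion only from the master's address (192.0.2.10/32) and pre-warms one name from a cron job on the master; the secondary design loads the whole zone by AXFR and serves it until the SOA expire timer runs out. The model then takes the master offline and compares what each server can answer.

```python
"""Added example (not from the original post or from BIND): a toy model of a
pre-warmed caching server with recursion restricted to the masters, versus
a real secondary holding a full zone copy with SOA expire semantics.  All
names, addresses, TTLs and timers below are constructed for illustration."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int


# Constructed zone served by the master at 192.0.2.10.
APEX = "example.test"
ZONE = {
    ("www.example.test", "A"): Record("www.example.test", "A", "203.0.113.5", 300),
    ("mail.example.test", "A"): Record("mail.example.test", "A", "203.0.113.25", 300),
}
SOA_EXPIRE = 604800  # one week; a typical expire value for a secondary


class Master:
    """Authoritative master; `up` lets the simulation take it offline."""

    def __init__(self, zone):
        self.zone = dict(zone)
        self.up = True

    def answer(self, name, rtype):
        if not self.up:
            return None                        # unreachable / timeout
        rec = self.zone.get((name, rtype))
        if rec:
            return ("NOERROR", [rec], True)    # AA bit set
        if name.endswith("." + APEX):
            return ("NXDOMAIN", [], True)      # authoritative negative answer
        return ("REFUSED", [], False)          # not our zone, no recursion

    def axfr(self):
        return dict(self.zone) if self.up else None


class CachingSlave:
    """Cache-only server; recursion only for clients inside `allow_recursion`.
    Negative answers are not cached here, which keeps the model simple."""

    def __init__(self, master, allow_recursion):
        self.master = master
        self.acl = [ipaddress.ip_network(n) for n in allow_recursion]
        self.cache = {}  # (name, rtype) -> (record, expires_at)

    def query(self, client, name, rtype, now):
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > now:
            return ("NOERROR", [hit[0]], False)   # cached answers are never AA
        if not any(ipaddress.ip_address(client) in n for n in self.acl):
            return ("REFUSED", [], False)         # recursion not allowed for client
        ans = self.master.answer(name, rtype)
        if ans is None:
            return ("SERVFAIL", [], False)        # master down and nothing cached
        rcode, recs, _ = ans
        for r in recs:
            self.cache[(name, rtype)] = (r, now + r.ttl)
        return (rcode, recs, False)


class SecondarySlave:
    """True secondary: full zone copy via AXFR, served until SOA expire."""

    def __init__(self, master):
        self.master = master
        self.zone = None
        self.loaded_at = None

    def refresh(self, now):
        copy = self.master.axfr()
        if copy is not None:
            self.zone, self.loaded_at = copy, now
        return copy is not None

    def query(self, client, name, rtype, now):
        if self.zone is None or now - self.loaded_at > SOA_EXPIRE:
            return ("SERVFAIL", [], False)        # zone expired or never loaded
        rec = self.zone.get((name, rtype))
        if rec:
            return ("NOERROR", [rec], True)
        if name == APEX or name.endswith("." + APEX):
            return ("NXDOMAIN", [], True)         # complete zone: can deny names
        return ("REFUSED", [], False)


def simulate():
    """Pre-warm one name at t=0, kill the master at t=100, compare answers.
    Returns {label: (cache_rcode, cache_aa, secondary_rcode, secondary_aa)}."""
    master = Master(ZONE)
    cache = CachingSlave(master, allow_recursion=["192.0.2.10/32"])
    secondary = SecondarySlave(master)
    cache.query("192.0.2.10", "www.example.test", "A", now=0)   # cron warm-up
    secondary.refresh(now=0)                                    # AXFR
    master.up = False                                           # t=100: master dies
    client = "198.51.100.7"                                     # ordinary client
    out = {}

    def ask(t, name):
        c = cache.query(client, name, "A", t)
        s = secondary.query(client, name, "A", t)
        out[f"t={t} {name}"] = (c[0], c[2], s[0], s[2])

    ask(200, "www.example.test")      # warmed, within TTL
    ask(200, "mail.example.test")     # never warmed
    ask(200, "ghost.example.test")    # does not exist
    ask(400, "www.example.test")      # TTL expired
    ask(SOA_EXPIRE + 200, "www.example.test")   # past SOA expire
    # Even the master's own cron job gets SERVFAIL for an unwarmed name now.
    out["t=200 mail.example.test from master"] = cache.query(
        "192.0.2.10", "mail.example.test", "A", 200)[0]
    return out


if __name__ == "__main__":
    for label, result in simulate().items():
        print(label, result)
```

The model shows the practical differences the question is about: cached answers never carry the AA bit, names that were never warmed (or whose TTL has lapsed) cannot be answered at all once the master is gone, and a caching server cannot return an authoritative NXDOMAIN for a name it has never seen, whereas a secondary keeps serving the complete zone, positive and negative answers alike, until the SOA expire timer (days, not seconds) runs out. On the provisioning question itself, BIND 9.11 and later add catalog zones, which let a secondary configure member zones automatically from a list published by the primary; this model does not cover that.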