[114949] in North American Network Operators' Group
RE: In a bit of bind...
daemon@ATHENA.MIT.EDU (Ben Matthew)
Mon Jun 1 09:58:18 2009
From: Ben Matthew <Ben.Matthew@timlradio.co.uk>
To: 'Peter Hicks' <peter.hicks@poggs.co.uk>
Date: Mon, 1 Jun 2009 14:58:01 +0100
In-Reply-To: <4A23BE84.5030404@poggs.co.uk>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Thanks very much for the various responses to my question; both on and off-list.

I'm very much liking the idea of only letting the outside world see bind and then AXFR'ing the data from an easier-to-manage internal database backed solution. Whether that be myDNS, Microsoft or whatever. Bit of initial config work and then, in theory, an easy job to administer.

Actually feel a bit dumb for not considering that in the first place.

Cheers again,

Ben


-----Original Message-----
From: Peter Hicks [mailto:peter.hicks@poggs.co.uk]
Sent: 01 June 2009 12:42
To: Ben Matthew
Cc: nanog@nanog.org
Subject: Re: In a bit of bind...

Ben,

Ben Matthew wrote:
> I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).
>
For DNS, you may find it easier to outsource hosting to another provider who has geographically diverse DNS services. This doesn't necessarily mean loss of control. It also separates your nameserver hosting from your servers - suppose your network were to be under attack, or a configuration error dropped you offline. If DNS were somewhere else, you could log in, change A records, point somewhere else.
> Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.
>
Revision control systems - CVS, Subversion - are your friend here. What about wrapping up your DNS change procedure through perl or shell scripts which automatically roll back if bind doesn't reload, or some critical hosts suddenly disappear from the file.

Also, ask yourself what the cost of operating the service without changes is, and what the cost of each change is. How often are you making changes? How often do you need to make a change in an absolute emergency? If changes are being done frequently, a technical or semi-technical member of staff will get to know the procedure. If changes are being made rarely, can the changes wait for you to apply them if you don't feel comfortable with others doing it?
> Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that...
Herein lies a problem - you want to create a web front-end to a DNS server. You're going to have to do a lot of testing to make this play nicely, and you could introduce your own security holes or gotchas. What is the cost of creating something yourself?

How about one of the following?

 * Outsource DNS hosting, use another provider's interface to manage
 * BIND9 slaves, Windows-based master (hidden) which already has a GUI and it isn't difficult to change zones
 * Stick to what you have and document it, wrapping the 'apply' process in some simple shell or perl


Peter
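Peter's suggestion of wrapping the 'apply' step in a shell script that backs a change out when a critical host vanishes from the file or BIND will not load it, as an added example that is not part of the original thread. It uses BIND's own named-checkzone and rndc; the zone name, file paths and the list of critical hosts are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): guarded "apply" step for a hand-edited
# BIND zone file. Assumes BIND's named-checkzone and rndc are on the master;
# zone name, file paths and critical host names are caller-supplied assumptions.

# Succeed only if every critical owner name still has a record in the file.
check_critical_hosts() {
    zone_file=$1; shift
    for host in "$@"; do
        # owner name at the start of a line, as a bare label or an FQDN
        if ! grep -Eq "^${host}([.[:space:]]|\$)" "$zone_file"; then
            echo "critical host '$host' missing from $zone_file" >&2
            return 1
        fi
    done
    return 0
}

# Print the SOA serial: the first all-digit token after the SOA RR type, which
# covers both single-line and parenthesised multi-line SOA records.
zone_serial() {
    awk '!f && /[[:space:]]SOA[[:space:]]/ { f=1; for (i=1;i<=NF;i++) if ($i=="SOA") s=i+1 }
         f { for (i=s;i<=NF;i++) if ($i ~ /^[0-9]+$/) { print $i; exit }; s=1 }' "$1"
}

# Slaves only AXFR when the serial grows, so refuse a change that forgot to bump it.
check_serial_bumped() {
    old=$(zone_serial "$1"); new=$(zone_serial "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$new" -gt "$old" ] ||
        { echo "serial '$new' does not exceed live serial '$old'" >&2; return 1; }
}

# apply_zone ZONE LIVE_FILE CANDIDATE_FILE CRITICAL_HOST...
apply_zone() {
    zone=$1 live=$2 cand=$3; shift 3
    check_critical_hosts "$cand" "$@" || return 1
    check_serial_bumped "$live" "$cand" || return 1
    # named-checkzone is the real gate: it parses the file exactly as named would
    named-checkzone -q "$zone" "$cand" || { echo "zone check failed" >&2; return 1; }
    cp -p "$live" "$live.bak" && cp "$cand" "$live" || return 1
    # a per-zone rndc reload is queued asynchronously, so its exit status mainly
    # catches rndc or named being unreachable; keep the backup and roll back then
    if ! rndc reload "$zone"; then
        cp "$live.bak" "$live" && rndc reload "$zone"
        echo "reload failed, restored $live from $live.bak" >&2
        return 1
    fi
}
```

Keeping the live file and the candidate in CVS or Subversion, as Peter suggests, gives the same rollback for changes that passed every check but still turned out wrong.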