
Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)



Hi Petter,

I don't want to discuss the technical points, but:
 
On Sun, Jan 09, 2011 at 10:40:18PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > So I conclude, that the current DNS setup, as a mixture of ldap
> > objects prepared for bind with extra attributes to make powerDNS
> > (sort of) work, is broken.
> 
> It is not quite as you expect it to be, but I would not go as far as
> claiming it is broken.  It was broken and the installation failed
> completely (DNS failed to look up any info in LDAP) after you replaced
> the original powerdns tree with the gosa dns setup tree, but as you
> have noticed, I adjusted the gosa tree to get it to work again with
> powerdns.
> 

I have the greatest respect for your work and experience, and all the
time you have devoted to debian-edu. Without that, skolelinux would
not be where and what it is today. By calling the setup "broken", I
did in no way want to decry the quality of your work. 

However, you blame me here for breaking stuff and caring a shit about
it. The changes you probably mean can be found here, committed on
2010-11-10: 
http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-tools/?rev=71084&sc=1

Two days before that commit, on 2010-11-09, we had an IRC meeting where
we discussed how to proceed. http://lists.debian.org/debian-edu/2010/11/msg00090.html
(The discussion/decision that we continue with GOsa was even earlier
around 2010-10-20). 
In the meeting I clearly stated: "and1bm  I do not have the time to
work on the pdns issue (and I am not sure if it's that easy)."

Already on 2010-10-29, about two weeks before the commit, I provided
the solution to solve the DNS problem with packages available in
Debian and minimal modifications as repeated yesterday:
http://lists.debian.org/debian-edu/2010/10/msg00209.html

What should I have done instead of committing the changes? 
Waiting for the implementation of powerDNS in general? 
Doesn't the commit also pave the way to start with the powerDNS
implementation on the problem itself and on other improvements?

[...]
 
> > With such a system, it's extremely hard to stay motivated, because
> > you waste your time fixing things that are "known not to work
> > properly" instead of really being able to test new things.
> 
> Yes, but I managed to stay motivated anyway, even if you broke the
> installation by inserting a DNS LDAP tree that did not work with the
> packages we install.  

If this is taken as an argument, I hope debian-edu does not evolve
into some kind of "intellectual masochism-club".
 
Please compare with my comment above. The solution was provided way in
advance. If it's not acceptable and technical arguments are not really
convincing (at least not for the temporary solution, if not at all), I
don't see it as my job (and I clearly expressed that, see also above)
to provide the solution that suits you. 

> I hope you will manage the same, and keep up
> your good work while testing changes and ensuring that the
> installation keeps working.

Well, I have to say that in my daily work (that started today again,
btw), I have already a sufficiently high frustration potential, and I
don't think it's a good idea to further increase that in my spare
time. (It's already above the point where it can be seen as a good
exercise to push that level).

[...]

> Part of the reason we went with powerdns is that it fetches
> information directly from LDAP, so changes done to LDAP take effect
> immediately.  A reason we moved the DNS from files to LDAP is to allow
> dynamic updates of DNS information without having to edit other
> packages conffiles to ease upgrades and stay within the Debian policy
> requirements.  

I don't see the need for immediate updates. In most schools the system
will be set up and not changed that often.
The Debian Policy is a rather funny argument. There is a directory
full of cf-rules that violates this policy. But we pick probably one
of the most minor issues (adding a line in a config-file that includes
another file; isn't that almost .d-directory-like?) and use it to
promote source-code modification of packages. Or the use of modified
extra packages not in Debian. 

I wished we could use the time and energy spent for these discussions
to work on technical problems the violation of Debian Policy (and
that's the reason for the Policy) causes.

However, I am looking forward to the time where powerDNS works nicely
in combination with GOsa. 

Best regards,

     Andi

