Re: nscd: Was Re: long delays with LDAP nss/pam

To: debian-isp@lists.debian.org
Subject: Re: nscd: Was Re: long delays with LDAP nss/pam
From: Wouter Verhelst <wouter@grep.be>
Date: Fri, 29 Oct 2004 15:08:46 +0200
Message-id: <[🔎] 20041029130846.GA11101@grep.be>
In-reply-to: <[🔎] 20041029100451.GB7440@cirrus.madduck.net>
References: <[🔎] 20041027074344.GA2332@cirrus.madduck.net> <[🔎] 1098863704.1309.80.camel@schizo> <[🔎] 1098864469.1311.87.camel@schizo> <[🔎] 200410282320.46079.russell@coker.com.au> <[🔎] 20041028161033.GA22007@cirrus.madduck.net> <[🔎] 20041029091249.GE5842@grep.be> <[🔎] 20041029100451.GB7440@cirrus.madduck.net>

On Fri, Oct 29, 2004 at 12:04:51PM +0200, martin f krafft wrote:
> also sprach Wouter Verhelst <wouter@grep.be> [2004.10.29.1112 +0200]:
> > How is djbdns good? In that it doesn't correctly implement the
> > RFCs on some crucial parts of the DNS protocol?
> > 
> > (hint: search for 'AXFR' or 'IXFR', and see what mr. Bernstein has
> > to say about that. No, rsync is /not/ a suitable protocol to
> > synchronise DNS configuration!)
> 
> Neither AXFR nor IXFR are crucial, and instead of your proof by
> assertion, would you care to tell me why rsync is not suitable?

It assumes that all DNS servers use the same configuration format, or
that all DNS servers in a given zone run the same software, which simply
is an incorrect assumption.

> It works far better here. Anyway, with the confidence that boldly
> jumps out of your post, I am sure you know about axfrdns, which is
> part of djbdns.

Well, no. Seems my information was out of date; but the IXFR part
stands.

> That provides AXFR but not IXFR. I have yet to see an implementation
> of IXFR that works. If you now way BIND, I am just going to laugh at
> you.

Well, go ahead then. But make sure you don't laugh too hard.

Using BIND9, nsupdate, and domain keys, you have an IXFR implementation
that is complete, secure (at least as secure as BIND itself and the key
you're using), and that works:

wouter@folk:~$ dig ixfr=116 grep.be

; <<>> DiG 9.2.4 <<>> ixfr=116 grep.be
;; global options:  printcmd
grep.be.                86400   IN      SOA     folk.grep.be.
wouter.grep.be. 117 10800 3600 604800 86400
grep.be.                86400   IN      SOA     folk.grep.be.
wouter.grep.be. 116 10800 3600 604800 86400
grep.be.                86400   IN      SOA     folk.grep.be.
wouter.grep.be. 117 10800 3600 604800 86400
worldmusic.grep.be.     86400   IN      A       192.168.119.10
grep.be.                86400   IN      SOA     folk.grep.be.
wouter.grep.be. 117 10800 3600 604800 86400
;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 29 15:03:35 2004
;; XFR size: 5 records

Yes, obviously this requires you to do some configuration first. So
what?

-- 
         EARTH
     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
         WATER
 -- with thanks to fortune

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: nscd: Was Re: long delays with LDAP nss/pam
  - From: martin f krafft <madduck@debian.org>

References:
- long delays with LDAP nss/pam
  - From: martin f krafft <madduck@debian.org>
- Re: long delays with LDAP nss/pam
  - From: Donovan Baarda <abo@minkirri.apana.org.au>
- nscd: Was Re: long delays with LDAP nss/pam
  - From: Donovan Baarda <abo@minkirri.apana.org.au>
- Re: nscd: Was Re: long delays with LDAP nss/pam
  - From: Russell Coker <russell@coker.com.au>
- Re: nscd: Was Re: long delays with LDAP nss/pam
  - From: martin f krafft <madduck@debian.org>
- Re: nscd: Was Re: long delays with LDAP nss/pam
  - From: Wouter Verhelst <wouter@grep.be>
- Re: nscd: Was Re: long delays with LDAP nss/pam
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: additional dns search spaces
Next by Date: Re: nscd: Was Re: long delays with LDAP nss/pam
Previous by thread: Re: nscd: Was Re: long delays with LDAP nss/pam
Next by thread: Re: nscd: Was Re: long delays with LDAP nss/pam
Index(es):
- Date
- Thread