Re: rsync vs. axfr-clarify (was: in support of axfr-clarify)
Dan,

Now I KNOW you're on crack. EVERY single DNS server that I've set up
has used AXFR to do zone syncs. The reason: each server hosts a
different set of zones. My primary and secondary servers are not
mirrors of each other. They are not administrated by the same set of
people. Indeed, the BCP REQUIRES that DNS servers be
network-distributed to protect against single-point-of-failures.

Setting up axfr is simple. I list my secondaries, and they just say
"master <my-ip-address>". There. Done. End of configuration. How
could setting up a secondary be any easier than that?

I would say that there is a LOT of demand for AXFR. Everyone out
there that runs their own domain and actually follows the BCP needs
AXFR. I'm certainly not willing to give my secondaries remote-access
(even for rsync) to my server. Nor do I think the primaries for the
zones for which I secondary would give me similar access.

Dan, it's been a long time since our PGP V. X.509 discussions on the
bus from Morristown to Piscataway (I presume you still remember that
conversation? I certainly do!). What I learned from that is the
notion that there are necessarily multiple ways of doing something and
not everyone agrees on the "right way". So you need to come up with
some basic, minimal, in-band means to do what you want to do, and if
people want to do something different, out of band, you need to allow
them to do so. In this case, you need to standardize the AXFR (the
simple in-band solution) but allow people to use the out-of-band
(rsync) method if they so choose.

However, since it is out-of-band, that implies it is out-of-scope and
therefore should be taken elsewhere.

Have a nice day,

-derek

"D. J. Bernstein" <djb@cr.yp.to> writes:
> > > My recommended use of rsync is to replicate complete _servers_. This has
> > > a simple meaning: the servers respond identically to every query.
> > A cool concept. And a fringe case at best.
>
> In fact, even though BIND makes it unnecessarily difficult to set up,
> this is an extremely popular configuration. AXFR today has two main uses:
>
> (1) as a clumsy mechanism of replicating servers and
> (2) as a clumsy mechanism of editing zone files remotely.
>
> Except at companies that sell third-party DNS service, there's very
> little demand for any type of replication other than server replication.
> Yes, we can all point to examples such as arpa-vs.-root-servers.net, but
> those examples are the fringe case.
>
> ---D. J. Bernstein, Associate Professor, Department of Mathematics,
> Statistics, and Computer Science, University of Illinois at Chicago
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com