I've been using powerdns for quite a while and I've found it to be solid and stable. It'll use quite a few different backends including BIND zone files, but its claim to fame is that it uses mysql.

A list of different backends can be found at: http://en.wikipedia.org/wiki/PowerDNS#Backends

I saw bind and bind2, db2, geo, gmysql, gpgsql, goracle, gsqlite, ldap, odbc, opendbx, pipe and xdb. Pipe is interesting because you can write a backend in anything that talks to anything. There is documentation and examples on the website. The "g" stands for generic.

I've been using poweradmin for management.

register.com and tucows both use it.

Cheers,
Curtis

Ben Matthew wrote:
Thanks very much for the various responses to my question; both on and off-list.
I'm very much liking the idea of only letting the outside world see bind and then AXFR'ing the data from an easier-to-manage internal database backed solution. Whether that be myDNS, Microsoft or whatever. Bit of initial config work and then, in theory, an easy job to administer.
Actually feel a bit dumb for not considering that in the first place.
Cheers again,
Ben
-----Original Message-----
From: Peter Hicks [mailto:peter.hicks@poggs.co.uk]
Sent: 01 June 2009 12:42
To: Ben Matthew
Cc: nanog@nanog.org
Subject: Re: In a bit of bind...
Ben,
Ben Matthew wrote:
I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).
For DNS, you may find it easier to outsource hosting to another provider who has geographically diverse DNS services. This doesn't necessarily mean loss of control. It also separates your nameserver hosting from your servers - suppose your network were to be under attack, or a configuration error dropped you offline. If DNS were somewhere else, you could log in, change A records, point somewhere else.
Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.
Revision control systems - CVS, Subversion - are your friend here. What about wrapping up your DNS change procedure through perl or shell scripts which automatically roll back if bind doesn't reload, or some critical hosts suddenly disappear from the file.
Also, ask yourself what the cost of operating the service without changes is, and what the cost of each change is. How often are you making changes? How often do you need to make a change in an absolute emergency? If changes are being done frequently, a technical or semi-technical member of staff will get to know the procedure. If changes are being made rarely, can the changes wait for you to apply them if you don't feel comfortable with others doing it?
Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that...
Herein lies a problem - you want to create a web front-end to a DNS server. You're going to have to do a lot of testing to make this play nicely, and you could introduce your own security holes or gotchas. What is the cost of creating something yourself?
How about one of the following?
* Outsource DNS hosting, use another provider's interface to manage
* BIND9 slaves, Windows-based master (hidden) which already has a GUI and it isn't difficult to change zones
* Stick to what you have and document it, wrapping the 'apply' process in some simple shell or perl
Peter
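Peter's third option above, the 'apply' step wrapped in a script that refuses to install a zone file which fails validation, has lost critical hosts or has not had its serial bumped, and rolls back if bind doesn't reload, as an added example that is not from the thread. It assumes one file per zone under a ZONEDIR, named-checkzone and rndc on PATH, and critical host names given as plain labels (not regular expressions).

```shell
#!/bin/sh
# Added example: safe "apply" wrapper for hand-edited BIND zone files.
# Assumptions: one file per zone under $ZONEDIR, named-checkzone and rndc
# on PATH, and the zone already committed to CVS/Subversion before applying.
set -u
ZONEDIR=${ZONEDIR:-/etc/bind/zones}

# Succeed only if every critical owner name still appears in the zone file
# (matched at line start, relative "www" or absolute "www.example.com.").
# Host names are assumed to be plain labels, not regular expressions.
critical_hosts_present() {
    zonefile=$1; shift
    for host in "$@"; do
        grep -Eq "^${host}(\.[A-Za-z0-9.-]+\.)?[[:space:]]" "$zonefile" || {
            echo "critical host '$host' missing from $zonefile" >&2
            return 1
        }
    done
}

# Print the SOA serial: the first all-digit field after the SOA token,
# whether the SOA record is on one line or wrapped in parentheses.
soa_serial() {
    awk '
        !s { for (i = 1; i <= NF; i++) if ($i == "SOA") { s = 1; start = i + 1; break }
             if (!s) next }
        { for (i = start; i <= NF; i++) {
              if ($i ~ /^;/) break
              if ($i ~ /^[0-9]+$/) { print $i; exit }
          }
          start = 1 }' "$1"
}

# apply_zone ZONE NEWFILE CRITICAL_HOST... : validate, install, reload,
# and put the previous file back if bind will not load the new one.
apply_zone() {
    zone=$1; new=$2; shift 2
    live="$ZONEDIR/$zone.zone"
    critical_hosts_present "$new" "$@" || return 1
    [ "$(soa_serial "$new")" -gt "$(soa_serial "$live")" ] ||
        { echo "SOA serial not increased; slaves would never AXFR" >&2; return 1; }
    named-checkzone "$zone" "$new" >/dev/null || return 1   # syntax/semantics check
    cp -p "$live" "$live.bak" && cp "$new" "$live" || return 1
    if ! rndc reload "$zone"; then
        echo "reload of $zone failed, rolling back to previous file" >&2
        cp -p "$live.bak" "$live" && rndc reload "$zone"
        return 1
    fi
}
```

The pure-shell checks run before the live file is touched, so a typo in the edited zone never reaches the servers that the slaves AXFR from.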
On Jun 1, 2009, at 2:37 PM, Curtis Maurand wrote:
I've been using powerdns for quite a while and I've found it to be solid and stable. It'll use quite a few different backends including BIND zone files, but its claim to fame is that it uses mysql.
a list of different backends can be found at: http://en.wikipedia.org/wiki/PowerDNS#Backends
I saw bind and bind2, db2, geo, gmysql, gpgsql, goracle, gsqlite, ldap, odbc, opendbx, pipe and xdb. Pipe is interesting because you can write a backend in anything that talks to anything. There is documentation and examples on the website. The "g" stands for generic.
I've been using poweradmin for management.
We've been using it as well in what I would consider a very small setup: 150 domains, most with almost no traffic to speak of, but 3 or 4 with decent traffic (the high traffic ones serving over 50k end-user CPE for VoIP traffic with very short TTLs). The MySQL back-end really is a claim to fame - it makes administration really easy to integrate into whatever you want.

We have also been using poweradmin for basic management for things not under programmatic MySQL management. It's basic and a bit kludgy, but definitely adequate, and easy enough to hack into your own idea of what it should be.

Daryl
Once upon a time, whilst working for a fairly well-known UK domain registration company, I put together a system built on an early version of the BIND-DLZ patchset against BIND 9.2.5 (if I recall correctly). It used MySQL as the backend database (because that's what the registration system used for CRM purposes) and worked very nicely, thank you, for well in excess of a million zones and a query rate which I forget but was of the order of several thousand per second, maybe higher at times.

We had a custom-written web management toolbox, part of which was exposed to customers through their control panel so they could manage their zones by themselves. The "frontend" nameservers - those actually answering queries - had a "read only" one-way replicated copy of the tables being managed by the CRM system, so all changes were near instantaneous. Copious caching options and indexing in MySQL gave the DB pretty good performance. The frontend servers themselves were load balanced and fault-tolerant and in theory at least a single machine could handle the overall system load.

Unfortunately, after I moved on from that job the system broke in some spectacular way (I don't know why) and has since been significantly changed from the original spec, but I couldn't say how...

DLZ worked for us - but the DB and management tools were built "in house"; I don't think there's an ideal off-the-shelf solution built around it (yet).

Graeme