DNS migration and folks that don't play nice

Paul Lussier p.lussier at comcast.net
Mon Apr 10 20:36:02 EDT 2006


Bruce Dawson <jbd at codemeta.com> writes:

> That explains it! Older versions of BIND had problems - they were
> especially vulnerable to attacks, and "fell down" in pathologically bad
> ways. It got to the point where I was restarting BIND every two days
> until they (ISC) started coming out with security fixes.
[...]
> I would not be surprised at all if it looked like a BIND server was
> operating correctly for a few zones, and not others.
>
> Add to this the fact that most BIND servers operate using UDP instead of
> TCP, and it's easy to understand how BIND servers could become corrupt.
> Add to this the amount of malware on the Internet, and it's surprising
> that things are working at all!

We just migrated to a new BIND server and finally retired our very old
and tired NetBSD machine.  The NetBSD machine was 5+ years old, and
was already tired when I inherited it 2.5 years ago.

As people have probably suspected for a while, the network I currently
manage is, ahm, a little on the irregular side of things :) For
"Directory Services", we run Hesiod, which is essentially nothing more
than using DNS TXT and CNAME records to wrap around your /etc/passwd
file and serve them up using a DNS server.  It's quite lightweight,
and very fast.  However, our primary DNS server was our slave Hesiod
server, and vice versa.  For some reason, whenever we updated the
records on the Hesiod server we had to actually kill off the named
running on the primary dns server for it to update its copy of the
hesiod domain.  I have no idea why, but nothing else would update the
primary server's cache of the domain except a hard restart of named.

The only difference (ONLY he says, as if this is a *small* thing when
discussing BIND :) was that the primary was running BIND9 and the Hesiod servers
are running BIND8.  This really *shouldn't* matter, and indeed, the
new server we're running as our primary is also running BIND9 with
nothing changing on the Hesiod servers, and the update "just works"
with no restart necessary on the new BIND9 server.

So, yeah, BIND can be wacky at times :)

Oh, and as far as the original question goes, I usually just shorten
the TTLs leading up to the event, make the switch, and wait for the
rest of the world to catch up.  I've never bothered to maintain
forwarders for any length of time, but then again, I've only had these
events happen 3 or 4 times over the past decade and it's just never
been a problem.  If I were running a big site where I might miss one
in 2 billion e-mails coming in, or a trading site or something, I
might be more cautious :)


-- 

Seeya,
Paul
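As an added illustration of the "shorten the TTLs leading up to the event" step described above (example code written for this page, not part of the post or of BIND): the script below caps every TTL in a BIND-style zone file, bumps the SOA serial so secondaries notice the change, and reports the largest TTL resolvers may still be caching, which is the minimum time to wait before the switch. The sample zone is constructed; it includes a Hesiod-style passwd TXT record and uid CNAME in the layout the post describes (that layout, and the "owner TTL IN type" record ordering the regexes assume, are assumptions of this example).

```python
import re
from datetime import date

# Constructed sample zone for this example (not from the post). It mixes
# ordinary records with a Hesiod-style passwd TXT record and uid CNAME,
# the TXT/CNAME layout the post describes (layout assumed here).
SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2006041001 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN NS  ns1.example.net.
ns1 IN A   192.0.2.1
www 3600 IN A 192.0.2.10
alice.passwd IN TXT "alice:*:1000:1000:Alice Example:/home/alice:/bin/sh"
1000.uid IN CNAME alice.passwd
"""

# $TTL directive at the start of a line.
_TTL_DIRECTIVE = re.compile(r"^(\$TTL\s+)(\d+)", re.MULTILINE)
# Per-record TTL in the "owner TTL IN type" layout (assumed; BIND also
# accepts "owner IN TTL type", which this example does not handle).
_EXPLICIT_TTL = re.compile(r"^(\S*\s+)(\d+)(\s+IN\s+)", re.MULTILINE)
# Serial: first integer after the opening parenthesis of the SOA RDATA.
_SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)")


def bump_serial(serial, today):
    """Return the next serial. Follows the YYYYMMDDNN convention when the
    serial looks like one (today given as 'YYYYMMDD'); otherwise adds one."""
    if len(serial) == 10 and serial.isdigit():
        day, seq = serial[:8], int(serial[8:])
        if today > day:
            return today + "00"
        if today == day:
            return f"{day}{seq + 1:02d}"
    return str(int(serial) + 1)


def max_ttl(zone_text):
    """Largest TTL resolvers may currently be caching for this zone: the
    $TTL default plus any explicit per-record TTL. None if none is found."""
    ttls = [int(m.group(2)) for m in _TTL_DIRECTIVE.finditer(zone_text)]
    ttls += [int(m.group(2)) for m in _EXPLICIT_TTL.finditer(zone_text)]
    return max(ttls) if ttls else None


def lower_ttls(zone_text, new_ttl, today=None):
    """Cap every TTL in the zone at new_ttl (TTLs already lower are kept)
    and bump the SOA serial so secondaries transfer the changed zone."""
    today = today or date.today().strftime("%Y%m%d")
    text = _TTL_DIRECTIVE.sub(
        lambda m: m.group(1) + str(min(int(m.group(2)), new_ttl)), zone_text)
    text = _EXPLICIT_TTL.sub(
        lambda m: m.group(1) + str(min(int(m.group(2)), new_ttl)) + m.group(3), text)
    return _SOA_SERIAL.sub(
        lambda m: m.group(1) + bump_serial(m.group(2), today), text, count=1)


if __name__ == "__main__":
    # Publish the lowered zone, then wait at least the OLD maximum TTL before
    # moving the service: only then has every cached copy of the old data expired.
    print(f"; wait at least {max_ttl(SAMPLE_ZONE)} s after loading this zone")
    print(lower_ttls(SAMPLE_ZONE, 300))
```

The order matters in practice: load the lowered-TTL zone first, wait out the old maximum TTL, change the records, and only afterwards raise the TTLs again. Lowering the TTL and changing the address in the same edit gains nothing, because resolvers still hold the old record for the old TTL.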
