Re: Is it possible to move a zone between catalogs on the same secondary? It is.
On 30. 04. 23 13:04, Aram Sargsyan wrote:
> Hello, Jan-Piet,
>
>> however, when I stop and restart the consumer server, I have sometimes (not always) seen
>>
>> catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because another catalog zone already contains an entry with that zone
>>
>> which is true, but it doesn't _seem_ to cause issues.
>
> That's just working as designed. If a member zone exists in both catz1 and catz2 catalog zones, and catz1 has a defined "coo" change of ownership property allowing a given member zone to be transferred to catz2, then there are two scenarios when a catalog zone consumer starts up:
>
> 1. It loads the member zone from catz1 first, then it sees the member zone exists also in catz2, and the "coo" property allows that, then the zone will be transferred from catz1 to catz2.
>
> 2. It loads the member zone from catz2 first, then it sees the member zone exists also in catz1, and there is no "coo" property allowing it to transfer from catz2 to catz1, so it emits the log message that you have seen, and continues serving the member zone from catz2.
>
> That's why it's recommended to remove the transferred member zone from catz1, once it is established that all the consumers have successfully processed the change of ownership operation.

Wondering out loud:
Maybe it should skip loading that particular member zone if the "coo" property already points to different catalog? Would that be more resilient against race conditions when named is restarted?

-- 
Petr Špaček
Internet Systems Consortium

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Is it possible to move a zone between catalogs on the same secondary? It is.
> Wondering out loud:
> Maybe it should skip loading that particular member zone if the "coo"
> property already points to different catalog? Would that be more
> resilient against race conditions when named is restarted?

That's an interesting suggestion, and I agree that it can solve the race between the two catalog zones in that particular case, but I think it should be acceptable for the operator that a member zone, which is in transition from catz1 to catz2, can be served by either of the catalog zones until the transition is over, and the entry with its "coo" property is removed from catz1.

Skipping to load a member zone based only on the existence of a "coo" property can potentially leave the zone unloaded if it is still not added in the successor catalog zone. I.e. the "coo" property can be added into the old catalog zone in preparation, for example, hours before the member zone is added into the new catalog zone.

Aram
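The two startup orders described in this thread, and the case where "coo" is set in the old catalog before the member exists in the new one, as a small Python model. This is an added example, not BIND code and not part of the original messages; the data layout, function names and the z11.aa entry are assumptions made for illustration.

```python
# Simplified model of a catalog-zone consumer's startup decisions
# (constructed example; real consumers key members by unique ID labels).

def load_catalogs(catalogs, order):
    """Process catalogs in `order`; return (owner, log) after startup.

    catalogs: {catalog_name: {member_zone: coo_target_or_None}}
    owner:    {member_zone: catalog_name currently serving it}
    """
    owner, log = {}, []
    for catz in order:
        for zone in catalogs[catz]:
            current = owner.get(zone)
            if current is None:
                owner[zone] = catz                  # first catalog seen wins
            elif catalogs[current].get(zone) == catz:
                owner[zone] = catz                  # coo in the old owner permits the move
                log.append(f"{zone}: ownership changed {current} -> {catz}")
            else:                                   # no coo in that direction
                log.append(f"{zone}: will not be added from {catz}, "
                           f"already in {current}")
    return owner, log


def stale_entries(catalogs, owner):
    """Old-catalog entries whose coo target now owns the zone (cleanup candidates)."""
    return sorted((catz, zone) for catz, members in catalogs.items()
                  for zone, coo in members.items()
                  if coo is not None and owner.get(zone) == coo)


# Constructed data: z10.aa is mid-transfer; z11.aa has coo set in advance only.
CATALOGS = {
    "catz1": {"z10.aa": "catz2", "z11.aa": "catz2"},
    "catz2": {"z10.aa": None},
}

if __name__ == "__main__":
    for order in (["catz1", "catz2"], ["catz2", "catz1"]):
        owner, log = load_catalogs(CATALOGS, order)
        print(order, owner, log, stale_entries(CATALOGS, owner))
```

Both orders end with z10.aa owned by catz2 and z11.aa still served from catz1; only the log line differs, and the catz1 entry for z10.aa is the one reported for removal.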
gss-tsig for zone transfers
Hello,

I have gss-tsig running for authenticating dynamic DNS update requests for a small MIT Kerberos realm, which is working fine. Is it possible to further use gss-tsig for zone transfers instead of shared keys?

Thanks,
Richard
enabling TLS communication between primary and secondary
Hi Team,

I am trying to encrypt all communication between primary and secondary bind servers. There are two tls related configurations

on primary
- listen-on
- also-notify

on secondary
- master block - tls tlsblockname

Is it possible to configure primary so that it listens on tls and also notifies to secondary using tls, like below? If I use this configuration I am getting "named[21834]: loading configuration: failure". Either I can use tls in listen-on or in also-notify, but not in both at the same time.

    listen-on port 853 tls tlsbolckname{ 127.0.0.1; };
    also-notify { 214.7.78.109 port 853 tls tlsblockname; };

Also, how is it possible to configure secondary to listen on port 853 over tls? Because on secondary we can use tls block name with primaries block only and not with listen-on option.

*Best Regards,*
*Vikas Sharma*