Re: Dynamic updates to multiple masters

2023-08-02 Thread Matus UHLAR - fantomas

On 02.08.23 11:53, Shailendra Gautam wrote:

I have four authoritative dns servers, all running in master mode for my
zone for high availability, currently they all pull a static zonefile. I'm
trying to implement dynamic updates but I am wondering if there is any way
to avoid sending an update to each of them, and send the update only once
and it should sync to all 4. Would like to know if anyone has faced this
problem before.


Microsoft's AD supports something like this, the domains are kind of 
synchronized between servers.


As a downside, when using AD server as primary for zones in AD, you can't 
use multiple servers as the zones are often not in sync.


I would either create a hidden primary that would process dynamic updates.
For DNSSEC and inline signing, a hidden primary looks like the best option to me.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
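To make the hidden-primary suggestion concrete, here is an added named.conf sketch (not Matus's configuration, and not from the original thread): one hidden primary accepts TSIG-signed dynamic updates for the zone, signs it inline, and NOTIFYs the four public servers, which then pull it by AXFR/IXFR. Addresses are documentation-range placeholders, the key secrets are placeholders, and the zone name and file paths are assumptions.

```conf
# ---- hidden primary (192.0.2.10; NOT listed in the zone's NS RRset) ----
key "update-key" {                      # used by the single nsupdate client
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";  # placeholder, generate with tsig-keygen
};
key "xfer-key" {                        # protects zone transfers to the public servers
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";  # placeholder
};

options {
    directory "/var/named";
    notify explicit;                    # only the servers below get NOTIFY
    also-notify { 192.0.2.11; 192.0.2.12; 192.0.2.13; 192.0.2.14; };
};

zone "example.com" {
    type primary;
    file "dynamic/example.com.db";
    update-policy { grant update-key zonesub ANY; };   # one update, sent once, lands here
    allow-transfer { key xfer-key; };
    dnssec-policy default;              # named manages keys and signatures itself
    inline-signing yes;                 # unsigned updates in, signed zone out
};

# ---- each of the four public servers (192.0.2.11-14) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";  # same placeholder secret as on the primary
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.10 key xfer-key; };   # the hidden primary
    file "secondary/example.com.db";
    allow-transfer { none; };
    allow-update { none; };             # updates are never accepted here
};
```

With this layout the updater talks to 192.0.2.10 only; convergence of the four public copies is ordinary NOTIFY/IXFR, so a lagging secondary is visible as a lower SOA serial rather than as a lost update.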


RE: TLS Statistics

2023-08-02 Thread Richard T.A. Neal
Hi Florian,

This feature doesn’t yet exist but is tentatively planned for the 9.19.x 
timeframe. You can see more about it here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2748

Best,

Richard.

From: bind-users  On Behalf Of Ritterhoff, 
Florian
Sent: Wednesday, August 2, 2023 7:43 AM
To: bind-users@lists.isc.org
Subject: TLS Statistics

Hello everyone,


we have activated DoT and DoH for a few days. We would like to make a statement 
regarding the use.


Unfortunately, we are currently unable to find any explicit statistics or 
explicit log attribute or similar that would allow conclusions about the use of 
TLS.
Can someone possibly help here?


Best regards
Florian Ritterhoff
--
Florian Ritterhoff - Zentrale IT
Hochschule München University of Applied Sciences
Lothstraße 34, 80335 München, G2.21a
T +49 89 1265-1745



Re: TLS Statistics

2023-08-02 Thread Mark Elkins via bind-users

Seems like an excellent idea.
I've added an additional "Thumbs Up" to the ISC web page linked below. 
Perhaps others might do the same so this already two year old idea can 
be implemented a bit sooner?


On 2023/08/02 10:00, Richard T.A. Neal wrote:


Hi Florian,

This feature doesn’t yet exist but is tentatively planned for the 
9.19.x timeframe. You can see more about it here:


https://gitlab.isc.org/isc-projects/bind9/-/issues/2748 



Best,

Richard.

From: bind-users  On Behalf Of Ritterhoff, Florian

Sent: Wednesday, August 2, 2023 7:43 AM
To: bind-users@lists.isc.org
Subject: TLS Statistics

Hello everyone,



we have activated DoT and DoH for a few days. We would like to make a 
statement regarding the use.




Unfortunately, we are currently unable to find any explicit statistics 
or explicit log attribute or similar that would allow conclusions 
about the use of TLS.


Can someone possibly help here?



Best regards

Florian Ritterhoff

--
Florian Ritterhoff - Zentrale IT
Hochschule München University of Applied Sciences
Lothstraße 34, 80335 München, G2.21a
T +49 89 1265-1745



--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.826010496 
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za 






Re: Dynamic updates to multiple masters

2023-08-02 Thread Fred Morris

You have more than one hypothetical problem there.

On Wed, 2 Aug 2023, Shailendra Gautam wrote:

I have four authoritative dns servers, all running in master mode for my
zone for high availability,


Can you give me the justification for why this was chosen and why it works 
in 100 words or less? I expect at least 50 words each for why it was 
chosen, and why it works. Am I bad with math?


Isn't the DNS Way to secondary zones from a master to achieve this?


I'm
trying to implement dynamic updates but I am wondering if there is any way
to avoid sending an update to each of them


Good luck with that!


Would like to know if anyone has faced this
problem before.


Don't do that if it hurts... but I'm a plumber not a doctor.

You have multiple engineering problems here. You have eschewed the "DNS 
Solution" for zone management (zone transfers). Now you want to adopt the 
DNS Solution for updates (dynamic updates).


I have engineered a solution which switched masters in the case of 
failover and it wasn't too bad, although it required restarting BIND to 
reload the config file so that nodes would know that one of them was the 
new master. There were dynamic updates, although ironically my 
recollection is that the change in config somehow addressed that (it's 
been a few years).


As for the Dynamic Updates Generally problem, have you looked at 
idempotence as a paradigm? With this idea, updates are applied to converge 
with the "ideal image" that the updater holds; hopefully your updaters 
agree on that image, otherwise you have another problem related to 
conflict resolution (or in the parlance: distributed locking).


It's a wonderful world isn't it?

Anyway, the "way out" for us, even though the scenario was in some ways 
different, was idempotence: the updaters would continue to attempt to 
update whatever the master was until it conformed to their ideal image, 
and their ideal image could change in consideration of what the zone held.


--

Fred Morris, internet plumber
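The idempotent updater Fred describes, as an added example (not his code and not from the thread): the updater reads whichever server is currently primary, sends only the delta between what it observed and its ideal image, and repeats until a read shows nothing left to do. The in-memory Zone class and the owner names and addresses are constructed stand-ins for a real primary and an RFC 2136 client; the conditional update mimics a prerequisite section, so a change made by another updater between read and write is rejected and simply re-planned on the next round.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    """In-memory stand-in for one authoritative server (constructed for this example)."""
    rrsets: dict = field(default_factory=dict)  # (owner, rtype) -> set of rdata strings
    serial: int = 1

    def read(self, owner, rtype):
        return frozenset(self.rrsets.get((owner, rtype), ()))

    def update(self, owner, rtype, expected, desired):
        """Conditional replace, like an RFC 2136 update carrying a prerequisite:
        rejected if the RRset no longer matches what the updater observed."""
        if self.read(owner, rtype) != expected:
            return False
        if desired:
            self.rrsets[(owner, rtype)] = set(desired)
        else:
            self.rrsets.pop((owner, rtype), None)
        self.serial += 1
        return True


def plan(observed, ideal):
    """Delta the updater would send: (rdata to delete, rdata to add)."""
    return sorted(observed - ideal), sorted(ideal - observed)


def converge(current_primary, owner, rtype, ideal, max_rounds=10):
    """Read whichever server is primary right now, send only the delta to the
    ideal image, and repeat until a read shows nothing left to change.
    Re-running against an already-conformant zone sends nothing (idempotent)."""
    ideal = frozenset(ideal)
    for _ in range(max_rounds):
        primary = current_primary()          # may be a different server after a failover
        observed = primary.read(owner, rtype)
        deletes, adds = plan(observed, ideal)
        if not deletes and not adds:
            return True
        # A rejected update (zone changed underneath us, or primary switched) is
        # not an error: the next round re-reads and re-plans from the new state.
        primary.update(owner, rtype, observed, ideal)
    return False
```

Conflict resolution between updaters that disagree on the ideal image is deliberately outside the block: two such updaters would ping-pong until `max_rounds`, which is the distributed-locking problem Fred points at.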



Re: TLS Statistics

2023-08-02 Thread Arsen STASIC
Hi,

we stumbled over the same issue and we didn't want to wait for the change
request to be implemented, so we run DoT as a separate process. Running two
or more named processes has a downside if they are operated in recursive
mode: the cache isn't shared and is therefore probably not as hot. This
should also work with DoH by starting a third process.

cheers,
Arsen

* Richard T.A. Neal  [2023-08-02 08:00 (+)]:
> Hi Florian,
> 
> This feature doesn’t yet exist but is tentatively planned for the 9.19.x 
> timeframe. You can see more about it here:
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2748
> 
> Best,
> 
> Richard.
> 
> From: bind-users  On Behalf Of Ritterhoff, 
> Florian
> Sent: Wednesday, August 2, 2023 7:43 AM
> To: bind-users@lists.isc.org
> Subject: TLS Statistics
> 
> Hello everyone,
> 
> 
> we have activated DoT and DoH for a few days. We would like to make a 
> statement regarding the use.
> 
> 
> Unfortunately, we are currently unable to find any explicit statistics or 
> explicit log attribute or similar that would allow conclusions about the use 
> of TLS.
> Can someone possibly help here?
> 
> 
> Best regards
> Florian Ritterhoff
> --
> Florian Ritterhoff - Zentrale IT
> Hochschule München University of Applied Sciences
> Lothstraße 34, 80335 München, G2.21a
> T +49 89 1265-1745
> 
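As an added illustration of Arsen's workaround (not his configuration, and not from the thread): a minimal second named instance that listens on port 853 only, so its own statistics channel and query log count nothing but DoT traffic. The file paths, working directory and statistics port are assumptions; a third copy with `listen-on port 443 tls ... http ...` would do the same for DoH.

```conf
# /etc/named-dot.conf  (assumed path) -- started as:  named -c /etc/named-dot.conf
tls dot-cert {
    key-file  "/etc/named/tls/privkey.pem";      # assumed paths
    cert-file "/etc/named/tls/fullchain.pem";
};

options {
    directory "/var/named-dot";                  # own working dir and pid file,
    pid-file  "/run/named-dot.pid";              # so it does not collide with the port-53 named
    recursion yes;                               # own cache: not shared with the other instance
    # Specifying listen-on replaces the default port-53 listener, so this
    # instance accepts TLS on 853 and nothing else.
    listen-on    port 853 tls dot-cert { any; };
    listen-on-v6 port 853 tls dot-cert { any; };
    # Every counter on this channel is DoT traffic by construction.
    statistics-channels { inet 127.0.0.1 port 8054 allow { 127.0.0.1; }; };
};

logging {
    channel dot-queries {
        file "/var/log/named-dot/queries.log" versions 5 size 50m;
        print-time yes;
    };
    category queries { dot-queries; };           # per-instance query log = DoT-only query log
};
```

Comparing `curl http://127.0.0.1:8054/json/v1` against the port-53 instance's channel gives the DoT share of total queries without any per-transport counter in named itself.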


Re: TLS Statistics

2023-08-02 Thread rainer

On 2023-08-02 08:43, Ritterhoff, Florian wrote:

Hello everyone,

we have activated DoT and DoH for a few days. We would like to make a
statement regarding the use.

Unfortunately, we are currently unable to find any explicit statistics
or explicit log attribute or similar that would allow conclusions
about the use of TLS.
Can someone possibly help here?



In theory, you could probably use bro/zeek to generate these.

I haven't looked at this specifically, but I recently used it to make 
statistics about who still uses TLS 1.0 and 1.1 on our mailservers 
(before we shut it off).



Rainer