IETF Logo Mail Archive

[DNSOP] Differences between one view and two in BIND when slaving a zone

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 22 November 2014 02:12 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E41F1A9231 for <dnsop@ietfa.amsl.com>; Fri, 21 Nov 2014 18:12:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.647
X-Spam-Level:
X-Spam-Status: No, score=-3.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5L3Z8JQ6spNy for <dnsop@ietfa.amsl.com>; Fri, 21 Nov 2014 18:12:08 -0800 (PST)
Received: from proper.com (Hoffman.Proper.COM [207.182.41.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80D691A902A for <dnsop@ietf.org>; Fri, 21 Nov 2014 18:12:08 -0800 (PST)
Received: from [10.20.30.90] (142-254-17-143.dsl.dynamic.fusionbroadband.com [142.254.17.143]) (authenticated bits=0) by proper.com (8.14.9/8.14.7) with ESMTP id sAM2C31q050152 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Nov 2014 19:12:04 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 142-254-17-143.dsl.dynamic.fusionbroadband.com [142.254.17.143] claimed to be [10.20.30.90]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <546E41DF.9050405@dougbarton.us>
Date: Fri, 21 Nov 2014 18:12:02 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <40C65D2E-3DC4-4EAE-A9E3-B378806569A1@vpnc.org>
References: <20141117071250.GA55492@isc.org> <546A73B6.2060005@dougbarton.us> <20141117225045.GA35924@isc.org> <546A873F.8060402@dougbarton.us> <546E2287.7080909@dougbarton.us> <DCE8D121-A9D7-40A6-9567-39DF6811A50F@vpnc.org> <CA+nkc8A2nnMWfOt=8w0waG0BDpR=qRBjB098fzDaU31Cv4fJ5Q@mail.gmail.com> <CF7CA3A5-6C2A-459C-8DFB-32DC3807DADE@vpnc.org> <CA+nkc8CpPvtvFqnnoTun5qds7H_nxTft2umFwznaZ2C7_-QQkg@mail.gmail.com> <546E3D66.6090402@dougbarton.us> <20141120192713.GB55365@isc.org> <546E41DF.9050405@dougbarton.us>
To: IETF DNSOP WG <dnsop@ietf.org>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/dYdSu3C15PVHO_shM86yxv0x-6k
Cc: Evan Hunt <each@isc.org>
Subject: [DNSOP] Differences between one view and two in BIND when slaving a zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 02:12:10 -0000

Clearly, different people view the "advantages" and "disadvantages" separately. The wording below tries to make the comparisons neutral while still fully stating what the differences are. Note that I made this wording specific to BIND: when we have other multi-view servers  in the examples, I'll write specific wording for them. Is the following (re-)wording correct and complete? 

==========
BIND handles both DNSSEC validation and caching of changed authoritative information differently depending on the whether the configuration is to use two separate views (one for the authoritative zone, one for recurison) or to use the same view for both servers.

Validation:
When using separate views, the DS records in the slaved zone will be validated as the zone is refreshed or updated. When using the same view, this validation does not occur for the slaved zone.

Caching:
When using separate views, the recursive server will cache all of the queries it looks up, just as it would using the traditional root hints method. Thus, as the zone in the other view is refreshed or updated, changed information will not appear in the recursive server until the TTL of the old record times out; currently the TTL for DS and delegation NS records is two days. When using the same view, as the zone is refreshed or updated, all zone data in the recursive server will be updated as soon as it receives its copy of the zone.
==========

--Paul Hoffman

v2.31.3 | Report a Bug | By Email | System Status