[nsd-users] Feature request: nsd-control

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Apr 8 07:58:51 UTC 2014


Hi Mauro, Johan,

On 04/06/2014 11:42 PM, Johan Ihrén wrote:
> Hi,
> 
> On 05 Apr 2014, at 00:36 , Mauro Trajber <mauro at registro.br>
> wrote:
> 
>> I work at NIC.br and I'm implementing NSD support on DNSSHIM (our
>> secure hidden master). In order to add and remove zones
>> dynamically we use tools like rndc and nsd-control, which fit
>> perfectly. We already have bind support and NSD support is almost
>> done.
>> 
>> But on a Master-Slave architecture using NSD as slaves and
>> nsd-control to add and remove zones it's impossible to find out
>> when a zone already exists. The remote controller (nsd-control)
>> only returns success or failure. It would be nice if it returns
>> something like "zone already exists" messages, that would make it
>> easier to know if the master can retry later or not.
> 
> I agree with the need for this.
> 
> I remember that Stephane and I and some others discussed similar
> things a couple of weeks ago and one of the issues that came up was
> the "non-atomicity" of adding (and removing) zones from masters and
> slaves. I haven't looked at your patch, but based on the prior
> discussion I wonder whether what we would really need is
> 
> a) a "test" operation, to check whether a zone is configured or
> not, i.e.
> 
> nsd-control testzone foo.example
> 
> with some reasonable semantics for return values.

The 'zonestatus example.com' command may be just what you are looking for.

> 
> b) a "test-and-set" operation. This we sort of already have, in the
> sense that "addzone" will not add a zone if it is already there
> (but as you point out, on error we don't know what really
> happened). So to make it a more useful test-and-set the return
> values should be sorted out, which is what your patch is about.
> 
> I'd like (a) to be able to "scan" my slaves to verify that there
> are no inconsistencies in the configured zones, and if there are,
> then I want to use (b) to fix them.

Yes, some sort of consistency report is useful.  I have implemented a
different patch that prints if the zone already exists.  (I did not
want to modify rbtree_insert).

Best regards,
   Wouter

