We have a home grown tool that we use to manage our IPAM for DNS, DHCP
and other bits and pieces in the university. Unfortunately, the tool
does not support IPv6 IPAM in which the university is moving forward
to. We have thought of updating the tool but based on cost, time,
efficiency, support and maintenance; it would be best to find a tool on the
market that would meet our requirements.
I am posting on this mailing list to ask for suggestions or referrals on
an IPAM Tool that would meet the following requirements:
1. DHCP and DNS IPv4 Compliance
2. DHCP and DNS IPv6 compliance.
   a. Able to manage stateless addresses.
   b. Able to manage stateful addresses.
3. API
4. Support
Your help would be mostly appreciated.
Best regards,
Mark
Take a look at Men & Mice Suite.
http://menandmice.com
1. Men & Mice Suite supports DNS, DHCP, and IP Address Management for
IPv4. It supports ISC's BIND and DHCP services, and more.
2. Men & Mice Suite supports DNS management for IPv6. Support for DHCP
and IP Address Management for IPv6 will be available in Q2 of this year.
3. API: Yes
4. Support: Yes
If you want to discuss it, please contact me off-list.
Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbu...@menandmice.com
www.menandmice.com
Men & Mice
We bring control and flexibility to network management
This e-mail and its attachments may contain confidential and
privileged information only intended for the person or entity to which
it is addressed. If the reader of this message is not the intended
recipient, you are hereby notified that any retention, dissemination,
distribution or copy of this e-mail is strictly prohibited. If you
have received this e-mail in error, please notify us immediately by
reply e-mail and immediately delete this message and all its attachment.
i did
and it ruined my configuration,
all my named.conf entries were removed and replaced into different
folders.
is there any reason ?
> This e-mail and its attachments may contain confidential and
> privileged information only intended for the person or entity to which
> it is addressed.
sorry that i read this email , i erase it instantly;)
regards
another marc
--
"Imagination is more important than
Knowledge".
Marc Manthey - Hildeboldplatz 1a
D - 50672 Köln - Germany
Tel.:0049-221-3558032
Mobil:0049-1577-3329231
jabber :ma...@kgraff.net
web: http://www.let.de
https://stattfernsehen.com
Josh
We use Men and Mice and last time I checked DHCP was supported on
Windows (Microsoft's DHCP) but not ISC's DHCP services... We bought the
DNS/IP/DHCP modules to manage everything from one place (that was
version 5.0), but found out we couldn't use the DHCP management module
because it was only for Microsoft Windows DHCP service and we use
ISC's... Now it is specified on your web site but not when we bought...
Denis Laventure
This is really not a topic for the BIND Users list, so if you want to
reply, please do so off-list.
We've just added support for ISC DHCP, starting in version 5.7. It's
so recent that our website hasn't even been updated yet for the new
version, but if someone wants ISC DHCP support in Men & Mice Suite,
the installers are available already on the FTP server.
Chris Buxton
On 3/3/08, Mark Pagulayan <m.pag...@auckland.ac.nz> wrote:
> Hi Guys,
>
> We have a home grown tool that we use to manage our IPAM for DNS, DHCP
> and other bits and pieces in the university. Unfortunately, the tool
> does not support IPv6 IPAM in which the university is moving forward
> to. We have thought of updating the tool but based on cost, time,
> efficiency, support and maintenance; it would be best to find a tool on the
> market that would meet our requirements.
>
> I am posting on this mailing list to ask for suggestions or referrals on
> an IPAM Tool that would meet the following requirements:
>
> 1. DHCP and DNS IPv4 Compliance
> 2. DHCP and DNS IPv6 compliance.
>    a. Able to manage stateless addresses.
>    b. Able to manage stateful addresses.
> 3. API
> 4. Support
>
> Your help would be mostly appreciated.
>
> Best regards,
> Mark
--
Larry Fahnoe, Fahnoe Technology Consulting, fah...@FahnoeTech.com
952/925-0744 Minneapolis, Minnesota www.FahnoeTech.com
> I've been happy with DNSone from Infoblox http://www.infoblox.com/. It
> is robust and easy to use. Since it is an appliance based solution it
> may be a bit of a departure from what you are currently using, but it
> will interoperate with stock bind servers. I replaced my bind and ISC
> dhcp servers with the Infoblox solution and haven't looked back.
> --Larry
can those who use ip address management tools rather than raw BIND9 servers
state some of their requirements here, so that we can make plans for BIND10?
--
Paul Vixie
Thanks,
Mark
-----Original Message-----
From: bind-use...@isc.org [mailto:bind-use...@isc.org] On Behalf Of Paul Vixie
Sent: Tuesday, March 04, 2008 11:46 AM
To: bind-...@isc.org
Subject: Re: IP Address Management Tool (IPAM) for DNS and DHCP
> BIND-DLZ looks highly desirable as an augmentation to a DNS management
> tool (by that, I mean a database with DNS information could be seamlessly
> tied to BIND servers.) However, is that part of the standard
> distribution now, or would it need integration (and optimization) to work
> its way into BIND 10?
to the best of my knowledge, DLZ is a standard feature in late model BIND9.
equivalent functionality will almost certainly find its way into BIND10 (but
i hope we have hot-spot caches with SQL-triggered invalidation, and i hope we
can accept RFC2136 updates and back-propagate them into SQL, both of which
prevent me from running DLZ on my own zones.) we (ISC) love that BIND9 is
seen as a general DNS protocol engine for other folks' DNS storage systems.
what i'm looking for in this thread, though, is management features like
clustering, XML-based config, better support for GUI, or other reasons why
people aren't running raw BIND9 and instead pulling in something like
InfoBlox, M&M, etc. how can BIND10 better support this functionality, and/or
better support these vendors, than BIND9 does?
--
Paul Vixie
I would submit that IPAM solutions help manage IP address and name spaces, as well as producing outputs (named.conf and zone files, in the case of BIND) to support DNS resolution.
IP address and name spaces could be seen, perhaps, as "inventory" of two types of network resource. While BIND 10 could be augmented to support inventory functions, one would want to be careful in how tight a coupling one makes between the two, and whether it would weigh BIND down in the process.
I would certainly like to see XML-based configurations. Many API's support XML output now, and conversely, can read XML input.
True, BIND provides validation as a "protocol engine", as it's harder to write an RFC "rules engine!" :)
Mark
-----Original Message-----
From: bind-use...@isc.org [mailto:bind-use...@isc.org] On Behalf Of Paul Vixie
Sent: Tuesday, March 04, 2008 12:09 PM
To: bind-...@isc.org
Subject: Re: IP Address Management Tool (IPAM) for DNS and DHCP
--On Tuesday, March 04, 2008 19:09:02 +0000 Paul Vixie <Paul_...@isc.org>
wrote:
>
> what i'm looking for in this thread, though, is management features like
> clustering, XML-based config, better support for GUI, or other reasons why
> people aren't running raw BIND9 and instead pulling in something like
> InfoBlox, M&M, etc. how can BIND10 better support this functionality,
> and/or better support these vendors, than BIND9 does?
Paul,
That depends on what you mean by "running raw BIND9". Our IPAM system
(Carnegie Mellon's NetReg, previously mentioned) serves as a management
system for maintaining both the configuration and data of our BIND servers.
I can't imagine trying to maintain multiple server groups, with hundreds of
zones and thousands of records by hand. But NetReg does much more than
just manage BIND. (For some details I won't go into here, see
http://netreg-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/BeyondNetReg)
There are many features that belong in an IPAM system that are outside of
scope for BIND. Features like:
- What IP space do I own, how is it subnetted, how utilized are those
subnets? (See http://www.net.cmu.edu/netreg/newpics/netreg-subnet-map.png
and http://www.net.cmu.edu/netreg/newpics/netreg-subnet-utilization.png )
- Who is responsible for machine X, or what machines does user Y control.
- Integration with non-BIND systems (dhcpd, RADIUS, incident tracking,
vulnerability scanning, PKI systems (for WPA2 / VPN), etc.)
Some things which could fall within scope for BIND include:
- Flexible fine-grained permissions for things like "Who can register
machines in domain X", "Who can request specific IP addresses for machines
in subnet X", "Who can create records of certain types in domain X", "Who
can create records with specific names in domain X"
Some features that would be beneficial in BIND10 for use by an IPAM system:
- dynamic configuration modification. add new zones programmatically.
- redundant master servers for dynamic updates
-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University
1) The ability to allow a reasonably trained person able to edit,
change, undo changes in a clearly defined methodology that can be
audited for some overall reason (ITIL for example). I need to make
sure that Joe who just got out of high school (or 2 year associates or
whatever is a minimal level of IT training these days) and has had a
couple of weeks of local IT training of what is allowed and not
allowed can enter and remove entries. I also need for it to make sure
he doesn't make mistakes.
2) The ability to limit such trained people to their sand-boxes. Joe
can edit with xy.zzy.com sub-zone but not plugh.zzy.com.
3) The ability to tie DNS and DHCP together. When he adds
dwarf.xy.zzy.com it is able to create an associated entry in DHCP or
tell him that he can't add it because the zone is full with DHCP.
4) The ability to make reports for auditing purposes and projections.
In the case where I have existing report tools.. the ability to export
what data I need out in csv etc format.
5) The ability to report issues via SNMP or similar tools to give
alerts on DHCP zones full, or
the level of expertise of the person entering and editing data should be lower.
6) The ability to script commands in a 'higher' level language so that
items can be automated to business methods. Shipping gets computer,
puts on rfid/etc tag on computer and enters whatever data about the
system into database. When local systems admin gets the computer, they
then enter MAC/owner/etc and the data is all able to 'tracked'
together. While DNS is not the place to store all of it.. being able
to script that when I click on this web page, a DHCP item(s) and a DNS
item(s) are done quickly because the data can be injected via a
scripting ABI is good. [And the same for the opposite.]
I think that is about the major things..
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
....well, whatever you do to BIND, please keep it open and flexible.
A good API, accompanied by some starter code, would be nice....not
that I might personally do any coding any more.
By the way, we use "IP Control" from "BT - Diamond IP," and it works very
well with ISC BIND and ISC DHCP.
--
Gordon A. Lang
----- Original Message -----
From: "Paul Vixie" <Paul_...@isc.org>
To: <bind-...@isc.org>
Sent: Tuesday, March 04, 2008 2:09 PM
Subject: Re: IP Address Management Tool (IPAM) for DNS and DHCP
Thanks for the answers and interesting notes that you posted in this
forum.
I got some interesting solutions that I will be looking upon in the
following days.
Best Regards,
Mark
-----Original Message-----
From: bind-use...@isc.org [mailto:bind-use...@isc.org] On
Behalf Of Gordon A. Lang
Sent: Wednesday, 5 March 2008 10:14 a.m.
To: bind-...@isc.org; Paul Vixie
Subject: Re: IP Address Management Tool (IPAM) for DNS and DHCP
Btw, when is NSEC3 being integrated?
Thx
/Jonathan
More intelligent dual-master support where 2 masters could sync up and
talk to each other natively.
> Revision control (fallback with dyndns or similar)
>
> Btw, when is NSEC3 being integrated?
>
> Thx
>
> /Jonathan
i think you mean what some people call "multi-master". i'm intrigued by your
characterization of it as "native", though. isn't it the case that if two or
more servers could automatically synchronize their list of zones, and the
content of those zones, based on some kind of clustering commandments by the
installer/operator, that you wouldn't mind if this were done in an open,
standard, interoperable way, perhaps based on features from RFCs 1035, 1995,
1996, 2136, 2671, and 2845?
that is, you're not actually counting on the synchronization method being
private to BIND, as long as it doesn't require endless config file jiggering,
happens mostly in the background and mostly painlessly?
> > Revision control (fallback with dyndns or similar)
something like "rndc revert vix.com 2008030603" to discard all zone changes
to vix.com since serial number 2008030603?
> > Btw, when is NSEC3 being integrated?
i suspect it's 9.6.0 fodder. would NSEC3 change your life in some way, like,
make you willing to deploy DNSSEC, meaning, you want to deploy DNSSEC but you
can't until you get NSEC3? if so that's very useful information and i urge
you to tell us more.
> By the way, we use "IP Control" from "BT - Diamond IP," and
> it works very well with ISC BIND and ISC DHCP.
>
> --
> Gordon A. Lang
Ditto. It met our requirements and I liked the ability to use "stock"
ISC products.
Thank you,
--
Ralph F. Bischof, Jr.
UNITeS/SAIC IT Security
NASA Agency DNS and IPAM
Desk: (256) 544-3982
Cell: (256) 682-9145
PGP Key - http://pgpkeys.hq.nasa.gov
I would like to obtain information where to set the bind9 to do the reverse of a network
/20 mask 255.255.240.0 and
/18 mask 255.255.192.0
See what we have done, and details of the problem:
Configured to bind to the other side for a network / 20
(X.X.48.0/20), but it did not work,
For the resolution of the same and work, divided into various networks / 24,
Tried on the net, the site of the bind (http://www.isc.org/sw/bind/add-doc.php)
And in my draft of the course, but not thought much about it,
For configuration I
Named.conf put in the following way
zone "48-63.168.192.in-addr.arpa" {
        type master;
        file "/var/named/48-63.168.192.in-addr.arpa.zone";
};
But not satisfied,
After initial changed to ip / masks and also not satisfied
zone "48-20.168.192.in-addr.arpa" {
        type master;
        file "/var/named/48-20.168.192.in-addr.arpa.zone";
};
And the files of zones are thus:
$TTL 86400
@       IN      SOA     XXXXXXXXX. root.XXXXX. (
                        2008030406 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        2592000    ; Expire
                        86400 )    ; Minimum
@       IN      NS      ns2.XXXXXXX.
@       IN      NS      ns3.XXXXXXX.
1.48    IN      PTR     192-168-48-1.cliente.com.br.
2.48    IN      PTR     192-168-48-2.cliente.com.br.
3.48    IN      PTR     192-168-48-3.cliente.com.br.
...
...
...
253.63  IN      PTR     192-168-63-253.cliente.com.br.
254.63  IN      PTR     192-168-63-254.cliente.com.br.
255.63  IN      PTR     192-168-63-255.cliente.com.br.
Used to test
$ dig -x ip @ns
$ host ip
--
Mauricio Rabello
Network Analyst
<----------------->
Interjato: the only provider in RN with a Virtual Disk in E-mail
Subscribe now! 4008-4000
Just set up the 16 reverse zones that make up the /20.
> /18 mask 255.255.192.0
Just set up the 4 reverse zones that make up the /18.
RFC 2317 is for /25 - /32. It was designed to alleviate the
need to create up to 128 zones, along with their delegations,
each of which was like:
@ SOA <soa details>
@ NS <server1>
@ NS <server2>
@ PTR <name>
RFC 2317 gives you 1 zone for up to 128 hosts rather than
1 zone per host.
For /17-/24 you have 1 zone per 256 hosts with traditional
delegation.
For /9-/16 you have 1 zone per 65536 hosts with traditional
delegation.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
Just set up the 64 reverse zones that make up the /18.
Whatever you do, don't aspire to be like Infoblox and rule the Network
Information roost with the GUI to end all GUIs. Managers crave
integration and one-stop-shopping and big fat GUIs with blinking
lights and service contracts and, of course, pie charts. But even
with appliances that run BIND under the hood, like Infoblox, this tidy
arrangement comes with a terrible cost to the admins who are tasked
with running the show.
In a nutshell, you are limited by whatever capabilities the appliance
company has seen fit to provide. Allow-query-cache? No, not for you.
Named-xfer? Great Scott, what do you want that for! $GENERATE? Get
lost. What zones have the IP address in their rdata? Who knows! I
could go on, but suffice it to say, we finally convinced our managers
to return to the straight-BIND fold after two years of pulling our
hair with Infoblox. Praise be.
I should say that, to their credit, Infoblox does a lot of neat things
and I can imagine being in certain situations where I might recommend
it for my employer or client; it just doesn't do straight DNS very
well. But what I would like to see most from BIND is a sustained
commitment to RFC compliance and configuration simplicity. One thing
that would help in the latter regard is a tighter marriage with
BIND-DLZ, which we are currently trying to get working with a MySQL
backend. Our named.conf looks horrific and there seems to be an
absence of best practices and advice in the overlap area between BIND
and BIND-DLZ.
--
--Greg Chavez
I suspect that, even though no one has mentioned it, IPv6 address space
will be a big problem for most people, mainly figuring out what the
reverse addresses look like, how to set up the zones correctly and
creating proper forward addresses, etc. Getting it right will be a
*big* issue.
Danny
I would like obtain information where to set the bind9 to do the reverse of a network
/20 mask 255.255.240.0 and
/18 mask 255.255.192.0
E.g
48.168.192.in-addr.arpa delegated from 168.192.in-addr.arpa
49.168.192.in-addr.arpa delegated from 168.192.in-addr.arpa
50.168.192.in-addr.arpa delegated from 168.192.in-addr.arpa
and so forth, through
63.168.192.in-addr.arpa delegated from 168.192.in-addr.arpa
- Kevin
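The following Python is an added example, not code from any poster in this thread: it lists the per-/24 reverse zones that the replies above say make up a /20 or /18, emits a named.conf stanza for each, and goes a little further by also handling IPv6 on nibble boundaries (ip6.arpa). The function names are hypothetical, and the /var/named/<zone>.zone file layout is an assumption borrowed from the question.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the reverse zones, cut on label boundaries, that cover cidr.

    IPv4 labels are octets (in-addr.arpa); IPv6 labels are nibbles (ip6.arpa).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        bits, suffix = 8, "in-addr.arpa"
        if net.prefixlen > 24:
            # Smaller than one octet: this is the RFC 2317 case, not handled here.
            raise ValueError(f"{cidr}: longer than /24, use RFC 2317 instead")
    else:
        bits, suffix = 4, "ip6.arpa"
    labels = -(-net.prefixlen // bits)  # prefix length rounded up to whole labels
    zones = []
    for sub in net.subnets(new_prefix=labels * bits):
        if net.version == 4:
            parts = str(sub.network_address).split(".")[:labels]
        else:
            parts = list(sub.network_address.exploded.replace(":", "")[:labels])
        zones.append(".".join(parts[::-1] + [suffix]))
    return zones


def ptr_owner(address, zone):
    """Owner name of the PTR record for address, relative to zone."""
    full = ipaddress.ip_address(address).reverse_pointer
    if not full.endswith("." + zone):
        raise ValueError(f"{address} does not belong in {zone}")
    return full[: -len(zone) - 1]


def named_conf(cidr, zone_dir="/var/named"):
    """One master zone stanza per reverse zone (zone_dir is an assumption)."""
    return "\n".join(
        f'zone "{z}" {{\n\ttype master;\n\tfile "{zone_dir}/{z}.zone";\n}};'
        for z in reverse_zones(cidr)
    )


if __name__ == "__main__":
    # Constructed sample input matching the /20 asked about in the thread.
    zones = reverse_zones("192.168.48.0/20")
    print(len(zones), "zones:", zones[0], "...", zones[-1])
    print(named_conf("192.168.48.0/20").split("};")[0] + "};")
    # Inside 63.168.192.in-addr.arpa the owner is "254", not "254.63".
    print(ptr_owner("192.168.63.254", "63.168.192.in-addr.arpa"))
    # Constructed IPv6 sample: a /30 rounds up to four /32 nibble zones.
    print(reverse_zones("2001:db8::/30"))
```

Each zone file then carries single-label owners (1 through 255) rather than the two-label owners (1.48, 254.63) used in the combined zone file from the question.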
> RFC 1918 is really only applicable to delegations smaller than a
> /24.
You mean RFC 2317?
(Been doing too much NAT stuff lately, it's affecting my brain)
- Kevin
---------- Original Message -----------
From: Kevin Darcy <k...@chrysler.com>
To: bind-...@isc.org
Sent: Tue, 11 Mar 2008 17:04:37 -0500
Subject: Re: Bind9 - Reverse net /20 mask 255.255.240.0