Re: BIND requirement ???



On Mon, 2006-05-08 at 23:54 +0200, jth.net wrote:
> http://www.gnome.org/projects/NetworkManager/developers/design_goals.html
> 
> "NetworkManager should not be doing things users don't expect."
> 
> Nevertheless the installation in Fedora Core 5 destroyed my custom BIND
> installation by pulling it in as a prerequisite in spite of the fact that BIND
> was not installed according to the RPM base.
> 
> Why a product like this needs a DNS server installed locally is beyond me.

And here's why:  the glibc resolver and nscd aren't flexible enough to
do split DNS and other fancy stuff.  And the glibc guys (who also do
nscd) have said that they are not going to add that fancy stuff either.
Which is fine; but that means that you either (a) run a local caching
nameserver, or (b) not use the fancy stuff.

The fancy stuff right now includes "split DNS" and is mainly for the VPN
support.  Here, _only_ queries for the domain that your VPN is for will
go to the VPN's nameserver.  All other queries will continue to go to
your normal, non-VPN nameserver.  glibc simply cannot do this.

The other problem is that more than a few applications out there don't
expect the nameservers to change.  Unfortunately, this happens _every
time_ you switch networks, wireless or wired.  The application must
explicitly execute the res_init() function to re-read /etc/resolv.conf,
otherwise they will not notice changes.  This leads to applications that
must be quit and re-launched before they can do anything after a network
change has occurred.  A local caching nameserver doesn't have this
problem, since every application thinks the nameserver is 127.0.0.1, all
the time.

Furthermore, if we're going to need a local caching nameserver, it might
as well be one that's (a) well understood, (b) widely used, and (c) has
fast response time to security issues.  More than that, the local copy
of bind isn't even running with any ports open on any interface other
than 127.0.0.1.  Yes folks, that means that only processes on the
_local_ machine can talk to the local caching nameserver.  No other
computer, even on your LAN, can talk to it because it's not serving on
any interface other than "lo0".

As a side note, just don't run BIND if you hate it.  Yes, there's the
RPM dependency.  But that's not likely to go away in Fedora soon.  NM
will dynamically switch between a running BIND and
plain /etc/resolv.conf based on whether or not the 'named' process is
running.

Dan
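
One way to verify the loopback-only claim above on a Linux host, as an added example (not part of the original message or of NetworkManager's code): it parses the /proc/net/tcp and /proc/net/udp table format and reports any port 53 listener bound to a non-loopback address. The sample tables are constructed, and the address decoding assumes a little-endian host such as x86.

```python
import ipaddress

# Constructed sample tables in /proc/net/tcp and /proc/net/udp layout (not from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    25        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0100007F:0035 0100007F:C350 01 00000000:00000000 00:00000000 00000000    25        0 33333 1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 44444 2
   1: 0A01A8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 55555 2
"""

def decode_addr(hex_addr):
    """Turn the kernel's hex address (8 chars IPv4, 32 chars IPv6) into an ip_address."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order; reverse it (little-endian assumed).
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(fixed)

def dns_listeners(table_text, listen_state):
    """Return the local addresses of port 53 sockets in the given state."""
    found = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == 53 and fields[3] == listen_state:
            found.append(decode_addr(addr_hex))
    return found

def exposed_dns(tcp_text, udp_text):
    """Port 53 listeners reachable from off-host: anything not bound to loopback.
    TCP state 0A is LISTEN; an unconnected (bound) UDP socket shows state 07."""
    addrs = dns_listeners(tcp_text, "0A") + dns_listeners(udp_text, "07")
    return sorted({str(a) for a in addrs if not a.is_loopback})

if __name__ == "__main__":
    for addr in exposed_dns(SAMPLE_TCP, SAMPLE_UDP):
        print("DNS listener on non-loopback address:", addr)
```

On a real host, pass the contents of /proc/net/tcp and /proc/net/udp (and the tcp6/udp6 tables) instead of the samples; a wildcard bind such as 0.0.0.0 is reported because it covers every interface.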




