Their prices are way too high for simply tracking IPs/Prefixes in a database which is all we really need it for. We spoke with Infoblox about an IPAM system as well. My past experience with BlueCat has been less than stellar. Plus you get the ability to tag up metadata which is good to recall why something was done. I prefer Infoblox but both can administrate BIND and Microsoft DNS servers. Do yourself and everyone that comes after you a favor and invest in a legit IPAM solution from either Infoblox or BlueCat. > Depending on the size of your organization, editing zone files to add/remove resource records by hand is a painful existence if there are daily changes. This is what we were currently planning on as the current setup does not have the master in the zone itself. > Using a hidden master either for external or internal or both is a good plan to defend against cache poisoning (we do) but only enable DNSSEC on your external zone(s). Simply telling someone to chunk it and not have any experience with it is a little misguided IMO. Since it sounds like you have not had much experience with it, I urge you to check it out should you have anything in your environment that could benefit from automation. It has not once done anything we have not told it to do on any platform we have tested it on, plain and simple. > In the absence of more detailed design goals I would recommend that you all chunk the ansible plan and go with what works and is proven. Ansible does work and has been proven in our environment over the course of several months' use starting in the lab and then moved to production. I honestly couldn’t tell you either way as I have not even begun to start to dive into DNSSEC. They don't know what they are talking about. When I read that they called DNSSEC an authentication method I checked out. And bind itself on each server is 9.(9-11) which are also EoL so we need to get these up to date and spec.
The problem is that they are running on CentOS 5/6 which is no longer maintained. They have been good for the organization so far which is why we are staying with bind. (slightly different phrasing) What problem does this plan solve? Assuming the existing DNS servers are doing the job for the organization and running the current BIND release why change? It works well, is very extendable, and also has a very good active developer community being Red Hat folks maintain it. We have also test driven it for all of our network infrastructure (originally a network architect), Linux server instances, and hypervisor clusters. Ansible was chosen because I have reviewed the source code for most of it as it was written in Python which is something I understand. We are starting to automate everything in our network that makes sense to automate. Why is the decision being made to go with a "solution" using ansible? Is it because software devs are being asked to do double duty as DDI admins? I know that "devops" is what all the cool kids are talking about these days but are you all honestly willing to trust a core infrastructure to automation? Any defaults that are not wanted/needed will be overridden with exactly what we want. I am well aware of all of the under the hood components and have reviewed this entire role for exactly what it does under the hood, so no worries there. However with ansible, I would put myself closer to an expert as I have written a couple of my own modules for the lack of it being included in the base modules of ansible. The laws of unintended consequences apply. What is your/team's plan B to fix this type of ansible environment should it get horked up? There is a ton of stuff that is being configured for you all under the hood and by your own admission you're a novice.
Securing bind in todays hostile environment