Best practices, relative numbers of masters, slaves, caching only servers?

Jim Reid jim at rfc1035.com
Tue Jul 6 22:15:29 UTC 2004


>>>>> "Joe" == Joe Bloggs <JBloggs at acme.com> writes:

    Joe> Can anyone here offer comments/suggestions in re what's
    Joe> considered best practice, in re relative numbers of masters,
    Joe> slaves, caching-only servers?

    Joe> We have three sites across the country, and a small number of
    Joe> systems (30-40).  The DNS is for internal use only.

    Joe> But we could possibly have extended outages on the site to
    Joe> site links, and/or reasons to take systems offline for long
    Joe> periods.

    Joe> Would one (or 2) masters at each site (the rest slaves) work best?

    Joe> Any disadvantage/advantage to making all systems which are not
    Joe> the masters into slaves?

    Joe> Or conversely, apart from the masters, perhaps configure just
    Joe> a few slaves at each site, with the rest caching-only.

    Joe> Or, if we're talking small numbers of systems (30-40), does it
    Joe> matter much?
 
It's impossible to answer these questions meaningfully from the data
you've provided. RFC2182 gives valuable information on server
placement and name server operations. You should pay attention to
RFC2870 too. Although that's aimed at Internet root servers, this has
lots of advice that should be applied to any important (authoritative)
name server.

After reading these RFCs, you should ask yourself questions like "what
is the business and service impact of DNS downtime?", "what are the
threats to reliable DNS service in my organisation and what defensive
measures are in place to counteract them?", "how reliable are the
internal and external links at each location?", "is there a naming
standard?", "who needs to update zone data and how do they do this?",
"how is the DNS administration going to be operated and supported?",
"who's responsible for fixing problems (at each site)?" and "how
quickly should changes be propagated?". The answers will help you to
decide how your DNS infrastructure should be organised.

As a general rule, you should make all your name servers authoritative
for every zone in your organisation (within reason). Authoritative
servers should be separated from caching-only servers. Recursive
service on the caching-only servers should only be provided to local
IP addresses. And of course forwarding set-ups should be avoided at
all costs.

Bear in mind the advice you get here is worth exactly what you pay for
it. [Including this message.] So it might be an idea to get a clueful
consultant in to go through all this stuff and come up with a set of
recommendations. That investment now could save a lot of pain and real
money later.
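As an added illustration of the separation Jim describes (authoritative servers kept apart from caching-only ones, recursion offered only to local addresses, no forwarding), here is a BIND 9 named.conf sketch. It is not from the original message or from BIND's documentation; the zone name, the RFC 1918 prefixes and the server addresses are assumed.

```conf
// ---- named.conf on a CACHING-ONLY host (one or more per site) ----
// Holds no zone data; answers recursive queries for internal clients only.
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };  // assumed internal prefixes

options {
    directory "/var/named";
    recursion yes;
    // Weak setting to avoid: allow-recursion { any; };  (an open resolver)
    allow-recursion { internal; };   // recursion for local addresses only
    allow-query     { internal; };
    allow-transfer  { none; };       // nothing here to transfer
    // Deliberately no "forwarders" clause: resolve iteratively instead of forwarding.
};

// ---- named.conf on an AUTHORITATIVE host (separate machine) ----
// Serves every internal zone, never recurses, transfers only to known peers.
acl internal  { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // assumed, same as above
acl dns_peers { 10.1.0.53; 10.2.0.53; 10.3.0.53; };         // assumed servers, one per site

options {
    directory "/var/named";
    recursion no;                    // authoritative only; refuses recursive lookups
    allow-query    { internal; };
    allow-transfer { dns_peers; };   // zone transfers restricted to the organisation's servers
    notify yes;
};

// On the master for the zone:
zone "corp.example" {                // assumed zone name
    type master;
    file "corp.example.zone";
    also-notify { 10.2.0.53; 10.3.0.53; };   // push change notices to the other sites
};

// On every other authoritative server (each site stays authoritative
// even if the inter-site links are down):
// zone "corp.example" {
//     type slave;
//     masters { 10.1.0.53; };
//     file "slave/corp.example.zone";
// };
```

Check each host with `named-checkconf` after editing, and confirm from an external address that the caching-only server refuses recursion while the authoritative server still answers for its zones.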
