Issue or best practice with resolution via hardware load balancer

MAILER-DAEMON at eu.uu.net
Thu Mar 25 10:53:27 UTC 2004


Hi

I'm looking for some info regarding a scenario I've recently been given.
Apologies if part of the question is regarding Windows 2000 DNS, but it's
really the BIND implementation I want to get right, and where the question
really is.

The DNS infrastructure is run on a hybrid environment - the top of the
internal hierarchy is run on BIND (on Solaris) v8.2.3. The main domain used
by most devices (desktop and mid-tier servers) is in a delegated domain run
on Windows 2000 AD-integrated DNS.

The top-level DNS domain is also partially delegated (the _ AD zones that
tend to be required for an AD domain to be happy), largely for historical
reasons (implemented before the main DNS infrastructure was on BIND
revisions supporting dynamic updates and SRV records). The top-level /
placeholder AD domain is also at the top level of the DNS space, but these
AD machines aren't authoritative for all of that domain.

We also use hardware load balancer devices that provide access to redundant
app (web) servers. These hardware load balancers actually do the pseudo-name
resolution for the host names used for the servers. These devices are all,
really, in the top-level DNS domain.

To achieve this, so far, delegation records have been added to the top level
DNS domain, for names resolved by the hardware devices.

So for example, if the top level is acme.com, then servers notionally known as
webname1 are dealt with thus:

webname1 IN NS lb1.acme.com.
webname1 IN NS lb2.acme.com.

And as lb1 and lb2 are valid hosts within acme.com, they also have A
records.

However, webname1 isn't truly a domain - it's only used as a host record,
but when resolved, returns a valid, dynamically resolved address record via
lb1 or lb2 - when queried from the top-level domain acme.com.

This configuration is something of a fait accompli at the moment, so I'm
trying to establish whether it's valid or not.

The problem being that most of the internal hosts are on the sub DNS domain
(eg corp.acme.com), which is delegated to Windows 2000 DNS run in an
AD-integrated DNS infrastructure. This DNS domain (corp.acme.com) is set to
forward to acme.com (and as it's Windows 2000, it won't deal with
conditional forwarding). And in turn, acme.com forwards to our ISP's DNS
servers.

When requesting the same name (webname1) from corp.acme.com I just get
timeouts. If I specify to request NS records, I get the correct resolution,
but A record resolution doesn't happen - yet it does if I request using the
top-level DNS domain and its DNS servers.

So to get to the crux of my question, I'm not convinced that it's truly a
valid configuration to delegate what really is only a host as a domain
delegation, although it seems to work from the top-level DNS domain. What
I'm wondering is how that really should be configured in the top-level
domain (ie delegating actual resolution for names in the top-level domain
to the hardware load-balancers). I've been considering conditional
forwarding, or stub zones, and have tried to research what really is the
best way of achieving this.

Thanks in advance for any help.
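As an added illustration (not from the post or from the BIND project), here is how the delegation described above looks in zone-file form, together with what the delegated side has to answer for it to resolve. The addresses and SOA values are constructed, and the apex layout on the load balancer side is an assumption about how such a device responds.

```zone
; --- acme.com zone (parent side, BIND as in the post) ---
$ORIGIN acme.com.
; Delegating a single name makes it a zone cut: webname1.acme.com becomes a
; child zone, and its host address lives at that child zone's apex.
; Trailing dots matter; "lb1.acme.com" without one would be read as
; lb1.acme.com.acme.com inside this zone.
webname1    IN NS   lb1.acme.com.
webname1    IN NS   lb2.acme.com.
; The name servers are in-zone hosts, so their A records are authoritative
; here and also serve as glue for the cut. Constructed example addresses.
lb1         IN A    192.0.2.11
lb2         IN A    192.0.2.12

; --- what lb1/lb2 must answer, authoritatively, for the child zone ---
; Assumption: a conventional zone apex; the real device may answer less.
$ORIGIN webname1.acme.com.
@           IN SOA  lb1.acme.com. hostmaster.acme.com. ( 1 3600 600 86400 300 )
@           IN NS   lb1.acme.com.
@           IN NS   lb2.acme.com.
@           IN A    192.0.2.80   ; the dynamically selected server address
```

To check each side: `dig +norecurse @lb1.acme.com webname1.acme.com A` should return an answer with the AA flag set, and `dig +trace webname1.acme.com` run from a corp.acme.com host shows at which referral the chain stops.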



