DNS delegation based on both location and organization

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 8 21:34:01 UTC 2005 

A lot of good advice below, but one thing Brad didn't mention was 
NOTIFY. One can control how quickly changes propagate to stealth slaves 
via "also-notify", and if one really wishes to, one can 
minimize/optimize change-propagation even to published slaves via BIND 
9's "notify explicit" modifier...

- Kevin

Brad Knowles wrote:

>At 12:08 PM +0200 2005-09-08, martinez_ja5 at tsm.es wrote:
>
>  
>
>> I am not sure if I understood the diferences on server types, but I think
>> I want all DNS servers to have full DNS records for the quickest response
>> (plenty of RAM available).
>>    
>>
>
>	A full-mesh network is one way to make sure that you have maximum 
>availability and speed of resolution, but it is not necessarily 
>always the best solution.
>
>  
>
>>                             From that I understand DNS servers at Madrid
>> office should be both primary servers of all Madrid local zones
>> (madrid.finance.corp.com, madrid.sales.corp.com, ...) and all other
>> servers (those in Barcelona, Valencia, etc) should be secondary
>> (non-authoritative) for Madrid zones.
>>    
>>
>
>	Secondary != non-authoritative.
>
>	If a server is secondary for a zone, then it is fully 
>authoritative for that zone.
>
>  
>
>>                                        Of course, the same architecture
>> would be applied for all other cities, two local primary servers and
>> 4x2 secondary remote secondary servers.
>>    
>>
>
>	Generally speaking, you usually want only one primary server for 
>a zone, and a set of secondaries.  All changes to the zone are made 
>only on the primary, and then when you reload the zone on the 
>primary, that information will automatically be distributed to the 
>secondaries.
>
>	If you need two nameservers for each city, make one of them 
>primary and the other secondary.  Keep in mind that you can have as 
>many secondaries as you want for a zone, but you don't necessarily 
>have to list them all as official authoritative servers within the 
>zone content itself.  The extras would be "stealth" secondaries -- 
>they get a copy of the data, they answer authoritatively for anyone 
>who asks them, but since they're not advertised they should get 
>relatively few queries for that zone.
>
>  
>
>> To centralize management also I thought I would add another server
>> primary for all zones, hidden and behind a firewall to be a master
>> of everything, safe repository of data and source of all changes to
>> sync into all other servers. (This would be VitalQIP+oracle management).
>>    
>>
>
>	This isn't the way primaries work.  Primaries don't share out 
>data to other primaries, they instead share out data to secondaries. 
>You could do your own out-of-band communication method to share data 
>between primaries, but that would be outside the scope of DNS and 
>BIND.
>
>	You can have a stealth primary and have all other servers be 
>secondary to that primary, and all advertised servers within the zone 
>are actually secondaries and not primary.  Since either primary or 
>secondary would answer authoritatively, the clients don't care.
>
>	If you want to make all your changes in a centralized location, 
>that's fine.  But you're getting confused on the terminology between 
>primary and secondary.
>
>  
>
>> It looks like a little overkill but:
>> - I do not want to use cache servers because cache misses get too
>>      long to get resolved.
>>    
>>
>
>	I don't think that this would really be too much of an issue, but 
>I'm willing to take this as a given.
>
>  
>
>> - I need centralized Oracle based management.
>>    
>>
>
>	No problem.  The primary can be whatever you want, and use 
>whatever back-end technology you want.  The secondaries don't care, 
>since they'll get their data via zone transfers and then store that 
>content locally in the format of their choice.  You just have to make 
>sure that the primaries support zone transfers, and you're fine.
>
>  
>
>> - I need local resolution and redundancy (I even need load balancers
>>      for the quickest response time and highest availability)
>>    
>>
>
>	Load-balancing switches are definitely a good idea for HA, but 
>they generally don't contribute much of anything on the performance 
>side of the equation unless you're doing tens to hundreds of 
>thousands of DNS queries per second.  I built what was the world's 
>largest caching nameserver farm at AOL, and that whole cluster of 
>machines was capable of handling at least 32,000 DNS queries per 
>second (our testing tools weren't able to push the system hard enough 
>to find out what the real top-end was), but now you can get 
>reasonably low-cost individual boxes that can provide performance 
>approaching or even exceeding those levels.
>
>  
>
>> - Second and third domain levels would be hardly adjustable to my needs
>>      for simpler DNS
>>
>> Does this architecture look fine or is just a nerd mess? Aren't there too
>> many primary servers? Would make any difference if I set them all to
>> secondary but the centralized one?
>>    
>>
>
>	Having all of them be secondaries to the single central primary 
>would definitely be the way to make the system easier to manage, but 
>you will have to keep in mind that you will have to push out 
>/etc/named.conf changes to each of those machines if you add or 
>delete any zones that they should be secondaries for.  Zone content 
>changes will be no problem -- that will be handled automatically.
>
>	Of course, this does give you a Single Point of Failure (SPOF), 
>which will hurt your overall system availability percentage, due to 
>the single central management system.  However, since this is a 
>stealth primary, and it wouldn't be advertised anywhere within any of 
>the zones it serves, this would only prevent updates to the zone 
>contents -- the existing zone contents would continue to be served by 
>the secondaries.
>
>
>	The bigger issue for you is going to be determining which 
>machines at each site need to be advertised as authoritative for the 
>zones, and which ones can be stealth secondaries.  That choice is 
>entirely up to you.
>
>	But keep in mind that you don't want to list too many 
>authoritative servers (typically no more than four or five), because 
>you don't want to cause the responses you hand out to exceed the 
>512-byte limitation of typical DNS responses via the UDP protocol. 
>Trust me, you do *not* want to know what kind of weirdness tends to 
>manifest itself when you start causing truncation, which results in 
>DNS queries having to be re-tried with TCP, etc....
>
>  
>

More information about the bind-users mailing list