Slaving from DNS masters behind LVS

Mike Hoskins (michoski) michoski at cisco.com
Wed Feb 13 04:15:26 UTC 2013


Note: Removing cross-post, but feel free to forward.

-----Original Message-----

From: Nick Urbanik <nick.urbanik at optusnet.com.au>
Date: Tuesday, February 12, 2013 10:00 PM
To: "keepalived-devel at lists.sourceforge.net"
<keepalived-devel at lists.sourceforge.net>, "bind-users at lists.isc.org"
<bind-users at lists.isc.org>
Subject: Slaving from DNS masters behind LVS

>Dear Folks,
>
>We have a pair of DNS servers running BIND behind a direct routing LVS
>director pair running keepalived.  Let's call these two DNS servers A
>and B, and the VIP V.

We run a similar setup, so I'm looking forward to hearing the community's
answers.  My views below.

>They slave from a hidden master; let's call it M.
>
>I want to allow another machine S to slave from A and B, the pair of
>DNS servers that are behind LVS.
>
>Another machine F will forward to the DNS servers behind the load
>balancer, A and B.
>
>[There is another similar setup at another location, so there will
>be a V1 and V2, A1, A2, B1, B2; all of A1, A2, B1, B2 slave from M.]
>
>1. Should the machine in the SOA be V, or A or B?

I would use V.

Some will argue M if you are doing things like DDNS with DHCP...though
that's not clear here.  Even if you are, it should not require using M
with the right configuration.  I never publish my hidden master name in
public records.

>2. Should the NS records for the zones be A, B and V, or just V?

I think it depends on what you are trying to accomplish.

From a Murphy's Law perspective, where the VIP could go down (or need to
be taken down for maintenance), if the real servers are reachable by
clients in this case...listing A and B would be useful.

However you might accomplish the same thing with multiple VIPs hosted on
separate LVS clusters pointing to different sets of real servers, where
you only list V, V', etc.  This is similar to what we do.

If you really don't want any queries directed to the real servers
themselves (or network topology prevents this), then you would only list V.

>3. Should S slave from A and B, or should it slave from V?

Either way you achieve the primary goal of HA, via VIP or masters {}.  If
you use the VIP, you need to consider how much you care about the VIP
going down (maybe you don't if your expire time is high).  If you use
masters, you need to consider how often you add new servers and require
updates to your configuration.

>4. Should F forward to V, or to both A and B?

I would actually set up a couple VIPs in cases like this, and use those as
my forwarders, resolv.conf entries, etc.  If a DNS resolver tries a given
VIP, which gets a timeout from one real server, odd things might happen if
the client can't fail-over to a second VIP (its retry logic will be tied
to the VIP address irrespective of # real servers).  Edge case for sure,
but something to consider when load balancing DNS.
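The named.conf fragments below are an added illustration of the layout discussed in this thread (questions 3 and 4, plus the NOTIFY path that neither poster spells out); they are not configuration posted by Nick or Mike. All addresses are assumed, taken from RFC 5737 documentation space: M = 192.0.2.1 (hidden master), A = 192.0.2.11 and B = 192.0.2.12 (real servers behind the LVS-DR director), V = 192.0.2.53 (the VIP), V' = 192.0.2.54 (a second VIP on a separate LVS cluster, as the reply suggests), S = 192.0.2.20 (the external slave) and F = 192.0.2.30 (the forwarding resolver). The zone name example.com is likewise a placeholder. `masters` is the classic keyword; current BIND releases also accept `primaries`.

```conf
// Added example, not from the original thread.  Addresses are assumed
// (RFC 5737): M=192.0.2.1 A=192.0.2.11 B=192.0.2.12 V=192.0.2.53
// V'=192.0.2.54 S=192.0.2.20 F=192.0.2.30.

// --- On M, the hidden master ---------------------------------------------
// M is not in the NS set (SOA MNAME and NS name V, per the reply), so NOTIFY
// must be sent explicitly.  Send it to the real servers A and B, not to V:
// a NOTIFY aimed at the VIP is balanced to ONE real server, and the other
// would only notice the change when its refresh timer fires.
zone "example.com" {
    type master;
    file "masters/example.com.db";
    notify explicit;
    also-notify   { 192.0.2.11; 192.0.2.12; };
    allow-transfer { 192.0.2.11; 192.0.2.12; };
};

// --- On A and B, the slaves behind the LVS director ------------------------
// Each real server slaves directly from M and notifies S itself.  With
// direct routing the VIP lives on the real server's loopback, so replies to
// queries sent to V carry V as source, but traffic the server *originates*
// (NOTIFY, refresh queries, AXFR/IXFR) leaves from its own address unless
// pinned with notify-source / transfer-source.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.1; };
    notify explicit;                  // avoid notifying V, i.e. ourselves
    also-notify   { 192.0.2.20; };
    allow-transfer { 192.0.2.20; };
};

// --- On S, the external slave --------------------------------------------
// The reply's first option: slave from V, with A and B listed after it so a
// refresh still succeeds when the VIP is down for maintenance.  BIND tries
// the masters in list order until one answers.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.53; 192.0.2.11; 192.0.2.12; };
    // NOTIFY from A or B arrives from their real addresses.  They are in
    // the masters list, so it is accepted; if only V were listed, this
    // allow-notify line would be required for those NOTIFYs to be honoured.
    allow-notify { 192.0.2.11; 192.0.2.12; };
};

// --- On F, the forwarding resolver ---------------------------------------
// Per the reply: forward to two VIPs on separate LVS clusters rather than
// to A and B directly, so the resolver's retry logic has a second address
// to fail over to when one VIP times out.
options {
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
```

A quick consistency check once this is in place is to compare the SOA serial returned by A, B and V (and by S) after a change on M; if V reports the new serial but S does not, the NOTIFY from A/B was most likely dropped because its source address was not in S's masters or allow-notify lists.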
