DNS topology and zone transfer over WAN links

Rob Kovic robkovicy at gmail.com
Wed Oct 15 21:40:46 UTC 2014

Hi folks,

I administer two data centers in separate geographic locations.

The current BIND DNS setup I have is 1 master and 1 slave per DC in the DMZ.
The slaves are publicly accessible.

The 2 masters in DC1 and DC2 do not communicate, and there is no cross-DC
DNS communication with regard to the public zones, i.e. all changes on the
masters must be identical and made on both.

I believe this is a good redundant model, saving on network traffic and
providing other benefits.

A colleague of mine is keen on changing this setup to having 1 master in
DC1, 1 slave in DC1 and 2 slaves in DC2. His idea is to sign zones on the
master/slaves and transfer them over WAN links to the DC2 slaves. He does
not accept the concept of having a VPN between the 2 DMZs either.

Can you suggest a good security article covering the topic and the risks
associated with it?
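Editor's note, added to this archived post (it is not part of Rob's message or of any reply): the colleague's proposal, transferring zones from a DC1 master to DC2 slaves across an untrusted WAN without a VPN, is normally implemented in BIND by authenticating the transfers with TSIG and granting allow-transfer to the key rather than to source addresses. The configuration below is an illustrative example; the host addresses (RFC 5737 documentation ranges), zone name, file paths and key secret are placeholders, and the secret shown is a dummy that must be regenerated with tsig-keygen.

```conf
# --- DC1 master (placeholder address 192.0.2.10) ---
# Shared secret generated with:  tsig-keygen -a hmac-sha256 dc1-dc2-xfer
# The value below is a dummy for illustration only. Generate your own and
# keep it out of world-readable files (e.g. include it from a 0640 file
# owned by the named user) and out of shell history.
key "dc1-dc2-xfer" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWtzaWctc2VjcmV0LXJlcGxhY2UtbWU=";
};

options {
    # Deny AXFR/IXFR globally; grant it per zone, and only to the key.
    allow-transfer { none; };
    # Send NOTIFY only to the explicitly listed slaves.
    notify explicit;
};

zone "example.com" {
    type master;
    file "/var/named/master/example.com.zone";
    # Only requests carrying a valid TSIG signature may pull the zone.
    # Do not rely on source-address ACLs alone for a WAN peer: addresses
    # are spoofable and the path between the DMZs is untrusted.
    allow-transfer { key "dc1-dc2-xfer"; };
    also-notify { 198.51.100.20; 198.51.100.21; };
};

# --- DC2 slave (placeholder address 198.51.100.20) ---
key "dc1-dc2-xfer" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWtzaWctc2VjcmV0LXJlcGxhY2UtbWU=";
};

# Sign every message this server sends to the master (SOA refresh
# queries and IXFR/AXFR requests) with the shared key.
server 192.0.2.10 {
    keys { "dc1-dc2-xfer"; };
};

zone "example.com" {
    type slave;
    file "/var/named/slave/example.com.zone";
    masters { 192.0.2.10; };
    # A public slave answers queries for the zone but must never hand the
    # whole zone out; keep transfers closed here.
    allow-transfer { none; };
};
```

Two checks worth running after deploying this: from an outside host, `dig @198.51.100.20 example.com AXFR` must come back REFUSED, and from the slave a transfer signed with the key (`dig -k <keyfile> @192.0.2.10 example.com AXFR`, using `-k` rather than `-y` so the secret does not appear in the process list) must succeed; `named` logs "request has invalid signature" or "AXFR request denied" for the failure cases. Two caveats a practitioner would add: TSIG authenticates and integrity-protects the transfer but does not encrypt it, so the zone contents cross the WAN in the clear (usually acceptable for a public zone, which is served to anyone anyway, but exactly the point the VPN discussion is about), and TSIG depends on roughly synchronised clocks on both ends (the default fudge window is 300 seconds), so keep NTP working on the DMZ hosts. DNSSEC-signing the zone is a separate measure that protects the records served to resolvers; it does not protect the transfer channel.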

