Moving dynamic zones to new master+slave pair without interruptions

Peter Rathlev peter at rathlev.dk
Wed Jan 6 13:16:39 UTC 2016


We currently have two internal DNS servers that are both authoritative
for a range of internal zones and caching resolvers for our clients. We
would like to split this so authoritative and caching roles exist on
different servers. And we would like to do this with as little down
time as possible, also for dynamic zones.

Moving static zones is of course trivial. Moving dynamic zones is what
I cannot quite wrap my head around.

I think I want to set up a new slave and AXFR from the existing master.
Then I can point delegations and "forwarders" at this new slave only.
Together with having the configured "masters" pointing at a not yet
running master server this would make it "stand alone".

Next step in my head would be to re-create the master from this slave.
I thought that I could just copy the zone files from the slave, since
that slave would not have made any changes, seeing as it is only the
master that can do that. (I am fine with rejecting changes to the
dynamic zones during the move exercise.)

However, I see that the current slave also has ".jnl" files for the
dynamic zones and "rndc freeze <zone>" is invalid except on the zone
master. With journal files present I guess that I cannot trust the zone
files to actually be valid/complete.

So... What do I do then? Is there another way of committing the journal
to disk on a slave? Is there a "best practice" for re-creating a lost
master when dealing with dynamic zones?

I may of course have started out completely wrong. If there are better
ways to achieve what I want then I am all ears! :-)

This is all a thought exercise right now, I have not actually tried to
move anything yet.

If BIND versions are relevant then we plan on using the CentOS 6
default which is BIND 9.8.2 (with some patches, so it's
bind-9.8.2-0.37.rc1.el6_7.5.x86_64) on the new servers. Building from
sources is a hassle we would rather avoid, but since we are already
doing this with ISC DHCP we could also do it with BIND if necessary.

Current master is _quite_ old, BIND 9.3.6 (bind-9.3.6-25.P1.el5_11.5).
So the setup is really in need of a refresh. :-)

Thank you in advance!

-- 
Peter Rathlev


