Newbie's BIND Questions on DNSSEC, HA and SD

David Li dlipubkey at
Wed Jan 20 01:51:44 UTC 2016

Hi Tony/Chris,

Thanks for the suggestion and pointers.

At this stage, my network design is still very fluid. However, the
basic architecture constraints call for at least three racks of
servers. Each is served by a TOR switch. One of the servers in each
rack is dedicated to DHCP/DNS services, so there will be three of them
at least.

Each rack potentially is a subnet or VLAN by itself. Every other
server in each rack should be able to reach any other server in the
whole cluster. All names and addresses are internal private ones.

Questions are:

1. Does it make sense to have one DNS zone for the cluster?
2. Does it make sense to have one master authoritative DNS server and
two other slaves to cover the cluster and meet the HA requirement?



On Tue, Jan 19, 2016 at 10:14 AM, Chris Buxton <clists at> wrote:
> On Jan 16, 2016, at 9:33 PM, David Li <dlipubkey at> wrote:
>> Hi,
>> I am new to BIND. I am researching for a DNS server that can meet a
>> list of requirements to be used in  a distributed system. They are:
>> 1. Security (DNSSEC)
>> 2. High Availability (HA)
>> 3. Service Discovery (DNS-SD)
> Hello David,
> I think you’ll find 1 and 3 are easy to find. For 2, it depends on what you mean. Tony Finch has already given you several excellent options covering most of the use cases.
> The one thing that is most difficult is HA for the primary master name server, which is the target for dynamic updates and is therefore fairly important; even a few minutes of downtime of this server might cause outages for DHCP service, for example. There are several commercial offerings that include this sort of HA. I work for one of these vendors, BlueCat.
> Regards,
> Chris Buxton
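One way to lay out the topology David asks about in questions 1 and 2 (a single zone for the cluster, one primary that receives the DHCP dynamic updates, two secondaries that follow it), written as an added example and not taken from the thread or from BIND's own documentation. Assumed: BIND 9.16 or later (for dnssec-policy and the primary/secondary keywords), the zone name cluster.internal, the server addresses 10.0.1.53, 10.0.2.53 and 10.0.3.53, and the two TSIG key names; the secrets are placeholders to be generated with tsig-keygen.

```conf
// --- primary (rack 1, 10.0.1.53): named.conf fragment, assumed values ---
// One zone for the whole cluster; only the primary accepts dynamic updates.
key "dhcp-update" {            // key the DHCP servers use for updates
    algorithm hmac-sha256;
    secret "PLACEHOLDER-generate-with-tsig-keygen";
};
key "xfer" {                   // key the secondaries use for zone transfers
    algorithm hmac-sha256;
    secret "PLACEHOLDER-generate-with-tsig-keygen";
};
options {
    directory "/var/named";
    recursion no;              // authoritative only in this example
    allow-transfer { none; };  // zones opt in with the "xfer" key below
};
zone "cluster.internal" {
    type primary;
    file "cluster.internal.db";            // unsigned zone, updated by DHCP
    dnssec-policy default;                 // named generates keys and signs
    inline-signing yes;                    // signed copy kept alongside the file
    // Least privilege: DHCP may only add/remove host records, not NS/SOA.
    update-policy { grant dhcp-update zonesub A AAAA TXT; };
    allow-transfer { key xfer; };
    also-notify { 10.0.2.53; 10.0.3.53; };
};

// --- each secondary (racks 2 and 3): same "xfer" key block, then ---
zone "cluster.internal" {
    type secondary;
    file "cluster.internal.db";            // signed copy pulled from the primary
    primaries { 10.0.1.53 key xfer; };
    allow-transfer { none; };
};
```

The two secondaries keep the zone resolvable (and DNSSEC-signed) if the primary goes down, but, as Chris notes, dynamic updates from DHCP stop until the primary is back.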

