PCS, Corosync, Pacemaker, and Bind

Graham Clinch g.clinch at lancaster.ac.uk
Wed Mar 16 18:06:15 UTC 2016

> Please confirm that if a DNS query is sent to the virtual address, the reply
> will be sourced from the virtual address. The reason for restricting BIND to
> a single address was mostly for firewall and administrative simplicity, but
> that's not a big deal as long as the same address is used both directions.

Yes, the correct source address is used (the source of a response is the
destination of the inbound query).  However, onward queries that bind
makes on behalf of a client (e.g. if recursing) will use whatever address
(or presumably query-source/query-source-v6).  The default query source
always seems to be the primary address of an interface, as far as I've seen.

> The documentation for keepalived isn't very good, but as near as I can tell
> it does not support bringing up an application like BIND along with a VRRP
> address. Maybe I'm wrong? The cluster.org package works great except for the
> lack of an interface, so I've posted over there also to see if it's possible
> to build a virtual interface for the IP, but I doubt it.

Our recursive servers run keepalived to juggle the two service addresses
that we advertise, and we don't set query-source, listen-on or
notify-source.  I don't see any benefit in moving the query/notify
source addresses between hosts, especially since it makes it hard to
test/monitor a host that isn't in service at the moment.

Keepalived calls 'rndc scan' to nudge the already-running named when
addresses appear/disappear, but I think this might be a historical thing
now that bind can watch the routing socket.

> -----Original Message-----
> From: Tony Finch [mailto:dot at dotat.at]
> Sent: Tuesday, March 15, 2016 5:40 PM
> To: Mike Bernhardt
> Cc: bind-users at lists.isc.org
> Subject: Re: PCS, Corosync, Pacemaker, and Bind
>
> Mike Bernhardt <bernhardt at bart.gov> wrote:
>
>> I'm setting up a new CentOS 7 DNS server cluster to replace our very
>> old CentOS 4 cluster. The old one uses heartbeat which is no longer
>> supported, so I'm now using pcs, corosync, and pacemaker.
>
> I suggest having a look at keepalived: it's significantly simpler.
>
>> I want BIND to listen on, query from, etc on a particular IP address,
>> which is virtualized. The options currently used are:
>> query-source address
>> listen-on
>> notify-source
>> listen-on isn't a big deal, but the source address options are.
>
> Why do you care about the query source address?
>
> I don't set any of those options and just let BIND pick whatever source
> address it wants; it might choose the server admin address or the advertised
> service address, and that doesn't matter because everything else is
> configured to accommodate this.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/ Shannon, Rockall:
> Southeast 4 or 5, increasing 6 at times in Shannon. Moderate or rough. Fair.
> Mainly good.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
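As an added example (not code from this thread or from any of the posters), here is a keepalived notify script in the shape Graham describes: keepalived runs it on every VRRP transition, and on MASTER/BACKUP it calls `rndc scan` so an already-running named picks up the service address that just appeared or vanished, leaving query-source and notify-source unset as both Graham and Tony do. The keepalived.conf fragment in the header comment, the install path, the 192.0.2.53 address and the NAMED_VIP/CHECK_QNAME variables are assumptions for illustration. With a recent named and its default `automatic-interface-scan yes`, the scan is belt-and-braces, which is Graham's suspicion that it is now a historical step.

```shell
#!/bin/sh
# named-vip-notify: hypothetical keepalived notify script (added example, not
# the thread's own code). keepalived calls it on every VRRP state change as:
#   named-vip-notify INSTANCE|GROUP <name> MASTER|BACKUP|FAULT <priority>
# Assumed wiring in keepalived.conf (interface, id and address are placeholders):
#   vrrp_instance VI_DNS {
#       interface         eth0
#       virtual_router_id 53
#       priority          100
#       virtual_ipaddress { 192.0.2.53/24 }
#       notify            /usr/local/sbin/named-vip-notify
#   }
# named itself keeps its defaults: no query-source/notify-source, and
# listen-on { any; }, so it binds each address individually and answers
# from the address the query arrived on.

RNDC="${RNDC:-rndc}"              # overridable so the script can be dry-run
NAMED_VIP="${NAMED_VIP:-}"        # set to the VIP to enable the post-scan check
CHECK_QNAME="${CHECK_QNAME:-.}"   # name queried by that check (placeholder)

log() {
    # keepalived discards the script's output, so prefer syslog; fall back
    # to stderr when logger is unavailable (e.g. when run by hand).
    logger -t named-vip -- "$*" 2>/dev/null || printf 'named-vip: %s\n' "$*" >&2
}

# Map a VRRP state to the rndc sub-command to run. MASTER and BACKUP both
# mean the host's address set just changed, so both trigger a rescan; FAULT
# means the interface is down and there is nothing for named to pick up.
rndc_action_for_state() {
    case "$1" in
        MASTER|BACKUP) echo scan ;;
        FAULT)         echo "" ;;
        *)             return 1 ;;
    esac
}

# Optional smoke test after the VIP appears: confirm named really answers on
# it. Skipped unless dig is installed and NAMED_VIP is set.
check_vip_answers() {
    vip=$1
    [ -n "$vip" ] || return 0
    command -v dig >/dev/null 2>&1 || return 0
    if dig +time=2 +tries=1 @"$vip" "$CHECK_QNAME" SOA >/dev/null 2>&1; then
        log "named answering on $vip"
    else
        log "WARNING: named not answering on $vip after rndc scan"
        return 1
    fi
}

notify_handler() {
    kind=$1 name=$2 state=$3 prio=$4
    action=$(rndc_action_for_state "$state") || {
        log "unknown VRRP state '$state' for $kind $name"
        return 2
    }
    log "$kind $name -> $state (priority $prio)"
    [ -n "$action" ] || return 0
    # $action is a single word, so leaving it unquoted is safe here.
    if ! "$RNDC" $action; then
        log "rndc $action failed"
        return 1
    fi
    if [ "$state" = MASTER ]; then
        check_vip_answers "$NAMED_VIP"
    fi
}

# Only act when invoked by keepalived as the installed script, so the file
# can also be sourced to exercise the functions.
case "$0" in
    */named-vip-notify) notify_handler "$@" ;;
esac
```

Dry-run it with `RNDC=echo ./named-vip-notify INSTANCE VI_DNS MASTER 100` to see the rndc command it would issue; keepalived's `notify` script receives no stdin and its output is not collected, which is why everything of interest goes through `log`.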
