DNS and keepalived

Grant Taylor gtaylor at tnetconsulting.net
Thu Aug 9 19:35:02 UTC 2018

On 08/06/2018 08:14 AM, Leroy Tennison wrote:
> As previously posted, I just added a slave of a master for disaster 
> recovery and now need to know how to promote it should the master be 
> offline too long.

Please see the reply that I just sent for details about how I handled 
this problem in the past.

> An additional complicating factor is that the master and slave exist on 
> a failover pair managed by keepalived.

Okay.  My opinion is that keepalived should be used between two 
identical servers.  Thus between two masters or two slaves.  I would not 
want to try to cross the role between two servers managed by keepalived.

> My web search has found a few references to this situation but they have 
> either used slave servers or were very light on the details of bind 
> configuration.

I've not dealt with keepalived in a long time, so I can't say for sure. 
But I believe that most of the configurations I've seen work between two 
slaves that share a common (optionally hidden) master server.  This 
allows both servers to be identical and a backup for each other and 
avoids the need for keepalived to significantly reconfigure BIND's 

> I'm converting an existing situation where there was a single server for 
> almost totally non-DHCP clients (servers).
> I would prefer to not roll out a different DNS resolver configuration to 
> all those non-DHCP clients

I do not see any reason to change the client configuration.

Ideally the DNS server's VIP / functional IP will stay the same.  Thus 
no need to reconfigure clients.

The change will be in the servers that are capable of hosting said VIP.

Aside from potential SOA / MNAME issues (see my other reply) I don't see 
any issues in adding additional servers; 1 (optionally hidden) master 
and an additional slave to participate in the keepalived configuration 
with the existing server.

> the environment size is sort of "in between" (not small or large).

The environment size is immaterial to the BIND configuration.  (It may 
be applicable to you for motivation to doing things.)

> The issues I see are in the SOA, with keepalived I could leave the SOA 
> the same on both since the IP address for the DNS server (and other 
> functions) moves.

I don't think the SOA / MNAME actually need to be the same.  They just 
need to be accessible.  (See my other reply.)

> The question is "Am I missing something?" which will come back to haunt 
> me later?

It's hard to say.  I don't see anything obvious jumping out at me.

Grant. . . .
unix || die
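Added example, not from Grant's or Leroy's mail and not ISC's own documentation: the layout Grant describes above, one (hidden) master feeding two identical slaves that share a single keepalived VIP while clients keep their existing resolver address. All addresses (192.0.2.x), the zone name, the VRRP router id and the health-check script path are constructed for illustration.

```conf
# ---- /etc/named.conf on the hidden master (192.0.2.10, constructed) ----
# Not listed in client resolver config or in NS records; it only feeds the slaves.
options {
    directory "/var/named";
    recursion no;
    allow-query    { 192.0.2.11; 192.0.2.12; };  # only the two slaves may query it
    allow-transfer { 192.0.2.11; 192.0.2.12; };  # only the two slaves may AXFR/IXFR
    notify explicit;
    also-notify    { 192.0.2.11; 192.0.2.12; };  # push NOTIFY to both slaves on change
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

# ---- SOA in master/example.com.zone (shown as a comment) ----
# MNAME names a host that resolves to the shared VIP, so it is reachable
# whichever slave holds the address; it does not need to name the hidden master.
#   example.com.    IN SOA ns.example.com. hostmaster.example.com. (
#                       2018080901 ; serial
#                       3600 900 604800 300 )
#   ns.example.com. IN A   192.0.2.53

# ---- /etc/named.conf on each slave (192.0.2.11 and 192.0.2.12, identical) ----
options {
    directory "/var/named";
    listen-on { any; };         # named also binds the VIP once keepalived adds it
                                # (BIND rescans interfaces on address changes)
    recursion yes;              # clients still use this VIP as their resolver
    allow-recursion { 192.0.2.0/24; };
    allow-transfer  { none; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.10; };    # the hidden master
    file "slaves/example.com.zone";
};

# ---- /etc/keepalived/keepalived.conf on each slave ----
# The only difference between the two boxes is priority (100 here, 90 on the other).
vrrp_script chk_named {
    # Hold the VIP only while the local named actually answers for the zone.
    script "/usr/local/bin/check_named.sh"
    interval 5
    fall 2
    rise 2
}

vrrp_instance DNS_VIP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    virtual_ipaddress {
        192.0.2.53/24 dev eth0  # the address clients already have configured
    }
    track_script {
        chk_named
    }
}

# ---- /usr/local/bin/check_named.sh (constructed health check, shown as a comment) ----
# #!/bin/sh
# # Succeeds only if the local named returns an SOA for the zone; a timeout,
# # SERVFAIL or empty answer fails the check and keepalived releases the VIP.
# dig +short +time=2 +tries=1 @127.0.0.1 example.com SOA | grep -q .
```

Because both slaves pull the same zone from the same master, their configuration and their serials stay identical, so either can hold the VIP and nothing on the clients changes; the SOA MNAME only has to resolve to an address that is always answered, which the VIP provides.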
