Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

Ondřej Surý ondrej at isc.org
Fri Sep 27 03:13:04 UTC 2024


Hi Erik,

whatever you did below is complicated, unnecessary, and prone to break.

Just create one hidden primary that will do the signing and two to three public secondaries that are independent of each other.

Then set up DNSSEC in a way that it’s ok for the primary to be down for a specified period of time, so you don’t have to wake up in the middle of the night, e.g. the signatures should be long enough and be re-signed at least a week before expiration.

The DNS itself can handle a failure of the secondaries.

Sure, if you want to be fancy, you can do a local VRRP at each secondary site, or use anycast for each primary, but since you are hosting “example.com” I don’t think it matters much.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 27. 9. 2024, at 4:27, TErik Ashfolk <aterik at outlook.com> wrote:
<snip>
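As an added illustration of the layout Ondřej describes (not part of his reply, and not configuration from ISC or from the original poster), here is a minimal named.conf sketch for one hidden signing primary plus independent secondaries, with a dnssec-policy whose signature lifetime and refresh window leave a week of headroom for the primary to be unreachable. The policy name "tolerant", the zone file names and the 192.0.2.x addresses are assumptions (RFC 5737 documentation addresses), not values from the thread.

```conf
/* --- hidden primary: signs the zone, is never listed in NS records --- */

dnssec-policy "tolerant" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D       algorithm ecdsap256sha256;
    };
    /* Each RRSIG is valid for 14 days ... */
    signatures-validity        P14D;
    signatures-validity-dnskey P14D;
    /* ... and is regenerated once less than 7 days of validity remain,
       so a primary outage of up to ~7 days (minus the zone's largest TTL)
       does not let signatures expire on the public secondaries. */
    signatures-refresh         P7D;
    max-zone-ttl               1d;
};

zone "example.com" {
    type primary;
    file "example.com.db";          /* assumed unsigned source zone file */
    dnssec-policy "tolerant";
    inline-signing yes;             /* named keeps the signed copy itself */
    /* Only the public secondaries may transfer; they are the only
       servers that ever answer for the zone on the Internet. */
    allow-transfer { 192.0.2.2; 192.0.2.3; };
    also-notify    { 192.0.2.2; 192.0.2.3; };
};

/* --- each public secondary: plain AXFR/IXFR from the hidden primary --- */

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };       /* assumed address of the hidden primary */
    file "example.com.db";          /* cached signed copy */
    allow-transfer { none; };
};
```

Two things to check when sizing the headroom: the SOA expire value in the zone must be at least as long as the outage you want to survive, because a secondary stops answering once expire elapses without a successful refresh regardless of how long the RRSIGs remain valid; and `rndc dnssec -status example.com` on the primary reports the next signing and key-rollover times, which is a convenient way to confirm the policy took effect.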