Binding to non-local interfaces

Terry Burton tez at terryburton.co.uk
Sat Oct 23 01:40:58 UTC 2010


On Sat, Oct 23, 2010 at 12:43 AM, Rob Foehl <rwf at loonybin.net> wrote:
> On Sat, 23 Oct 2010, Terry Burton wrote:
<...snip...>
>> I am a little apprehensive about having to prod BIND in case that
>> action compounds any problems, i.e. it would be embarrassing if the
>> very mechanism designed to gloss over a transient network problem
>> affecting one resolver were to clobber the remaining resolvers.
>> However, I hope that this will prove unfounded.
>
> I've been doing a lot of work around this lately.  The biggest caveat to
> reconfig is that it blocks the entire server (threaded or not) while it
> runs, which becomes something of a problem when the configuration includes
> more than a few thousand zones.  If you're below that scale, you should be
> fine; if not, well, I'm working on it... ;)

This setup is for the resolvers of a university campus /16 network
containing ~18,000 mixed hosts, a small number of large zones (for
which the resolvers are also authoritative, but not delegated to - for
rapid update purposes) with a moderate rate of DNS entry churn due to
device/service registration. At this scale, the pauses are practically
insignificant.

> Definitely consider running BIND under some sort of supervision, either an
> intelligent init replacement (upstart or systemd on Linux, Solaris SMF,
> launchd on OS X, etc.) or a shell script that's at least as complete as
> 'while :; do named -f; done' to try to keep it running if it dies for some
> transient reason, although this should be pretty rare.  I use something
> similar, along with an external process that actively runs queries and tries
> to kick the server progressively harder any time it goes silent, eventually
> giving up and yelling at us via monitoring as necessary.

We will shortly be enabling DNSSEC validation at which point I will be
looking at process supervision in more detail due to the additional
complexity, resource requirements and less mature code paths.

We have previously used daemontools (svscanboot via inittab) for such
process supervision from which I'm sure the author would take great
pleasure ;-)


Thanks again,

Terry
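The supervision pattern Rob describes above (an outer `while :; do named -f; done` loop plus an external prober that kicks a silent server progressively harder, then escalates to monitoring) in shell form. This is an added example, not code from Rob, Terry or ISC. It assumes `dig` and `rndc` are installed, that the resolver listens on 127.0.0.1, that the probe name `localhost` is answerable (override with `PROBE_NAME`), and that an outer supervisor restarts `named` once `rndc stop` has taken it down; the thresholds (wait twice, reconfig on the third miss, restart on the fourth, alert from the fifth) are arbitrary choices for illustration.

```shell
#!/bin/sh
# Escalating resolver watchdog: probe, then reconfig, restart, alert.
# Added example for this thread; assumes BIND on 127.0.0.1, dig and rndc
# on the host, and an outer `while :; do named -f; done` loop that brings
# named back after `rndc stop`.

PROBE_NAME=${PROBE_NAME:-localhost}   # name the resolver must answer for
FAILURES=0                            # consecutive failed probes so far
LAST_ACTION=none                      # most recent decision, for logging

# Probe: one short query against the local resolver; any answer counts.
probe_resolver() {
    dig +time=2 +tries=1 +short @127.0.0.1 "$PROBE_NAME" A >/dev/null 2>&1
}

# The "kicks", progressively harder. Each is a function so a site (or a
# test) can swap it, e.g. `systemctl restart named` instead of rndc stop.
do_reconfig() { rndc reconfig; }
do_restart()  { rndc stop; }          # the outer supervisor restarts named
do_alert()    { logger -p daemon.crit "named silent after $FAILURES probes"; }

# Map the count of consecutive failed probes to an action:
#   1-2  wait      (a transient blip, e.g. the pause during a large reconfig)
#   3    reconfig
#   4    restart
#   5+   alert     (stop kicking, let monitoring wake a human)
escalation_for() {
    case "$1" in
        0)   echo ok ;;
        1|2) echo wait ;;
        3)   echo reconfig ;;
        4)   echo restart ;;
        *)   echo alert ;;
    esac
}

# One watchdog tick: probe, update the failure counter, act on it.
# Returns 0 when the resolver answered, 1 otherwise.
watchdog_tick() {
    if probe_resolver; then
        FAILURES=0
        LAST_ACTION=ok
        return 0
    fi
    FAILURES=$((FAILURES + 1))
    LAST_ACTION=$(escalation_for "$FAILURES")
    case "$LAST_ACTION" in
        reconfig) do_reconfig ;;
        restart)  do_restart ;;
        alert)    do_alert ;;
    esac
    return 1
}

# Loop forever only when invoked as `watchdog.sh run`, so the functions
# can also be sourced and exercised without touching a live server.
if [ "${1-}" = run ]; then
    while :; do
        watchdog_tick || :
        sleep "${INTERVAL:-10}"
    done
fi
```

Run it as `sh watchdog.sh run` beside the supervisor loop; because `rndc stop` only makes sense when something restarts `named`, the restart step is deliberately left to the outer loop rather than re-invoking `named` from here.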


