DDNS Registration behind Load Balancer

Mark Andrews Mark_Andrews at isc.org
Fri Jun 27 00:28:58 UTC 2008


> On Jun 26, 2008, at 4:05 PM, Kevin Darcy wrote:
> > Chris Buxton wrote:
> >> On Jun 26, 2008, at 1:53 PM, Linux Addict wrote:
> >>
> >>> Greeting!!
> >>>
> >>> I am configuring a DNS setup where it's a mix of Linux and Windows
> >>> hosts. I decided to go with BIND rather than MS DNS Server. I have
> >>> Windows hosts doing dynamic registration to the BIND Master Server.
> >>>
> >>> The next step on my project is to add a Load Balancer with 3 servers.
> >>> I was thinking of one master and 2 slaves initially. Then it struck
> >>> me that when a Windows Host does DDNS registration against the Load
> >>> Balancer VIP, and when the Load Balancer redirects the traffic to one
> >>> of the slave servers, it will not accept the changes as it's only a
> >>> secondary.
> >>>
> >>
> >> Not true. 'allow-update-forwarding { any; };'.
> >>
> >>
> > That'll work as long as the OP only has masters and slaves, but
> > doesn't allow the flexibility to add caching-only resolvers in the
> > future.
> >
> > I still think the best approach is to have the DHCP server(s), rather
> > than the clients themselves, register the client names in DNS. It also
> > raises fewer security issues.
> 
> I completely agree. I was just pointing out to the OP that one of his  
> assertions was untrue.
> 
> Chris Buxton
> Professional Services
> Men & Mice

	Caching only name servers are an orthogonal issue.  Your
	load balancer may be able to look at the DNS OPCODE and
	redirect all UPDATE requests to one machine.

	I am unsure if GSS-TSIG requests will work with the configuration
	you are describing.  At a minimum the load balancer will
	need to send the multiple requests involved to the same
	back end.

	If you are doing address based authentication then you need
	to specify it in allow-update-forwarding.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
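
The OPCODE-based redirection suggested in the message above, sketched as an added example that is not part of the original thread or of any load balancer's own code. The back-end addresses and function names are hypothetical, and the sample messages are constructed bare headers.

```python
import struct
from itertools import cycle

OPCODE_QUERY = 0   # RFC 1035
OPCODE_UPDATE = 5  # RFC 2136

# Hypothetical back ends (documentation address range), not from the thread.
PRIMARY = "192.0.2.10"
SECONDARIES = ["192.0.2.11", "192.0.2.12"]
_next_secondary = cycle(SECONDARIES)


def dns_opcode(message: bytes) -> int:
    """Return the 4-bit OPCODE of a DNS message (UDP payload, no TCP length prefix)."""
    if len(message) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    # Header starts with ID (16 bits), then flags: QR(1) OPCODE(4) AA TC RD RA Z(3) RCODE(4).
    _msg_id, flags = struct.unpack("!HH", message[:4])
    return (flags >> 11) & 0xF


def pick_backend(message: bytes) -> str:
    """Send every UPDATE to the primary; spread all other opcodes over the secondaries."""
    if dns_opcode(message) == OPCODE_UPDATE:
        return PRIMARY
    return next(_next_secondary)


def build_header(opcode: int, msg_id: int = 0x1234, rd: bool = False) -> bytes:
    """Constructed sample: a bare 12-byte header with the given opcode and zero counts."""
    flags = ((opcode & 0xF) << 11) | (0x0100 if rd else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


if __name__ == "__main__":
    for name, op in (("QUERY", OPCODE_QUERY), ("UPDATE", OPCODE_UPDATE)):
        print(name, "->", pick_backend(build_header(op, rd=(op == OPCODE_QUERY))))
```

Routing on the opcode alone does not keep a GSS-TSIG negotiation on one back end, because the TKEY exchange is carried in QUERY messages; that needs per-client stickiness as well.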

