deploying DNS in large ISP

Brad Knowles brad.knowles at skynet.be
Wed Jul 4 21:52:43 UTC 2001


At 10:51 AM -0400 7/4/01, ray at doubleclick.net wrote:

>  Hm, perhaps Mr. Powers was asking about authoritative nameservice (and
>  not caching resolvers)?

	Could be.

>                           I set up the authoritative DNS system for my
>  employer. We used a lot of smaller Sun systems (e.g. Netra T-1, E220R,
>  etc.) with stripped-down O/S and running a single instance of BIND
>  8.2.x per node; in front of each cluster of nameservers, we use a
>  hardware load-balancer capable of handling UDP "transactions". The
>  theory of operation: to use enough nodes per cluster, such that the
>  failure of 1 or even 2 nodes would not render the cluster unusable
>  (overloaded). So, each child node should be sized to handle 200% load,
>  with a minimum cluster size of 4 nodes.

	For authoritative nameservice, I do not believe that this kind of 
operation is necessary.  Most recursive/caching nameservers out there 
seem to handle failure of authoritative nameservers pretty well. 
With BIND 8 on DEC Alpha hardware in 1996, you could easily sustain 
2000 queries per second (which is about what the root nameservers 
were sustaining, and IIRC, the DEC Alpha configuration was the 
genesis for RFC 2010 "Operational Criteria for Root Name Servers"), 
and this was more than enough for most applications.

	Yes, today if you're running a root nameserver or a gTLD 
nameserver or are running the authoritative nameservice for one of 
the largest ISPs or Online Service Providers, then you might want to 
be a bit more extreme and consider load-balancing applications, or 
today you might want to consider signing up for secondary nameservice 
with Nominum and their GNS (which exceeds the capabilities of even 
root or gTLD nameservers).

	However, even today, I do not feel that this kind of extreme 
configuration is necessary for most sites.  Two or three 
authoritative-only nameservers that are properly managed, and located 
on independent geographically diverse networks, etc... should be 
plenty.  If you're really concerned, then I'd suggest talking to 
Nominum about secondary nameservice.

>  At first we tried to use a software product like Resonate Central
>  Dispatch, but CD cannot load-balance UDP (so no good for DNS). Later,
>  we tested Alteon equipment, but for some reason could not get this to
>  work. Finally we settled on ArrowPoint CS-100/CS-200's (the company
>  has since been acquired by Cisco, you can get the CS-200 or CS-800
>  still, I believe). No problems with the CS-* series, except if you
>  don't like IOS. Make sure to keep up with the IOS updates!

	Right.  Arrowpoint.  We tried those at Skynet.  There's a reason 
why we had two of them sitting on the shelf as of the time I left.  A 
friend/former co-worker of mine at AOL also did some testing on them. 
His comment after just a few hours of testing was that "Oh, it has an 
internal hard disk that it depends on for booting and operating -- 
poor switch.  RIP."

	I would encourage anyone who is serious about looking into L4 
switches to take a close look at the Load Balancing Resources web 
site at <http://www.vegan.net/lb/>, and the archives of the 
load-balancing mailing list.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
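
The signature above reads a binary out of a DNS CNAME chain: the perl one-liner takes every answer line whose owner name starts with "x", strips the "x" and "." characters, and hex-decodes the first 124 digits. The following is an added example (not part of Brad's post, and not the decss.friet.org chain itself) that builds such a chain from a constructed payload under a made-up zone name and decodes it again. It parses the owner-name field rather than the whole line, so a short final record or a zone label that happens to start with "x" does not corrupt the output; the 62-hex-digit label size keeps each label within the 63-octet limit of RFC 1035.

```python
"""Hex-in-DNS-label encoding, after the dig|perl one-liner in the signature.
Editor-added example: zone name, payload and record layout are constructed."""
import binascii

HEX_PER_LABEL = 62      # 'x' + 62 hex digits = 63 chars, the RFC 1035 label maximum
BYTES_PER_RECORD = 62   # two such labels per owner name = 124 hex digits = 62 bytes

# Constructed stand-in payload (not the efdtt.c source or the prime).
SAMPLE = b"constructed sample payload: this is not the efdtt.c source, just test bytes"


def encode_chain(data: bytes, zone: str = "data.example.invalid") -> list:
    """Return dig-style answer lines forming a CNAME chain whose owner names
    carry `data` as hex, 62 bytes per record; the last record points at the
    bare (hypothetical) zone apex."""
    names = []
    for i in range(0, len(data), BYTES_PER_RECORD):
        h = binascii.hexlify(data[i:i + BYTES_PER_RECORD]).decode()
        labels = [f"x{h[j:j + HEX_PER_LABEL]}" for j in range(0, len(h), HEX_PER_LABEL)]
        names.append(".".join(labels) + "." + zone + ".")
    lines = []
    for k, name in enumerate(names):
        target = names[k + 1] if k + 1 < len(names) else zone + "."
        lines.append(f"{name}\t3600\tIN\tCNAME\t{target}")
    return lines


def _is_hex_label(label: str) -> bool:
    """True for 'x' followed by an even, non-empty run of lowercase hex digits."""
    body = label[1:]
    return (label.startswith("x") and body != "" and len(body) % 2 == 0
            and all(c in "0123456789abcdef" for c in body))


def decode_chain(lines) -> bytes:
    """Reverse of encode_chain, in the spirit of the one-liner: only lines whose
    owner name starts with 'x' count, and only the x-prefixed hex labels of
    that owner name (first whitespace-separated field) are decoded, in order."""
    out = bytearray()
    for line in lines:
        if not line.startswith("x"):
            continue
        owner = line.split()[0]
        for label in owner.split("."):
            if _is_hex_label(label):
                out += binascii.unhexlify(label[1:])
    return bytes(out)


if __name__ == "__main__":
    chain = encode_chain(SAMPLE)
    for answer in chain:
        print(answer)
    print(decode_chain(chain))
```

Feeding real `dig` output (after `dig +noall +answer name`) into `decode_chain` works the same way, since the owner name is the first field of each answer line.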

