DNS delegation based on both location and organization

martinez_ja5 at tsm.es
Thu Sep 8 10:08:28 UTC 2005


Hi there,

I know this is a quite common question, but I could not find it either by
searching Google or by searching the mailing list archive. I read a few
howtos but none of them show anything other than the configuration itself and
no design details.

I am new to bind 9 but experienced on networking.

I am designing a DNS architecture for a corporate network with 5 locations
and 5 organizationally independent groups. Here the organizational groups are
more important, so the secondary domain should be the group:
finance.corp.com. Supporting that higher priority is the fact that
finance.corp.com has a reserved IP subnet distributed among all locations
(all other groups have the same, so, for example, 1.0.0.0/16 is assigned to
finance, 10.1.0.0/16 to sales, etc.). The third domain level would be
the location: madrid.finance.corp.com (IP addressing is always the first
/24 within each group range, but that will not help DNS as far as I know).

I am not sure if I understood the differences between server types, but I think I
want all DNS servers to have full DNS records for the quickest response
(plenty of RAM available). From that I understand DNS servers at the Madrid
office should be both primary servers of all Madrid local zones
(madrid.finance.corp.com, madrid.sales.corp.com, ...) and all other servers
(those in Barcelona, Valencia, etc.) should be secondary (non-authoritative)
for Madrid zones. Of course, the same architecture would be applied for all
other cities: two local primary servers and 4x2 remote secondary
servers.

As an example for Madrid domain zones only:
- MADRID DNS 1 --> primary for (madrid.*.corp.com)
- MADRID DNS 2 --> primary for (madrid.*.corp.com)
- VALENCIA DNS 1 --> secondary of (madrid.*.corp.com)
- VALENCIA DNS 2 --> secondary of (madrid.*.corp.com)
- BARCELONA DNS 1 --> secondary of (madrid.*.corp.com)
- BARCELONA DNS 2 --> secondary of (madrid.*.corp.com)
- BILBAO DNS 1 --> secondary of (madrid.*.corp.com)
- BILBAO DNS 2 --> secondary of (madrid.*.corp.com)
- SEVILLA DNS 1 --> secondary of (madrid.*.corp.com)
- SEVILLA DNS 2 --> secondary of (madrid.*.corp.com)

To centralize management I also thought I would add another server, primary
for all zones, hidden and behind a firewall, to be a master of everything,
a safe repository of data and the source of all changes to sync into all other
servers. (This would be VitalQIP + Oracle management.)

It looks like a little overkill but:
- I do not want to use cache servers because cache misses take too long to
get resolved.
- I need centralized Oracle-based management.
- I need local resolution and redundancy (I even need load balancers for
the quickest response time and highest availability).
- Second and third domain levels would be hard to adjust to my needs for
simpler DNS.

Does this architecture look fine or is it just a nerd mess? Aren't there too
many primary servers? Would it make any difference if I set them all to
secondary except the centralized one?

Please, I need your advice (no funds for buying a book, but I am willing to
read any online doc you could point me to).

Many thanks.

Jose Angel Martinez
CCIE 9230

--


This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail
in error), please notify the sender immediately and destroy this
e-mail. Any unauthorised copying, disclosure or distribution of the
material in this e-mail is strictly forbidden by current legislation.
The points of view expressed in this e-mail are solely those of the
author and may not necessarily be from, or supported by, the company.
Telefonica Moviles S.A. neither assumes obligations nor accepts
liability for the content of this e-mail, unless that information is
subsequently confirmed by writing by a duly authorised representative.
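The design question at the end of the post (everything secondary except the centralized server) is the standard BIND hidden-master layout, and it is worth seeing concretely: the firewalled master is the only `type master` for every zone, it is never listed in NS records, and each of the ten site servers is a slave for all 25 zones, so every office answers from local authoritative data without recursion. Note that a slave (secondary) is fully authoritative for the zones it holds, which is what gives the local-resolution property the post wants. The generator below is an added example written for this thread, not code from the original post or from BIND; the addresses, the TSIG key name and secret, and the three group names other than finance and sales are constructed assumptions. The security-relevant settings are the ones a practitioner would check first: zone transfers on the master are restricted to a TSIG key, slaves refuse transfers outright, and dynamic updates are disabled unless the management system needs them.

```python
"""Generate BIND 9 named.conf stanzas for a hidden-master design with
authoritative slaves at every site.

Added example for the bind-users thread above; not from the original post.
Every address, the key name/secret, and the group names other than
"finance" and "sales" are constructed assumptions.
"""

# Only finance and sales are named in the post; the rest are placeholders.
GROUPS = ["finance", "sales", "group3", "group4", "group5"]
SITES = ["madrid", "barcelona", "valencia", "bilbao", "sevilla"]
HIDDEN_MASTER = "10.0.0.10"                # assumed address of the firewalled master
KEY_NAME = "xfer-key"                      # assumed TSIG key name
KEY_SECRET = "REPLACE_WITH_BASE64_SECRET"  # generate with tsig-keygen or dnssec-keygen -a HMAC-SHA256 -n HOST
# Two public servers per site; addresses are constructed for the example.
PUBLIC = {site: [f"10.{n}.0.53", f"10.{n}.0.54"] for n, site in enumerate(SITES, start=1)}


def zones():
    """Every site-within-group zone, e.g. madrid.finance.corp.com (5 x 5 = 25)."""
    return [f"{site}.{group}.corp.com" for group in GROUPS for site in SITES]


def public_addrs():
    """All ten site servers, the only hosts allowed to pull zones from the master."""
    return [ip for site in SITES for ip in PUBLIC[site]]


def key_stanza():
    """Shared TSIG key; the same stanza goes on the master and on every slave."""
    return (f'key "{KEY_NAME}" {{\n'
            f"    algorithm hmac-sha256;  # BIND 9.4 or later; older releases only offer hmac-md5\n"
            f'    secret "{KEY_SECRET}";\n'
            f"}};\n")


def hidden_master_conf():
    """Stanzas for the firewalled master: sole authoritative source, never in
    NS records, transfers only to the ten site servers and only under TSIG."""
    targets = " ".join(f"{ip};" for ip in public_addrs())
    out = [key_stanza()]
    for z in zones():
        out.append(
            f'zone "{z}" {{\n'
            f"    type master;\n"
            f'    file "master/{z}.db";\n'
            f"    allow-transfer {{ key {KEY_NAME}; }};  # TSIG-signed AXFR/IXFR only\n"
            f"    allow-update {{ none; }};             # use a key here instead if the management system pushes dynamic updates\n"
            f"    notify explicit;                      # NS records name the site servers, not this host\n"
            f"    also-notify {{ {targets} }};\n"
            f"}};\n")
    return "\n".join(out)


def public_server_conf(site):
    """Stanzas for one site server: slave of every zone, so all corp.com
    queries are answered locally and authoritatively."""
    out = [f"// {site} site server\n", key_stanza()]
    for z in zones():
        out.append(
            f'zone "{z}" {{\n'
            f"    type slave;\n"
            f'    file "slave/{z}.db";\n'
            f"    masters {{ {HIDDEN_MASTER} key {KEY_NAME}; }};\n"
            f"    allow-transfer {{ none; }};  # nobody pulls zones from the edge\n"
            f"    notify no;                  # the master notifies every slave itself\n"
            f"}};\n")
    return "\n".join(out)


def role_counts(conf):
    """(master stanzas, slave stanzas) in a generated config."""
    return conf.count("type master;"), conf.count("type slave;")


def check_design():
    """Sanity check: exactly one master per zone (the hidden one), every site
    server a slave for all zones, and no site server allows transfers out."""
    masters, slaves = role_counts(hidden_master_conf())
    ok = masters == len(zones()) and slaves == 0
    for site in SITES:
        conf = public_server_conf(site)
        m, s = role_counts(conf)
        ok = ok and m == 0 and s == len(zones())
        ok = ok and "allow-transfer { none; };" in conf
    return ok


if __name__ == "__main__":
    print(hidden_master_conf())
    print(public_server_conf("madrid"))
    print("design check:", "ok" if check_design() else "FAILED")
```

Run it and paste the output into the respective named.conf files, then confirm transfers work end to end with `dig @10.x.0.53 madrid.finance.corp.com AXFR -y hmac-sha256:xfer-key:<secret>` against the master (should succeed) and without the key against a site server (should be refused). With `notify explicit` plus `also-notify`, a change saved on the hidden master reaches all ten servers on the next NOTIFY rather than waiting for the SOA refresh timer, which is what makes the centralized-master layout usable for day-to-day changes.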