Slaving from DNS masters behind LVS

Chris Buxton clists at buxtonfamily.us
Wed Feb 13 17:54:13 UTC 2013


On Feb 12, 2013, at 7:00 PM, Nick Urbanik wrote:
> We have a pair of DNS servers running BIND behind a direct routing LVS
> director pair running keepalived.  Let's call these two DNS servers A
> and B, and the VIP V.
> 
> They slave from a hidden master; let's call it M.
> 
> I want to allow another machine S to slave from A and B, the pair of
> DNS servers that are behind LVS.
> 
> Another machine F will forward to the DNS servers behind the load
> balancer, A and B.
> 
> [There is another similar setup at another location, so there will
> be a V1 and V2, A1, A2, B1, B2; all of A1, A2, B1, B2 slave from M.]
> 
> 1. Should the machine in the SOA be V, or A or B?
> 2. Should the NS records for the zones be A, B and V, or just V?
> 3. Should S slave from A and B, or should it slave from V?
> 4. Should F forward to V, or to both A and B?

Generally speaking, if you're going to use a load balancer, use it. Don't go around it. I assume your VIP will actually float between two load balancers, for redundancy.

Why is forwarding involved? Forwarding is a recursive server behavior, but your other questions relate to authoritative service. Mixing the two, especially in a high-traffic environment, is a recipe for disaster. (Not that I haven't implemented that for even very large customers -- the customer is always right unless you can convince them otherwise. Use of multiple views, with match-recursive-only enabled in one of them, can somewhat alleviate the problem.)

1. Your choice. Mine would be M. My second choice would be either V1 or V2, if there was some need to truly conceal the identity of M.
2. V1 and V2.
3. V1 and V2.
4. V1 and V2.

But as others have pointed out, unless you're getting huge numbers of queries, I wouldn't bother with load balancers for authoritative service. I would only start looking for this type of solution if 6 individual name servers were insufficient to handle the load. And in that case, my first choice would be anycast, because that also gives you geographic redundancy, routing redundancy, etc. That's how the root server clusters are set up, for the most part.

For recursive service, where clients can't be relied upon to effectively use any server beyond the first one they query, load balancers make good sense. But in that case, you (ideally) shouldn't have any zones configured on the name servers other than (possibly) RPZs, stub zones, and (if you really must) conditional forwarding zones.

Chris Buxton
BlueCat Networks
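The views arrangement the reply mentions (one view with match-recursive-only enabled, so recursive and authoritative service are kept apart on the same BIND instance) looks roughly like this. This is an added named.conf example, not configuration from the original thread or from the poster's servers; the zone name, the view names and the addresses (10/8 for internal clients, 192.0.2.10 for the hidden master M, 203.0.113.20 for the external secondary S, all RFC 5737/1918 documentation ranges) are assumptions.

```conf
options {
    directory "/var/named";
    // Default to no transfers; the zone below opens it only for S.
    allow-transfer { none; };
};

acl internal      { 10.0.0.0/8; };      // assumed internal client range
acl hidden-master { 192.0.2.10; };      // M (assumed documentation address)
acl secondary-s   { 203.0.113.20; };    // S (assumed documentation address)

// View 1: recursive service for internal clients only.
// match-recursive-only makes this view match only queries with RD=1, and
// match-clients restricts it to internal addresses, so an external RD=1
// query falls through to the authoritative view below. As the reply
// recommends, this view carries no authoritative zones; an RPZ, stub or
// forward zone could be added here if really needed.
view "internal-recursive" {
    match-clients { internal; };
    match-recursive-only yes;
    recursion yes;
    allow-query-cache { internal; };
};

// View 2: authoritative service for everyone else. Recursion is off, so the
// public face of A and B (reached through V) never answers recursive queries.
view "authoritative" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    // Slaved from the hidden master M; S is allowed to transfer it in turn,
    // which it does by querying V (the load balancer picks A or B).
    zone "example.com" {
        type slave;
        file "slaves/example.com.db";
        masters { 192.0.2.10; };            // M
        allow-notify { hidden-master; };
        allow-transfer { secondary-s; };    // S
    };
};
```

View order matters: BIND uses the first view whose match-clients and match-recursive-only conditions both hold, so the recursive view must come first. Run named-checkconf against the file before loading it; with direct-routing LVS the real servers also need to be listening on V's address, which this fragment does not configure.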

