Tuning for lots of SERVFAIL responses

John Miller johnmill at brandeis.edu
Fri Feb 19 01:54:35 UTC 2016


On Thu, Feb 18, 2016 at 5:06 PM, Mark Andrews <marka at isc.org> wrote:
> For some reason people are afraid to slave internal zones.  Back
> when I was working for CSIRO I used to slave all the internal zones
> for all of the sites the division had.  Each site administered its
> own zones but all sites slaved all of them.  That way local and
> inter site lookups always succeeded even when the external links
> were down.

It wasn't so much a fear thing for us as a configuration thing: we
previously were using a pair of nameservers for everything under the
sun.  Not being sure if we would do BIND for recursive DNS (or
authoritative, for that matter), it was far easier to migrate things
piecemeal.  Using stub zones on the resolvers makes configuration far
simpler as well.  We're also in an interesting place where our
internal zones aren't _really_ internal: everything for the most part
has a .brandeis.edu FQDN, and the world sees largely the same set of
records that we do locally.  We have to keep everything synced up
somehow.

Is slaving internal zones like this feasible with other DNS products
(NSD, PowerDNS)?  Both of those run different binaries for their
authoritative and recursive functions, so this seems like a
BIND-specific (or BIND9, at least) way of doing things.

We'll definitely be increasing recursive-clients (likely to something
~10k).  I'd imagine that we'll also start slaving our own zones
again--we just need to figure out the config management piece of
things.  Shouldn't take more than a day or two, though.  Thanks for
the advice, Mark.

John
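
Added example (not part of John Miller's message or of the thread): a named.conf fragment for a BIND 9 recursive resolver that contrasts the stub-zone setup with the slaved-zone setup discussed above, together with the raised recursive-clients limit. The zone name, server addresses and file paths are placeholders, and the syntax is the 2016-era `slave`/`masters` form.

```conf
// Constructed example; every name, address and path below is a placeholder.

options {
    recursion yes;
    // Cap on simultaneous recursive lookups; the BIND 9 default is 1000.
    recursive-clients 10000;
};

// Variant A: stub zone (shown commented out, since a zone may be defined once).
// The resolver keeps only the zone's NS records and glue, so every uncached
// name still needs a query to the listed servers. If they are unreachable,
// clients get SERVFAIL.
//
// zone "internal.example.edu" {
//     type stub;
//     masters { 192.0.2.10; 192.0.2.11; };
//     file "stub/internal.example.edu";
// };

// Variant B: slaved zone.
// The resolver transfers the whole zone and answers from its local copy, so
// lookups keep succeeding while the masters are unreachable, until the SOA
// expire timer runs out.
zone "internal.example.edu" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "slaves/internal.example.edu";
    // This copy exists to answer local clients; do not hand it on to others.
    allow-transfer { none; };
};
```

The masters must permit zone transfers to each resolver's address, which is the part a configuration-management system has to keep in step as zones are added.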

