Newbie's BIND Questions on DNSSEC, HA and SD
Tony Finch
dot at dotat.at
Mon Jan 18 10:26:14 UTC 2016
David Li <dlipubkey at gmail.com> wrote:
>
> Another question I haven't quite figured out is the HA architecture.
> Is it possible to set up a cluster of BIND servers (> 2) for each VLAN
> subnet with one of them as master the rest as slaves?
Are these recursive or authoritative servers?
For recursive servers you only need a few per site. (Per VLAN would be
overkill unless your VLANs are very busy) The standard HA technique
is to use anycast - see for example
http://www.bortzmeyer.org/files/afrinic-dns-anycast.pdf
https://strobe.uwaterloo.ca/watitis/resources/2009/AnyCast%20DNS/AnyDNS.ppt
Where I work our core server network spans multiple sites at layer 2, so
I'm using keepalived which makes the coupling between the DNS servers and
the network a lot simpler.
For authoritative DNA HA, make your recursive servers authoritative for
your local zones, so your recursive servers still work when the rest of
your DNS is broken. Get third-party off-site secondary DNS service.
There's not much need to get more complicated than that.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire, South Utsire, Forties: Cyclonic becoming northerly 4 or
5, occasionally 6 in South Utsire and Forties. Slight or moderate, becoming
moderate. Wintry showers. Good, occasionally poor.
More information about the bind-users
mailing list