Correct response to NS request in case of dual delegation when one delegation returns REFUSED
Marki
bind-users at lists.roth.lu
Wed May 18 07:36:26 UTC 2022
Hello,
We are currently working with a product called Superna Eyeglass which
can be used for DR purposes on Powerscale (Dell storages).
Quick background: Powerscale leverages DNS to create redundant and
load-balanced frontend access. Without going into many details,
Powerscale replies to DNS requests on a service IP (SSIP) indicating
which node of the cluster should be used for the incoming connection. To
that end, it requires you to delegate one (or more) zones to that SSIP.
Now Eyeglass (the DR product) recommends using "dual delegation" for
failover purposes (there are two distinct clusters (active/passive)
which are not necessarily in-sync at any given moment in time).
What they tell you to do is: Create a service name with two
delegations/NS records pointing to both storages' SSIPs, the one
currently not active will return REFUSED.
i.e. you have
cluster IN NS storage1
cluster IN NS storage2
Now they have "readiness" checks where they try to determine if that
dual delegation is set up correctly.
However, Bind only seems to return one of those nameservers when asked
for it. Example:
1) client asks Bind: what is NS for "cluster"?
2) Bind seems to issue requests to both "storage1" and "storage2" for
"NS cluster", one of which always returns "REFUSED"
3) Answer of Bind to client does not contain the one that was "refused".
Therefore that readiness check is not working. They claim this is normal
and that they only support Windows DNS for that check.
My conclusion is that Windows DNS is an abomination. And relying on an
inherently faulty behavior leads straight to hell.
Am I missing something? Is Bind behaving correctly?
Thanks,
Marki
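
The check described in this message can be made independent of how a recursive resolver filters its answer. The sketch below is an added example, not code from the post, from Eyeglass or from BIND: it parses raw DNS replies, reads the delegation from the parent's referral (a query sent with RD clear), and classifies each nameserver's direct reply by RCODE. The `example.com` names, the helper names and the "exactly one NOERROR, one REFUSED" readiness rule are assumptions based on the description above; the replies are constructed samples.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=0x1234):  # flags=0 keeps RD clear, so the parent sends its referral
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", 2, 1)

def read_name(msg, pos):
    labels, end, hops = [], None, 0
    while (n := msg[pos]):
        if n & 0xC0 == 0xC0:  # compression pointer: jump, remember where to resume
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            end, pos = end or pos + 2, ((n & 0x3F) << 8) | msg[pos + 1]
            continue
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", end or pos + 1

def parse_response(msg):
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    pos, targets = 12, []
    for _ in range(qd):
        pos = read_name(msg, pos)[1] + 4
    for _ in range(an + ns):  # NS records may sit in the answer or the authority section
        pos = read_name(msg, pos)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 2:
            targets.append(read_name(msg, pos + 10)[0])
        pos += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), targets

def dual_delegation_ready(referral, probes, expected):
    delegated = parse_response(referral)[1]
    states = {ns: parse_response(reply)[0] for ns, reply in probes.items()}
    return set(delegated) == set(expected) and sorted(states.values()) == ["NOERROR", "REFUSED"], states

def make_reply(name, rcode, targets=()):  # builds the constructed sample replies below
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 300, len(encode_name(t))) + encode_name(t) for t in targets)
    return struct.pack("!6H", 0x1234, 0x8000 | rcode, 1, 0, len(targets), 0) + encode_name(name) + struct.pack("!2H", 2, 1) + rrs

ZONE = "cluster.example.com"                          # constructed zone name
NS = ["storage1.example.com.", "storage2.example.com."]  # constructed SSIP host names
REFERRAL = make_reply(ZONE, 0, NS)                    # parent's referral lists both NS
PROBES = {NS[0]: make_reply(ZONE, 0), NS[1]: make_reply(ZONE, 5)}  # active, passive
print(dual_delegation_ready(REFERRAL, PROBES, NS))
```

Against live servers, `build_query` output would be sent over UDP port 53 to the parent's authoritative server and to each SSIP, and the raw replies passed in place of the constructed ones.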