[dns-operations] Multi-master setups

Richard Lamb richard.lamb at icann.org
Tue May 21 02:57:44 UTC 2013


Sounds like a good idea.

...and IMHO I agree some sort of reliable verification or "stop serving the zone" test needs to be implemented to substitute for SOA expiration so that the second "master" doesn't keep serving expired signatures should its link completely fail ;-)

-Rick


-----Original Message-----
From: dns-operations-bounces at mail.dns-oarc.net [mailto:dns-operations-bounces at mail.dns-oarc.net] On Behalf Of Carlos M. martinez
Sent: Monday, May 20, 2013 9:52 AM
To: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Multi-master setups

rsync sounds like a fine solution; the problem, IMO, is what happens when something goes wrong, when a file transfer fails.

Right now I'm thinking about not rsync'ing the zone files one by one, but rsync'ing a tar file with all the zone files, so if it fails, it fails atomically (I know that this works for me, but others may prefer other failure modes).

As a crude verification mechanism I was planning on naming the tar file with the SHA-256 hash of the tar file.

cheers!

~Carlos

On 5/20/13 1:34 PM, Bob Harold wrote:
> Syncing between the two servers would seem to only help in the case 
> where the masters could only reach the first server, but your slaves 
> could only reach the second server, which seems unlikely, unless the 
> second distribution server is closer (network-wise) to the slaves.
> 
> I would continue to push for 100% allow-transfer, and set up automated 
> cron jobs to test and send email for those that are not working.
> 
> I plan to use a similar setup, but fortunately I only have about a 
> dozen masters to contact, so it will be much easier for me.
> 
> The only 'clever' alternative I can think of is to change the IP of 
> the second distribution server to take over the IP of the first server 
> if the first one fails.  It helps if each server has a second IP that 
> is separate.
> 
> --
> Bob Harold
> DNS, University of Michigan
> 
> 
> On Sat, May 18, 2013 at 8:00 AM,
> <dns-operations-request at lists.dns-oarc.net> wrote:
> 
>     Message: 1
>     Date: Fri, 17 May 2013 16:53:09 +0200
>     From: Anand Buddhdev <anandb at ripe.net>
>     To: dns-operations at mail.dns-oarc.net
>     Subject: [dns-operations] Multi-master setups
>     Message-ID: <51964455.9060904 at ripe.net>
>     Content-Type: text/plain; charset=ISO-8859-1
> 
>     Dear DNS folk,
> 
>     I'm thinking about multi-master setups to add some resiliency to our DNS
>     infrastructure.
> 
>     In our specific case we have a distribution server which slaves several
>     zones from various different parties. They also send notify messages to
>     this server. Once it transfers a zone, it sends notify messages to our
>     public-facing DNS cluster, and they all transfer the zone from it.
> 
>     Obviously, this single distribution server is a single point of failure,
>     and I'd like to get rid of it.
> 
>     The simplest solution is to add a second server to our infrastructure,
>     with an identical zone configuration, so that it is also a slave for all
>     the same zones. It would also transfer zones directly from the masters,
>     and provide AXFR/IXFR to our cluster.
> 
>     Adding a second distribution server has management overhead though. We
>     have several hundred masters, and even after contacting all of them, we
>     will never have a 100% clean setup where the master allows zone
>     transfers for both our distribution servers. So if I want to ensure that
>     both our distribution servers hold identical copies of zones, then I
>     would ideally want them to notify each other, and pull zones off each
>     other as well. Do any of you do this?
> 
>     Aside from this idea, are there any other clever ideas people have
>     implemented?
> 
>     Regards,
> 
>     Anand Buddhdev
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
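
An added example, written for this page and not code posted by Carlos or anyone else in the thread, of the "one tar named by its own SHA-256" hand-off he describes. It builds the bundle, verifies a received copy against the hash in its name, unpacks only after verification, and swaps a `current` symlink so the name server sees either the old zone set or the complete new one. The `zones-<hash>.tar` naming, the `releases/` layout and the `current` symlink are assumptions; rsync itself is not invoked, the functions sit on either side of it.

```python
"""Content-addressed zone bundles with verify-then-swap installation.

Added example (not from the thread). Assumed layout: bundles are named
"zones-<sha256>.tar", unpacked under releases/<sha256>/, and the name server
reads zone files through a "current" symlink that points at one release.
"""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

PREFIX, SUFFIX = "zones-", ".tar"


def build_bundle(zone_dir: Path, out_dir: Path) -> Path:
    """Tar every regular file in zone_dir; name the archive by its SHA-256.

    Bytes are fully written and fsync'ed under a temporary name and only then
    renamed, so a crash never leaves a short file under a valid-looking name.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(p for p in zone_dir.iterdir() if p.is_file()):
            tar.add(path, arcname=path.name)
    data = buf.getvalue()
    digest = hashlib.sha256(data).hexdigest()
    out_dir.mkdir(parents=True, exist_ok=True)
    final = out_dir / f"{PREFIX}{digest}{SUFFIX}"
    fd, tmp = tempfile.mkstemp(dir=out_dir, prefix=".part-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, final)
    return final


def expected_digest(bundle: Path):
    """The SHA-256 hex digest carried in the file name, or None if malformed."""
    name = bundle.name
    if not (name.startswith(PREFIX) and name.endswith(SUFFIX)):
        return None
    digest = name[len(PREFIX):-len(SUFFIX)]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return digest


def verify_bundle(bundle: Path) -> bool:
    """Recompute the SHA-256 of the bytes on disk and compare with the name.

    A truncated rsync, a flipped bit or a renamed file all fail here.
    """
    want = expected_digest(bundle)
    if want is None:
        return False
    h = hashlib.sha256()
    with open(bundle, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == want


def install_bundle(bundle: Path, releases: Path, current: Path) -> bool:
    """Verify, unpack into releases/<digest>/, then repoint the symlink.

    The symlink rename is the only step that changes what the server reads,
    and it is atomic; a bundle that fails verification changes nothing.
    """
    digest = expected_digest(bundle)
    if digest is None or not verify_bundle(bundle):
        return False
    releases.mkdir(parents=True, exist_ok=True)
    target = releases / digest
    staging = Path(tempfile.mkdtemp(dir=releases, prefix=".stage-"))
    try:
        with tarfile.open(bundle, "r") as tar:
            for member in tar.getmembers():
                # Only plain, top-level file names: rejects "../x", "/etc/x",
                # symlinks and devices that a crafted archive could carry.
                if (not member.isfile() or member.name in ("", ".", "..")
                        or os.path.basename(member.name) != member.name):
                    return False
                with tar.extractfile(member) as src, \
                        open(staging / member.name, "wb") as dst:
                    shutil.copyfileobj(src, dst)
        if not target.exists():      # installing the same bundle twice is a no-op
            os.replace(staging, target)
    finally:
        shutil.rmtree(staging, ignore_errors=True)
    tmp_link = current.with_name(current.name + ".tmp")
    if tmp_link.is_symlink() or tmp_link.exists():
        tmp_link.unlink()
    os.symlink(target.resolve(), tmp_link)
    os.replace(tmp_link, current)    # atomic swap: old tree or new tree, never neither
    return True
```

The hash in the name only proves the bytes arrived intact; it does not authenticate who produced them, so this check belongs behind an authenticated rsync transport (ssh) rather than replacing one.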
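
An added example, not code from Rick or the thread, of the "stop serving the zone" test he suggests in place of SOA expiry for a standby master whose link to the real master has silently died. It reads the SOA expire value and every RRSIG expiration straight out of the zone file text and computes the last moment the zone may still be served: the earlier of the SOA expire timer (counted from the last successful transfer) and the first signature expiration less a safety margin. The sample zone, the 24-hour margin and the assumption that each record line starts with an owner name are constructed for illustration; a cron job would run may_serve() and disable the zone when it returns False.

```python
"""Serving deadline for a signed zone held by a standby distribution master.

Added example (not from the thread). The zone text, the 24h margin and the
"every record starts with an owner name" simplification are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: signed zone with a 14-day SOA expire and three RRSIGs.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2013052001 ; serial
        7200       ; refresh
        3600       ; retry
        1209600    ; expire (14 days)
        3600 )     ; minimum
@   IN NS  ns1.example.com.
@   IN RRSIG SOA 8 2 3600 20130601000000 20130518000000 12345 example.com. AAAA
@   IN RRSIG NS  8 2 3600 20130527000000 20130518000000 12345 example.com. BBBB
www IN A   192.0.2.1
www IN RRSIG A 8 3 3600 20130525120000 20130518000000 12345 example.com. CCCC
"""

SAFETY_MARGIN = timedelta(hours=24)   # stop this long before the first RRSIG expires


def _records(zone_text):
    """Yield one token list per record, joining '(' ... ')' continuations."""
    buf, depth = [], 0
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]          # strip comments
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth <= 0 and buf:
            yield buf
            buf = []


def _fields(tokens):
    """Split a record into (owner, rtype, rdata), skipping optional TTL/class."""
    owner, rest = tokens[0], tokens[1:]
    while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
        rest = rest[1:]
    if not rest:
        return owner, "", []
    return owner, rest[0].upper(), rest[1:]


def _sig_time(field):
    """RRSIG time field: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if re.fullmatch(r"\d{14}", field):
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_zone(zone_text):
    """Return (SOA expire as timedelta, [(owner, covered type, expiration), ...])."""
    soa_expire, sigs = None, []
    for toks in _records(zone_text):
        if toks[0].startswith("$"):           # $ORIGIN / $TTL directives
            continue
        owner, rtype, rdata = _fields(toks)
        if rtype == "SOA" and len(rdata) >= 7:
            soa_expire = timedelta(seconds=int(rdata[5]))
        elif rtype == "RRSIG" and len(rdata) >= 8:
            sigs.append((owner, rdata[0].upper(), _sig_time(rdata[4])))
    if soa_expire is None:
        raise ValueError("zone has no SOA record")
    return soa_expire, sigs


def serving_deadline(zone_text, last_transfer):
    """Last instant the zone may be served: min(SOA expire, first RRSIG - margin).

    An unsigned zone degrades to plain SOA-expire behaviour; a signed zone is
    cut off before its first signature expires even if the SOA timer would
    still allow serving it, which is exactly the dead-link case.
    """
    soa_expire, sigs = parse_zone(zone_text)
    deadline = last_transfer + soa_expire
    if sigs:
        deadline = min(deadline, min(s[2] for s in sigs) - SAFETY_MARGIN)
    return deadline, sigs


def expired_signatures(zone_text, now):
    """(owner, covered type) of every RRSIG whose expiration is not after now."""
    _, sigs = parse_zone(zone_text)
    return [(o, t) for o, t, exp in sigs if exp <= now]


def may_serve(zone_text, last_transfer, now):
    """True only while both the SOA expire timer and every RRSIG have slack."""
    deadline, _ = serving_deadline(zone_text, last_transfer)
    return now < deadline
```

Using the zone file rather than a live query means the check works even when the standby's upstream link is down, which is the situation the test exists for; last_transfer is the time of the standby's own last successful AXFR/IXFR and has to be recorded by the transfer job.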
