Re: Newbie's BIND Questions on DNSSEC, HA and SD
On Jan 16, 2016, at 9:33 PM, David Li wrote:
>
> Hi,
>
> I am new to BIND. I am researching for a DNS server that can meet a
> list of requirements to be used in a distributed system. They are:
>
> 1. Security (DNSSEC)
> 2. High Availability (HA)
> 3. Service Discovery (DNS-SD)

Hello David,

I think you'll find 1 and 3 are easy to find. For 2, it depends on what you mean. Tony Finch has already given you several excellent options covering most of the use cases.

The one thing that is most difficult is HA for the primary master name server, which is the target for dynamic updates and is therefore fairly important; even a few minutes of downtime of this server might cause outages for DHCP service, for example. There are several commercial offerings that include this sort of HA. I work for one of these vendors, BlueCat.

Regards,
Chris Buxton

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Newbie's BIND Questions on DNSSEC, HA and SD
ear. I gather that there's not a lot of "special" DNS-server requirements for that -- standard record types like PTR, SRV and TXT are used. Again, like DNSSEC, the devil is in the details, though: do you expect your Apple stuff to be able to update Bonjour resources directly? If so, then you need a way to secure those Dynamic Updates. I can't really speak to this, having not had much exposure to Bonjour, and I don't think BIND has any special accommodations in this regard. Maybe some other DNS packages do (?)

A requirement you *didn't* mention, however, and probably *should*, is: what are the mechanisms and tools for maintaining the DNS data and configurations in the environment? BIND is an open-source package, but it doesn't really provide its own GUI, or console, for instance, for managing DNS data and configurations. Were you thinking you'd just manually edit zone files and named.conf? That can get old real fast. A lot of commercial products are built on BIND (e.g. Infoblox and Blue Cat, to name a couple), and BIND can be front-ended with open source tools too (Webmin has been mentioned, although I've never used it personally) and these tools provide such functionality. I think you'll find that, while the initial implementation of a DNS environment can be rather manpower-intensive, in the long term, the care and feeding of a DNS environment will take a lot more of your time, unless you have powerful tools to help manage it. So, you should be looking not only at the core DNS package to use on your network, but also at the management layer you're going to use with that core, since different combinations of core-software and management layer work better or worse with each other.

Lastly, another thing you didn't mention is integration between DNS and DHCP. Don't your clients use DHCP, and don't you want records populated automatically in DNS when they get a lease, and removed when the lease is gone? I suppose it's _possible_ that you don't use DHCP, or you don't care about having your client names automatically populate DNS, but this would be rather atypical. It's worth noting, I think, that the prevailing DHCP server software comes from the same organization (ISC) as maintains BIND, so these pieces work well together (which is not to suggest that ISC's DHCP server *can't* work with, say, PowerDNS and so forth, but just that there are more examples and "mindshare" out there for getting the ISC stuff to work together). Some of the aforementioned commercial products, e.g. Infoblox, provide both DNS and DHCP services, among others, and DNS and DHCP can be very tightly integrated with each other, within those products.

- Kevin

P.S. Re-reading my message, I realize it may sound like a bit of an advertisement for a commercial DDI (DNS, DHCP and IPAM) solution, e.g. Infoblox. But, having made the transition from a fairly "classic" BIND installation, with a significant amount of custom programming wrapped around it, to a commercial-DDI solution, with the remaining custom programming just a front-end to it, I can attest to the manageability and integration benefits. It's especially useful if one wants to run more advanced features like DNSSEC, Anycast, reputation-based blacklisting of C sites, DoS mitigation strategies, meaningful mining of query stats, integration with Active Directory's "sites and subnets" mechanism, etc. I shudder to think how much time and effort would be involved in creating those things from scratch, and/or cobbling together open source tools to make all of that work.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of David Li
Sent: Sunday, January 17, 2016 12:34 AM
To: bind-users@lists.isc.org
Subject: Newbie's BIND Questions on DNSSEC, HA and SD

Hi,

I am new to BIND. I am researching for a DNS server that can meet a list of requirements to be used in a distributed system. They are:

1. Security (DNSSEC)
2. High Availability (HA)
3. Service Discovery (DNS-SD)

So I think BIND might be my best choice so far. Others I have looked at include dnsmasq, unbound, PowerDNS etc. Because I don't have real experience with BIND yet and our architecture hasn't been finalized, I am asking the community experts for validations on my conclusion.

Another question I haven't quite figured out is the HA architecture. Is it possible to set up a cluster of BIND servers (> 2) for each VLAN subnet with one of them as master the rest as slaves?

Thanks!
David
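Kevin's point that Bonjour-style registrations need "a way to secure those Dynamic Updates" is, in BIND, normally handled by TSIG: the updater signs each UPDATE with a shared HMAC key and the primary rejects anything unsigned, mis-signed or stale, and an `update-policy` then decides which names that key may touch. The following is an added example written for this page, not code from the thread, from BIND or from any of the products mentioned. It builds a DNS-SD style UPDATE (PTR, SRV and TXT for one service instance), signs it with an hmac-sha256 TSIG key as RFC 8945 specifies, and verifies it the way a primary would. The zone `cluster.example.internal.`, the instance and target names, the key name `dhcp-updater.example.internal.` and the secret are all constructed for the example; names in the messages are built without compression.

```python
# Added example (not from the thread, not BIND's code): TSIG (RFC 8945) signing and
# verification of a DNS UPDATE carrying a DNS-SD registration. Zone, instance and
# key names and the secret are constructed for the example.
import hashlib
import hmac
import struct
import time

TYPE_SOA, TYPE_PTR, TYPE_TXT, TYPE_SRV, TYPE_TSIG = 6, 12, 16, 33, 250
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, off):
    """Decode an uncompressed name (TSIG RDATA may not use compression); returns (name, off)."""
    labels = []
    while buf[off]:
        if buf[off] & 0xC0:
            raise ValueError("compressed name where none is allowed")
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels).lower() + ".", off + 1

def skip_name(buf, off):
    """Skip a name in an earlier section, which may end in a compression pointer."""
    while buf[off] and not buf[off] & 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 else 1)

def rr(name, rtype, rdata, ttl=120, rclass=CLASS_IN):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(msg_id, zone, updates):
    """DNS UPDATE (opcode 5): one zone entry, no prerequisites, the given RRs to add."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(updates)

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3): name, class ANY, TTL 0, ..."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, algorithm="hmac-sha256", now=None, fudge=300):
    """Client side: append a TSIG RR whose MAC covers the unsigned message + TSIG variables."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, msg + tsig_variables(key_name, algorithm, now, fudge), hashlib.sha256).digest()
    rdata = (encode_name(algorithm) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error 0, other len 0
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(key_name, TYPE_TSIG, rdata, 0, CLASS_ANY)

def tsig_verify(signed, keys, now=None):
    """Server side, as a primary would before applying the update. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    _, _, zcount, prcount, upcount, adcount = struct.unpack("!HHHHHH", signed[:12])
    if adcount == 0:
        return False, "unsigned"
    off = 12
    for _ in range(zcount):                       # zone entries: NAME, TYPE, CLASS
        off = skip_name(signed, off) + 4
    for _ in range(prcount + upcount + adcount - 1):   # every RR before the TSIG
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    if struct.unpack("!HH", signed[off:off + 4]) != (TYPE_TSIG, CLASS_ANY):
        return False, "last additional RR is not a TSIG"
    algorithm, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac, off = signed[off + 10:off + 10 + mac_size], off + 10 + mac_size
    orig_id, (error, other_len) = signed[off:off + 2], struct.unpack("!HH", signed[off + 2:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if key_name not in keys or algorithm != "hmac-sha256.":
        return False, "BADKEY"
    # Reconstruct what the signer MACed: original ID, ARCOUNT without the TSIG, no TSIG RR.
    unsigned = orig_id + signed[2:10] + struct.pack("!H", adcount - 1) + signed[12:tsig_start]
    expected = hmac.new(keys[key_name], unsigned + tsig_variables(
        key_name, algorithm, time_signed, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:           # checked after the MAC, as the RFC orders it
        return False, "BADTIME"
    return True, "ok"

def demo(now=1453000000):
    """Sign one DNS-SD registration; a tampered copy and a stale replay must be rejected."""
    zone = "cluster.example.internal."
    instance = "rack1-api._http._tcp." + zone
    txt = b"path=/api/v1"
    updates = [rr("_http._tcp." + zone, TYPE_PTR, encode_name(instance)),
               rr(instance, TYPE_SRV, struct.pack("!HHH", 0, 0, 8080) + encode_name("srv1.rack1." + zone)),
               rr(instance, TYPE_TXT, bytes([len(txt)]) + txt)]
    keys = {"dhcp-updater.example.internal.": b"constructed-secret-not-for-production"}
    signed = tsig_sign(build_update(0x1234, zone, updates), "dhcp-updater.example.internal.",
                       keys["dhcp-updater.example.internal."], now=now)
    tampered = bytearray(signed)
    tampered[15] ^= 0x01                          # flip one bit inside the zone name
    return (tsig_verify(signed, keys, now=now), tsig_verify(bytes(tampered), keys, now=now),
            tsig_verify(signed, keys, now=now + 3600))

if __name__ == "__main__":
    print(demo())
```

The MAC is computed over the message exactly as it was before the TSIG RR was appended, so any change to the zone name, the SRV port or the TXT payload fails with BADSIG, and the 48-bit time plus fudge window (300 s by default in BIND) limits replay of a captured update to a few minutes. Authentication alone is not authorization: on the BIND side the key still needs an `update-policy` restricting it to the names it is allowed to change (for a DHCP server, typically the hosts it leases and the matching PTRs), otherwise a compromised updater can rewrite anything in the zone.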
Re: Newbie's BIND Questions on DNSSEC, HA and SD
Hi Tony/Chris,

Thanks for the suggestion and pointers.

At this stage, my network design is still very fluid. However, the basic architecture constraints call for at least three racks of servers. Each is served by a TOR switch. One of the servers in each rack is dedicated to DHCP/DNS services so there will be three of them at least. Each rack potentially is a subnet or VLAN by itself. Every other server in each rack should be able to reach any other servers in the whole cluster. All names and addresses are internal private ones.

Questions are:

1. Does it make sense to have one DNS zone for the cluster?
2. Does it make sense to have one master authoritative DNS server and two other slaves to cover the cluster and meet the HA requirement?

Thanks.
David

On Tue, Jan 19, 2016 at 10:14 AM, Chris Buxton wrote:
> On Jan 16, 2016, at 9:33 PM, David Li wrote:
>>
>> Hi,
>>
>> I am new to BIND. I am researching for a DNS server that can meet a
>> list of requirements to be used in a distributed system. They are:
>>
>> 1. Security (DNSSEC)
>> 2. High Availability (HA)
>> 3. Service Discovery (DNS-SD)
>
>
> Hello David,
>
> I think you'll find 1 and 3 are easy to find. For 2, it depends on what you
> mean. Tony Finch has already given you several excellent options covering
> most of the use cases.
>
> The one thing that is most difficult is HA for the primary master name
> server, which is the target for dynamic updates and is therefore fairly
> important; even a few minutes of downtime of this server might cause outages
> for DHCP service, for example. There are several commercial offerings that
> include this sort of HA. I work for one of these vendors, BlueCat.
>
> Regards,
> Chris Buxton
Re: Newbie's BIND Questions on DNSSEC, HA and SD
David Li wrote:
>
> Another question I haven't quite figured out is the HA architecture.
> Is it possible to set up a cluster of BIND servers (> 2) for each VLAN
> subnet with one of them as master the rest as slaves?

Are these recursive or authoritative servers?

For recursive servers you only need a few per site. (Per VLAN would be overkill unless your VLANs are very busy)

The standard HA technique is to use anycast - see for example

http://www.bortzmeyer.org/files/afrinic-dns-anycast.pdf
https://strobe.uwaterloo.ca/watitis/resources/2009/AnyCast%20DNS/AnyDNS.ppt

Where I work our core server network spans multiple sites at layer 2, so I'm using keepalived which makes the coupling between the DNS servers and the network a lot simpler.

For authoritative DNS HA, make your recursive servers authoritative for your local zones, so your recursive servers still work when the rest of your DNS is broken. Get third-party off-site secondary DNS service. There's not much need to get more complicated than that.

Tony.
--
f.anthony.n.finch http://dotat.at/
Viking, North Utsire, South Utsire, Forties: Cyclonic becoming northerly 4 or 5, occasionally 6 in South Utsire and Forties. Slight or moderate, becoming moderate. Wintry showers. Good, occasionally poor.
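Anycast or keepalived only gives HA if the shared address is withdrawn when the server behind it stops giving good answers; a host that still responds to ARP while named is dead, or while a secondary has let the zone expire and answers SERVFAIL, keeps attracting traffic. Tony's design (recursive servers that are also authoritative for the local zones) makes the check simple: ask the local named for the zone's SOA with RD=0 and require an authoritative NOERROR reply. The script below is an added example written for this page, not part of keepalived, BIND or the thread; it is the kind of check keepalived's `vrrp_script` can run. The zone name `cluster.example.internal.`, the listener 127.0.0.1:53 and the `constructed_response` fixture are assumptions for the example.

```python
# Added example (not from the thread, not part of keepalived or BIND): a health check for
# keepalived's vrrp_script (or an anycast route daemon) that only passes when the local
# named answers authoritatively for the local zone. Zone and listener are constructed.
import random
import socket
import struct
import sys

TYPE_SOA, CLASS_IN = 6, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_soa_query(zone, msg_id):
    """SOA query with RD=0: ask what this server holds itself, not what it could recurse to."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def check_response(query, response):
    """(healthy, reason): healthy only if the reply is ours, AA=1, NOERROR and has an answer."""
    if len(response) < 12:
        return False, "short or empty response"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0]:
        return False, "ID mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if flags & 0x0200:
        return False, "truncated"
    rcode = flags & 0x000F
    if rcode != 0:
        return False, RCODES.get(rcode, "RCODE %d" % rcode)   # e.g. SERVFAIL on an expired secondary
    if not flags & 0x0400:
        return False, "not authoritative"                     # cached/forwarded data, not the zone
    if ancount < 1:
        return False, "no SOA in answer"
    if response[12:len(query)] != query[12:]:
        return False, "question mismatch"
    return True, "authoritative SOA"

def probe(zone, server="127.0.0.1", port=53, timeout=2.0):
    """Send one UDP query to the local named and judge the reply; any socket error is a failure."""
    query = build_soa_query(zone, random.getrandbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            response, _ = sock.recvfrom(4096)
        except OSError as exc:                                # timeout, ICMP unreachable, ...
            return False, "no answer from %s:%d (%s)" % (server, port, exc)
    return check_response(query, response)

def constructed_response(query, aa=True, rcode=0, ancount=1, msg_id=None):
    """Offline fixture: a reply to `query` with the given flags. The SOA RDATA is a placeholder;
    check_response does not inspect it."""
    qid = struct.unpack("!H", query[:2])[0] if msg_id is None else msg_id
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    placeholder_soa = encode_name("cluster.example.internal.") + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, 4) + b"\0" * 4
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:] + placeholder_soa * ancount

if __name__ == "__main__":
    ok, reason = probe(sys.argv[1] if len(sys.argv) > 1 else "cluster.example.internal.")
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Wire it into keepalived with a `vrrp_script` block (`script` pointing at this file with the zone as its argument, plus `interval`, `fall` and `rise` so a single lost packet does not flap the VIP) and reference it from the instance's `track_script`. The same exit code can drive whatever announces the anycast prefix. The check deliberately refuses an answer with AA clear: a resolver that has merely cached the SOA would pass a looser test while the authoritative copy it is supposed to serve is gone.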
Newbie's BIND Questions on DNSSEC, HA and SD
Hi,

I am new to BIND. I am researching for a DNS server that can meet a list of requirements to be used in a distributed system. They are:

1. Security (DNSSEC)
2. High Availability (HA)
3. Service Discovery (DNS-SD)

So I think BIND might be my best choice so far. Others I have looked at include dnsmasq, unbound, PowerDNS etc. Because I don't have real experience with BIND yet and our architecture hasn't been finalized, I am asking the community experts for validations on my conclusion.

Another question I haven't quite figured out is the HA architecture. Is it possible to set up a cluster of BIND servers (> 2) for each VLAN subnet with one of them as master the rest as slaves?

Thanks!
David