Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread Chris Buxton
On Jan 16, 2016, at 9:33 PM, David Li  wrote:
> 
> Hi,
> 
> I am new to BIND. I am researching for a DNS server that can meet a
> list of requirements to be used in  a distributed system. They are:
> 
> 1. Security (DNSSEC)
> 2. High Availability (HA)
> 3. Service Discovery (DNS-SD)


Hello David,

I think you’ll find 1 and 3 are easy to find. For 2, it depends on what you 
mean. Tony Finch has already given you several excellent options covering most 
of the use cases.

The one thing that is most difficult is HA for the primary master name server, 
which is the target for dynamic updates and is therefore fairly important; even 
a few minutes of downtime of this server might cause outages for DHCP service, 
for example. There are several commercial offerings that include this sort of 
HA. I work for one of these vendors, BlueCat.

Regards,
Chris Buxton
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread Darcy Kevin (FCA)
ear. I gather that there's not a lot of "special" DNS-server 
requirements for that -- standard record types like PTR, SRV and TXT are used. 
Again, like DNSSEC, the devil is in the details, though: do you expect your 
Apple stuff to be able to update Bonjour resources directly? If so, then you 
need a way to secure those Dynamic Updates. I can't really speak to this, 
having not had much exposure to Bonjour, and I don't think BIND has any special 
accommodations in this regard. Maybe some other DNS packages do (?)

A requirement you *didn't* mention, however, and probably *should*, is: what 
are the mechanisms and tools for maintaining the DNS data and configurations in 
the environment? BIND is an open-source package, but it doesn't really provide 
its own GUI, or console, for instance, for managing DNS data and 
configurations. Were you thinking you'd just manually edit zone files and 
named.conf? That can get old real fast. A lot of commercial products are built 
on BIND (e.g. Infoblox and Blue Cat, to name a couple), and BIND can be 
front-ended with open source tools too (Webmin has been mentioned, although 
I've never used it personally) and these tools provide such functionality. I 
think you'll find that, while the initial implementation of a DNS environment 
can be rather manpower-intensive, in the long term, the care and feeding of a 
DNS environment will take a lot more of your time, unless you have powerful 
tools to help manage it. So, you should be looking not only at the core DNS 
package to use on your network, but also at the management layer you're going to 
use with that core, since different combinations of core-software and 
management layer work better or worse with each other.

Lastly, another thing you didn't mention is integration between DNS and DHCP. 
Don't your clients use DHCP, and don't you want records populated automatically 
in DNS when they get a lease, and removed when the lease is gone? I suppose 
it's _possible_ that you don't use DHCP, or you don't care about having your 
client names automatically populate DNS, but this would be rather atypical. 
It's worth noting, I think, that the prevailing DHCP server software comes from 
the same organization (ISC) as maintains BIND, so these pieces work well 
together (which is not to suggest that ISC's DHCP server *can't* work with, 
say, PowerDNS and so forth, but just that there are more examples and 
"mindshare" out there for getting the ISC stuff to work together). Some of the 
aforementioned commercial products, e.g. Infoblox, provide both DNS and DHCP 
services, among others, and DNS and DHCP can be very tightly integrated with 
each other, within those products.


- Kevin

P.S. Re-reading my message, I realize it may sound like a bit of an 
advertisement for a commercial DDI (DNS, DHCP and IPAM) solution, e.g. 
Infoblox. But, having made the transition from a fairly "classic" BIND 
installation, with a significant amount of custom programming wrapped around 
it, to a commercial-DDI solution, with the remaining custom programming just a 
front-end to it, I can attest to the manageability and integration benefits. 
It's especially useful if one wants to run more advanced features like DNSSEC, 
Anycast, reputation-based blacklisting of C&C sites, DoS mitigation strategies, 
meaningful mining of query stats, integration with Active Directory's "sites 
and subnets" mechanism, etc. I shudder to think how much time and effort would 
be involved in creating those things from scratch, and/or cobbling together 
open source tools to make all of that work.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of David Li
Sent: Sunday, January 17, 2016 12:34 AM
To: bind-users@lists.isc.org
Subject: Newbie's BIND Questions on DNSSEC, HA and SD

Hi,

I am new to BIND. I am researching for a DNS server that can meet a list of 
requirements to be used in  a distributed system. They are:

1. Security (DNSSEC)
2. High Availability (HA)
3. Service Discovery (DNS-SD)

So I think BIND might be my best choice so far. Others I have looked at include 
dnsmasq, unbound, PowerDNS etc.

Because I don't have real experience with BIND yet and our architecture hasn't 
been finalized, I am asking the community experts for validations on my 
conclusion.

Another question I haven't quite figured out is the HA architecture.
Is it possible to set up a cluster of BIND servers (> 2) for each VLAN subnet 
with one of them as master the rest as slaves?

Thanks!

David

Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread David Li
Hi Tony/Chris,

Thanks for the suggestion and pointers.

At this stage, my network design is still very fluid. However, the
basic architecture constraints call for at least three racks of
servers. Each is served by a TOR switch. One of the servers in each
rack is dedicated to DHCP/DNS services so there will be three of them
at least.

Each rack potentially is a subnet or VLAN by itself.  Every other
server in each rack should be able to reach any other servers in the
whole cluster. All names and addresses are internal private ones.

Questions are:

1. Does it make sense to have one DNS zone for the cluster?
2. Does it make sense to have one master authoritative DNS server and
two other slaves to cover the cluster and meet the HA requirement?

Thanks.

David

On Tue, Jan 19, 2016 at 10:14 AM, Chris Buxton  wrote:
> On Jan 16, 2016, at 9:33 PM, David Li  wrote:
>>
>> Hi,
>>
>> I am new to BIND. I am researching for a DNS server that can meet a
>> list of requirements to be used in  a distributed system. They are:
>>
>> 1. Security (DNSSEC)
>> 2. High Availability (HA)
>> 3. Service Discovery (DNS-SD)
>
>
> Hello David,
>
> I think you’ll find 1 and 3 are easy to find. For 2, it depends on what you 
> mean. Tony Finch has already given you several excellent options covering 
> most of the use cases.
>
> The one thing that is most difficult is HA for the primary master name 
> server, which is the target for dynamic updates and is therefore fairly 
> important; even a few minutes of downtime of this server might cause outages 
> for DHCP service, for example. There are several commercial offerings that 
> include this sort of HA. I work for one of these vendors, BlueCat.
>
> Regards,
> Chris Buxton

Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-18 Thread Tony Finch
David Li  wrote:
>
> Another question I haven't quite figured out is the HA architecture.
> Is it possible to set up a cluster of BIND servers (> 2) for each VLAN
> subnet with one of them as master the rest as slaves?

Are these recursive or authoritative servers?

For recursive servers you only need a few per site. (Per VLAN would be
overkill unless your VLANs are very busy) The standard HA technique
is to use anycast - see for example
http://www.bortzmeyer.org/files/afrinic-dns-anycast.pdf
https://strobe.uwaterloo.ca/watitis/resources/2009/AnyCast%20DNS/AnyDNS.ppt

Where I work our core server network spans multiple sites at layer 2, so
I'm using keepalived which makes the coupling between the DNS servers and
the network a lot simpler.

For authoritative DNS HA, make your recursive servers authoritative for
your local zones, so your recursive servers still work when the rest of
your DNS is broken. Get third-party off-site secondary DNS service.
There's not much need to get more complicated than that.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Viking, North Utsire, South Utsire, Forties: Cyclonic becoming northerly 4 or
5, occasionally 6 in South Utsire and Forties. Slight or moderate, becoming
moderate. Wintry showers. Good, occasionally poor.
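The one-primary, two-secondary layout David asks about, combined with the secured dynamic updates Kevin raises and Tony's advice to make the per-rack recursive servers authoritative for the local zone, as an added example that is not from any poster on this thread or from ISC. The zone name cluster.internal, the 10.0.x.53 addresses, the key names and the /16 are assumptions; the secrets are placeholders.

```conf
// Added example, not from the thread: BIND 9 named.conf fragments for the
// three-rack layout. Zone name, addresses and key names are constructed;
// secrets are placeholders (generate real ones with tsig-keygen).

// ---- primary in rack 1 (10.0.1.53): the only target for dynamic updates ----
// If this host is down the secondaries keep answering from their copy until
// the SOA expire timer runs out, but DHCP-driven updates fail meanwhile.
key "xfer-key" {                       // shared with the two secondaries
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET=";
};
key "dhcp-key" {                       // separate key for the DHCP server
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET=";
};
server 10.0.2.53 { keys { "xfer-key"; }; };   // sign NOTIFY sent to secondaries
server 10.0.3.53 { keys { "xfer-key"; }; };

zone "cluster.internal" {
    type master;
    file "dynamic/cluster.internal.db";
    allow-transfer { key "xfer-key"; };       // AXFR only with a valid TSIG
    also-notify { 10.0.2.53; 10.0.3.53; };
    // Dynamic updates must be signed with dhcp-key and may only touch
    // A, TXT and DHCID records in the zone (no SOA/NS/MX tampering).
    update-policy {
        grant dhcp-key subdomain cluster.internal. A TXT DHCID;
    };
};

// ---- secondary in rack 2 (10.0.2.53): also that rack's recursive resolver ----
// The resolver is authoritative for the local zone, so local names still
// resolve when the primary or upstream DNS is unreachable.
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET="; };
server 10.0.1.53 { keys { "xfer-key"; }; };   // sign the AXFR/IXFR request

options {
    recursion yes;
    allow-recursion { 10.0.0.0/16; };  // cluster subnets only, never an open resolver
    dnssec-validation auto;            // validate answers for external names
};

zone "cluster.internal" {
    type slave;
    file "slave/cluster.internal.db";
    masters { 10.0.1.53; };
    allow-transfer { none; };          // secondaries do not re-serve AXFR
};
```

Rack 3 gets the same secondary fragment with its own address; a secondary that cannot reach the primary still serves the zone until the SOA expire interval elapses, which is the HA window this design actually buys.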


Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-16 Thread David Li
Hi,

I am new to BIND. I am researching for a DNS server that can meet a
list of requirements to be used in  a distributed system. They are:

1. Security (DNSSEC)
2. High Availability (HA)
3. Service Discovery (DNS-SD)

So I think BIND might be my best choice so far. Others I have looked
at include dnsmasq, unbound, PowerDNS etc.

Because I don't have real experience with BIND yet and our
architecture hasn't been finalized, I am asking the community experts
for validations on my conclusion.

Another question I haven't quite figured out is the HA architecture.
Is it possible to set up a cluster of BIND servers (> 2) for each VLAN
subnet with one of them as master the rest as slaves?

Thanks!

David