Re: [Freeipa-users] separating authoritative servers from recursive servers
On 6.10.2015 14:13, Brendan Kearney wrote: > On 10/06/2015 07:42 AM, Petr Spacek wrote: >> On 6.10.2015 03:40, Brendan Kearney wrote: >>> i have two bind instances in somewhat of a multi-master server arrangement, >>> where they share the same ldap backend via bind-dyndb-ldap. currently, they >>> are authoritative and recursive servers, and i want to change things up a >>> bit. i want to move the recursive function to a third device. for this, i >>> believe i need to set a forwarder for the two current servers. i believe i >>> would do this by adding the idnsForwarders object (with value) on the OU >>> that >>> is the idnsConfigObject. >>> >>> i am looking for a sanity check, to ensure that i am not overlooking >>> something >>> important. are there any steps i am missing? i want the current two >>> instances to be authoritative for all my forward and reverse zones, and use >>> the forwarder for all recursion. the forwarder instance is already running, >>> and is setup to answer queries from only the two current instances. i >>> think i >>> just need to point the current instances to the forwarder instance, and turn >>> off recursion on them. >> Hmm, I think that there is some confusion about terms we use. >> >> Pure authoritative server would give out answers only for zones it is >> authoritative for (i.e. zones defined in /etc/named.conf or LDAP) and refuse >> to answer all other queries. Is that what are you looking for? >> >> In contrast, a recursive server would answer query for any zone. If you >> really >> want to separate authoritative and recursive roles, then you should: >> >> (0. As always: Make sure that delegation for all your zones is correct.) >> 1. Set up recursive-only server. Add 'allow-recursion { IP_range; };' to >> named.conf. >> 2. Reconfigure all clients to use the recursive-only server and not to ask >> authoritative servers directly. >> 3. Reconfigure authoritative servers by adding allow-recursion { none; }; to >> named.conf. >> >> No changes in LDAP should be necessary. >> >> Does it answer your question? >> > i want to have separation of duties in my dns infrastructure. the intention > is to have clients point to the current instances of dns for all records. > behind the scenes, i want to have those current instances be authoritative for > my internal zones, and for queries that they are not authoritative for, they > reach out to the third server/instance for recursive queries. the third > server/instance for recursive queries should not be contacted by clients. the > end result is a hierarchy of roles for the dns instances. > > from the bind docs: > The forwarding facility can be used to create a large site-wide cache on a few > servers, reducing traffic over links to external name servers. It can also be > used to allow queries by servers that do not have direct access to the > Internet, but wish to look up exterior names anyway. Forwarding occurs only on > those queries for which the server is not authoritative and does not have the > answer in its cache. > > I plan to remove external access for the two current dns instances and force > them to use the instance set as the forwarder for all external or recursive > lookups. it seems that the idnsForwarders attribute is where i start working > on this. Okay, now I can see what you are trying to achieve. Please note that your 'authoritative' servers will be at the same time used as recursive - the fact that they forward the query to another server does not change anything important because there will be only one shared cache in the 'authoritative' DNS servers. In other words, you are not getting anything separation-wise. Bug in recursive part will crash your authoritative server. Cache poisoning will be a thread to your authoritative servers, too. If you insist on this setup, you can either configure forwarders {} and forward-policy {} options in named.conf on each server or globally configure it using idnsForwarder and idnsForwardPolicy attributes in idnsConfig object. I hope this helps. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] separating authoritative servers from recursive servers
On 10/06/2015 07:42 AM, Petr Spacek wrote: On 6.10.2015 03:40, Brendan Kearney wrote: i have two bind instances in somewhat of a multi-master server arrangement, where they share the same ldap backend via bind-dyndb-ldap. currently, they are authoritative and recursive servers, and i want to change things up a bit. i want to move the recursive function to a third device. for this, i believe i need to set a forwarder for the two current servers. i believe i would do this by adding the idnsForwarders object (with value) on the OU that is the idnsConfigObject. i am looking for a sanity check, to ensure that i am not overlooking something important. are there any steps i am missing? i want the current two instances to be authoritative for all my forward and reverse zones, and use the forwarder for all recursion. the forwarder instance is already running, and is setup to answer queries from only the two current instances. i think i just need to point the current instances to the forwarder instance, and turn off recursion on them. Hmm, I think that there is some confusion about terms we use. Pure authoritative server would give out answers only for zones it is authoritative for (i.e. zones defined in /etc/named.conf or LDAP) and refuse to answer all other queries. Is that what are you looking for? In contrast, a recursive server would answer query for any zone. If you really want to separate authoritative and recursive roles, then you should: (0. As always: Make sure that delegation for all your zones is correct.) 1. Set up recursive-only server. Add 'allow-recursion { IP_range; };' to named.conf. 2. Reconfigure all clients to use the recursive-only server and not to ask authoritative servers directly. 3. Reconfigure authoritative servers by adding allow-recursion { none; }; to named.conf. No changes in LDAP should be necessary. Does it answer your question? i want to have separation of duties in my dns infrastructure. the intention is to have clients point to the current instances of dns for all records. behind the scenes, i want to have those current instances be authoritative for my internal zones, and for queries that they are not authoritative for, they reach out to the third server/instance for recursive queries. the third server/instance for recursive queries should not be contacted by clients. the end result is a hierarchy of roles for the dns instances. from the bind docs: The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache. I plan to remove external access for the two current dns instances and force them to use the instance set as the forwarder for all external or recursive lookups. it seems that the idnsForwarders attribute is where i start working on this. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] separating authoritative servers from recursive servers
On 6.10.2015 03:40, Brendan Kearney wrote: > i have two bind instances in somewhat of a multi-master server arrangement, > where they share the same ldap backend via bind-dyndb-ldap. currently, they > are authoritative and recursive servers, and i want to change things up a > bit. i want to move the recursive function to a third device. for this, i > believe i need to set a forwarder for the two current servers. i believe i > would do this by adding the idnsForwarders object (with value) on the OU that > is the idnsConfigObject. > > i am looking for a sanity check, to ensure that i am not overlooking something > important. are there any steps i am missing? i want the current two > instances to be authoritative for all my forward and reverse zones, and use > the forwarder for all recursion. the forwarder instance is already running, > and is setup to answer queries from only the two current instances. i think i > just need to point the current instances to the forwarder instance, and turn > off recursion on them. Hmm, I think that there is some confusion about terms we use. Pure authoritative server would give out answers only for zones it is authoritative for (i.e. zones defined in /etc/named.conf or LDAP) and refuse to answer all other queries. Is that what are you looking for? In contrast, a recursive server would answer query for any zone. If you really want to separate authoritative and recursive roles, then you should: (0. As always: Make sure that delegation for all your zones is correct.) 1. Set up recursive-only server. Add 'allow-recursion { IP_range; };' to named.conf. 2. Reconfigure all clients to use the recursive-only server and not to ask authoritative servers directly. 3. Reconfigure authoritative servers by adding allow-recursion { none; }; to named.conf. No changes in LDAP should be necessary. Does it answer your question? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] separating authoritative servers from recursive servers
i have two bind instances in somewhat of a multi-master server arrangement, where they share the same ldap backend via bind-dyndb-ldap. currently, they are authoritative and recursive servers, and i want to change things up a bit. i want to move the recursive function to a third device. for this, i believe i need to set a forwarder for the two current servers. i believe i would do this by adding the idnsForwarders object (with value) on the OU that is the idnsConfigObject. i am looking for a sanity check, to ensure that i am not overlooking something important. are there any steps i am missing? i want the current two instances to be authoritative for all my forward and reverse zones, and use the forwarder for all recursion. the forwarder instance is already running, and is setup to answer queries from only the two current instances. i think i just need to point the current instances to the forwarder instance, and turn off recursion on them. thanks in advance, brendan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project