This is a good reminder for everyone else on the list (not Paul) that
geographic diversity is useful. Two thoughts:

1) Follow best practices of separating authoritative and recursive DNS.
The IP addresses you hand out to your customers as "NS1" and "NS2" for
resolving things, i.e. your recursive resolvers with an ACL that allows
queries from your netblocks, should *not* also be your authoritative DNS
servers. Put your authoritative ns1, ns2 slave and ns3 slave elsewhere.

2) Have geographic diversity in the location of your ns2 and ns3
authoritative slaves for your zone files. Even on a minuscule budget it
takes a tiny amount of resources to run bind9 as authoritative-only; you
can have an ns3 that is a $5/month VM hosted in a state 1500 miles away.
Or we can all mutually swap slave nameservers. If anyone wants NS2 and NS3
slave services for free, I have a set of nameservers that are currently
averaging six nines availability over a year.

3) Consider what other things you can have off site for geographic
diversity. If you run your own mail servers, set up a second SMTP server
(mail2.domain.com) with appropriate MX records in your DNS, and host it on a
small dedicated machine or VM that is thousands of miles away from you.
Your local mail server in your core POP goes down? Mail will still arrive
and be queued in a spool if things are set up right.
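Added example (not code from the thread or from any of its posters): a small Python audit of the two things this thread tripped over, whether the parent's delegation (the NS set at the registrar/whois) matches the NS RRset the zone itself publishes, and how long a secondary that has lost its master keeps answering (SOA EXPIRE seconds after its last successful refresh). It works offline on a constructed dig answer modelled on the one quoted below; the SOA line with its 777600-second expire, the parent delegation set and the refresh timestamp are all assumptions made for the example, not data from the thread.

```python
"""Delegation and secondary-expiry audit for a zone whose primary has gone dark.

Added example, not code from the mailing-list thread or its posters. It runs
offline on constructed `dig` output shaped like the answer quoted in the thread;
in practice you would feed it `dig +norecurse SOA <zone> @<server>` output
collected from every server the parent delegates to.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's dig answer. The AUTHORITY section
# is the zone's own apex NS RRset; the SOA line is invented for this example so
# the expiry calculation has something to work on (777600 s = 9 days).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17959
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; ANSWER SECTION:
mail.afmug.com.        600    IN    A    54.210.210.89

;; AUTHORITY SECTION:
afmug.com.        10800    IN    NS    ns0.pdmnet.com.
afmug.com.        10800    IN    NS    ns.pdmnet.com.
afmug.com.        10800    IN    NS    ns1.pdmnet.com.
afmug.com.        10800    IN    SOA   ns.pdmnet.com. hostmaster.pdmnet.com. 2016100601 10800 3600 777600 600
"""

# Constructed: the NS set the parent zone / whois hands out, i.e. the three
# original servers plus the secondary that was added at the registrar only.
PARENT_DELEGATION = {"ns.pdmnet.com", "ns0.pdmnet.com", "ns1.pdmnet.com", "ns1.kywimax.com"}

# One resource record per line: owner, TTL, class IN, type, rdata. Comment
# lines begin with ';' and never have a numeric TTL in field two, so they skip.
RR_RE = re.compile(r"^(\S+)[ \t]+(\d+)[ \t]+IN[ \t]+(\S+)[ \t]+(.*\S)[ \t]*$", re.MULTILINE)
FLAGS_RE = re.compile(r"^;; flags:[ \t]*([^;]*);", re.MULTILINE)


def norm(name):
    """Canonical form for comparing DNS names: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def parse_rrs(dig_text, rtype):
    """Yield (owner, ttl, rdata) for every record of type `rtype` in dig output."""
    for owner, ttl, typ, rdata in RR_RE.findall(dig_text):
        if typ.upper() == rtype.upper():
            yield norm(owner), int(ttl), rdata


def answered_authoritatively(dig_text):
    """True if the header carried the AA flag. A delegated server that answers
    without AA is a lame delegation: referred to, but not serving the zone."""
    m = FLAGS_RE.search(dig_text)
    return bool(m) and "aa" in m.group(1).split()


def apex_ns_rrset(dig_text, zone):
    """The NS RRset the zone itself publishes at its apex."""
    return {norm(rdata) for owner, _ttl, rdata in parse_rrs(dig_text, "NS")
            if owner == norm(zone)}


def soa_timers(dig_text, zone):
    """Split the SOA rdata into named fields (RFC 1035 order)."""
    for owner, _ttl, rdata in parse_rrs(dig_text, "SOA"):
        if owner == norm(zone):
            mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
            return {"mname": norm(mname), "rname": rname, "serial": int(serial),
                    "refresh": int(refresh), "retry": int(retry),
                    "expire": int(expire), "minimum": int(minimum)}
    raise ValueError("no SOA for %s in dig output" % zone)


def audit_delegation(parent_ns, dig_text, zone):
    """Compare the parent's delegation with the child's apex NS RRset.

    Servers the parent delegates to but the zone omits are reached by referral
    yet disowned by the zone's own data; servers the zone lists but the parent
    omits are never referred to at all. Both mismatches need fixing before the
    servers that are still listed on both sides go offline."""
    parent = {norm(n) for n in parent_ns}
    child = apex_ns_rrset(dig_text, zone)
    return {
        "authoritative_answer": answered_authoritatively(dig_text),
        "delegated_not_in_zone": parent - child,
        "in_zone_not_delegated": child - parent,
        "consistent": parent == child,
    }


def secondary_expires_at(last_successful_refresh, expire_seconds):
    """A secondary that can no longer reach its master stops answering
    SOA EXPIRE seconds after its last successful refresh or transfer."""
    return last_successful_refresh + timedelta(seconds=expire_seconds)


def expiry_report(dig_text, zone, last_refresh_iso):
    """ISO-8601 timestamp at which the secondary goes silent for `zone`."""
    timers = soa_timers(dig_text, zone)
    deadline = secondary_expires_at(datetime.fromisoformat(last_refresh_iso), timers["expire"])
    return deadline.isoformat()


if __name__ == "__main__":
    report = audit_delegation(PARENT_DELEGATION, SAMPLE_DIG, "afmug.com")
    print("answered with AA:", report["authoritative_answer"])
    print("delegated but missing from zone NS RRset:", sorted(report["delegated_not_in_zone"]))
    print("in zone NS RRset but not delegated:", sorted(report["in_zone_not_delegated"]))
    # Constructed: assume the last refresh succeeded when the quoted query was made.
    print("secondary keeps answering until:", expiry_report(SAMPLE_DIG, "afmug.com", "2016-10-06T21:25:11"))
```

In practice, collect the SOA answer from every server the parent names (`dig +norecurse SOA <zone> @<server>`) and run the audit on each: a server that is delegated but answers without AA, or whose serial lags the others, is the one to fix, and the EXPIRE timer tells you how long you have before the last surviving secondary drops the zone.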
On Fri, Oct 7, 2016 at 12:39 PM, Paul McCall <pa...@pdmnet.net> wrote:

> A BIG thanks to Josh for stepping up real quickly to help keep AFMUG
> online.
>
> Gotta get that 3rd DNS server OFFSITE !  Too many things on “the list”
>
> We sustained some damage, but it could have been a LOT worse.  Got blessed
> by a last minute jog to the East keeping the Cat4 winds in the ocean where
> they belong
>
> Paul
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
> *Sent:* Friday, October 7, 2016 2:18 PM
>
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] afmug.com DNS
>
> Looks like Paul got his network back online. Lets all hope he has a speedy
> recovery.
>
> But anyway, I don't know exactly when his network/name servers went
> offline, but when I started this thread last night, I was already getting
> NXDOMAIN. And as Eric pointed out, your NS record wasn't added to the zone,
> so that explains why. Your name server was definitely answering... with
> Paul's three NS records, which were all offline, thus brokedid.
>
> I wouldn't have a problem being a secondary for the zone either. My ns1,
> ns2 and ns3 machines share an anycast address. Which would be a little
> tricky to set up. The anycast address would be the NS record, but the zone
> config on the master would need also-notify statements. I know Paul isn't
> running BIND, so not sure if that would work.
>
> But I can't imagine afmug.com being a large zone. We're a Tucows/OpenSRS
> reseller too. And I have many domains using their DNS. And it's the right
> price... free. That might be the easier solution to this problem in the
> future. Or Amazon's DNS since the list is there anyway.
>
> On 10/7/2016 6:51 AM, Josh Baird wrote:
>
> I'm hosting DNS on NS1.KYWIMAX.COM.  It looks like Paul did forget to
> update the NS RRSet to make my server authoritative (give him a break, he's
> dealing with a hurricane), but as long as I'm answering queries things
> should be fine for the next 9 days (when the expire SOA reaches zero).  I
> could always flip the slave into a master zone and update the NS RRSet
> myself.
>
> Josh
>
> On Fri, Oct 7, 2016 at 12:41 AM, Ken Hohhof <af...@kwisp.com> wrote:
>
> So a lame delegation.  But if it is answering queries, maybe things won’t
> break?
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Eric Kuhnke
> *Sent:* Thursday, October 6, 2016 11:27 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] afmug.com DNS
>
> I am seeing ns1.kywimax.com as a 3rd nameserver in the whois record for
> afmug.com
>
> It seems to be answering
>
> But the zone file itself was not updated to list ns1.kywimax.com as
> authoritative, so stuff will probably break.
>
>
> dig mail.afmug.com @ns1.kywimax.com
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> mail.afmug.com @ns1.kywimax.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17959
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;mail.afmug.com.            IN    A
>
> ;; ANSWER SECTION:
> mail.afmug.com.        600    IN    A    54.210.210.89
>
> ;; AUTHORITY SECTION:
> afmug.com.        10800    IN    NS    ns0.pdmnet.com.
> afmug.com.        10800    IN    NS    ns.pdmnet.com.
> afmug.com.        10800    IN    NS    ns1.pdmnet.com.
>
> ;; Query time: 93 msec
> ;; SERVER: 100.42.32.200#53(100.42.32.200)
> ;; WHEN: Thu Oct 06 21:25:11 PDT 2016
> ;; MSG SIZE  rcvd: 119
>
> On Thu, Oct 6, 2016 at 9:09 PM, George Skorup <geo...@cbcast.com> wrote:
>
> Looks like Paul's network is offline. Did the secondary DNS for afmug.com
> get set up? Doesn't look like it. I'm still seeing ns, ns0 and
> ns1.pdmnet.net as the name servers. And all three are obviously down. So
> the list is going to break once everyone's DNS caches expire.