On 1/22/19 10:06 PM, ObNox wrote:
> I'm not fully against this idea but I'm not comfortable with Site2/3 depending on Site1 for the updates.

Fair.

> If for some reason Site1 is unreachable and a host tries to update the DHCP lease, the DNS update would fail and the said host wouldn't be reachable by other direct neighbor hosts (same site) by DNS name just because a remote service is not available. Yes, I could lower the DHCP lease time to try again sooner, but it looks inelegant to me.

I would expect that DHCP would operate independently. Though the Dynamic DNS update may fail.

I tend to prefer for DHCP to offer the same addresses to clients if it can. So even if one update did fail, chances are good that the last update was for the same IP and DNS still had correct data.

But your concern is legitimate.

I start to wonder if other BIND back ends might offer additional options via DLZ.

> This reminds me of an infamous issue a few years ago where a WiFi router brand cut the internet access to all hosts because their cloud service was down. The idiotic router firmware believed that the internet was "down". Also like stupid Windows hosts displaying warning icons when they can't access www.msftncsi.com, etc. etc. I hate these kinds of dependencies and I do whatever I can to avoid them.

See above.  I think clients would still work using old information.

> There would be no need to promote secondaries to primaries because Site1 is really the big one holding most of the information. Site2/3 are "satellites" really where only minimal service is provided.

Fair.

> I thought of that too :-) A week would be far enough in my case.

;-)

> That's a nice idea, however I feel like it's starting to be a bit complicated for my use case. 2 DNS servers per site, maintaining RPZ zones, etc. seems a bit overkill for my setup.

Ya. I felt like it might be overkill for your situation. But you asked a question, and I shared the (partial) answer that I was aware of.

> If I understand correctly, each site would have 2 DNS servers, one "normal" and one forwarder. Would this kind of setup support dynDNS without trouble?

I don't know how dynamic DNS would integrate. I would think that you would want the updates to be sent to site 1 which would then replicate back to sites 2 & 3. The other local DNS server would be for overrides, which I doubt would change very often.

> What I meant is that each site would work on its own for normal traffic. Hosts and assets (printers, etc.) would boot up, DHCP, register DNS and access internet the usual way. That's what I mean by "independent".

Yep.

> Only the DNS requests for "unknown records within the local example.com" would be forwarded to the "master" (Site1).

Yep. So I guess you would want the dynamic updates to the local DNS server. I think you could direct updates there.

> Site1 would hold all the DNS records for its own hosts/assets (i.e. host1, printer1, etc.). Site2/3 would do the same on their own (i.e. host21, printer21, host31, printer31, etc.) but "app.example.com" and all the others would be forwarded to Site1.

*nod*

> All of this to avoid duplicating the DNS records on each site (currently 3 of them but could grow). At least, that's the current idea but I'm open to other solutions if they fit the bill :-)

Ya. Sometimes technical solutions are more of a problem than the lack of them is a problem.

> I wouldn't need to promote secondary servers to be primary as all of this is purely internal to the company. Site2/3 people would do their work normally, just being unable to reach the centralized app only available at Site1.

ACK

> You assume correctly :)

:-)

> I think I'm now geared towards this solution, which seems to be the simpler one to implement.

I think it's at least worth playing out to see if it fails or if it works well enough for your needs.

> I like out-of-the-comfort-zone ideas but in my current case, this seems to be a bit overkill.

Agreed.

You asked a question, and I provided the only answer that I was aware of. I'm sure there are others. I'd like to see what other people suggest. I selfishly want to learn from their efforts. }:-)

> I think I'm a bit biased here because I thought about a multi-master DNS service like I already have with OpenLDAP! The multi-master setup of OpenLDAP works so magically well that I really wished it was possible for my DNS use case :-) I can update any LDAP server in the chain and it magically propagates everywhere in an instant.

:-)

Take a look at the BIND DLZ LDAP driver. I suspect you can get BIND to use (what sounds like) your multi-master OpenLDAP configuration.

Link - BIND DLZ > Driver Docs > LDAP
 - http://bind-dlz.sourceforge.net/ldap_driver.html

> It's because I didn't find anything in the docs about the multi-master setup that I came up with the idea of a "selective forwarding" thing :)

Sounds like you're trying to find a possible solution. More than one would be nice so that you can evaluate the merits of them.

> Thank you for your feedback.

You're welcome.

Please share what you end up doing and why you chose it. I'd like to learn from your efforts. ():-)



--
Grant. . . .
unix || die
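As an added illustration of the "satellite site" layout discussed in this thread (not configuration from either poster), this is how a Site2 BIND server could be authoritative for its own hosts, accept dynamic updates only from the local DHCP server, and forward the rest of example.com to Site1. It assumes each satellite owns a subdomain (site2.example.com), that Site1's servers are 192.0.2.1 and 192.0.2.2, and that the DHCP server signs its updates with a TSIG key named "dhcp-site2"; the stale-answer options exist in BIND 9.12 and later.

```conf
// Added example, not from the thread. Site2 named.conf (fragment).
// Assumptions: subdomain site2.example.com, Site1 at 192.0.2.1/.2,
// DHCP server updates with TSIG key "dhcp-site2", Site2 LAN is 10.2.0.0/16.

key "dhcp-site2" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-generate-with-tsig-keygen";
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only Site2's own network may recurse through this server.
    allow-recursion { 10.2.0.0/16; localhost; };
    // If Site1 becomes unreachable, keep answering from cache for up to
    // a week instead of failing (serve-stale, BIND 9.12+).
    stale-answer-enable yes;
    max-stale-ttl 604800;
};

// Names local to Site2: served here, written only by DHCP, no Site1 dependency.
zone "site2.example.com" {
    type master;                 // "primary" in BIND 9.16+
    file "db.site2.example.com";
    // Restrict dynamic updates to the DHCP key and to the record types
    // a DHCP server legitimately registers; nothing else can modify the zone.
    update-policy {
        grant dhcp-site2 zonesub A AAAA TXT DHCID;
    };
};

// Everything else under example.com (app.example.com, Site1 hosts) is
// answered by Site1; the more specific site2.example.com zone above wins
// for local names, so those never leave the site.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; 192.0.2.2; };
};
```

The DHCP server's matching configuration (for ISC dhcpd, `ddns-update-style standard;` plus a `zone site2.example.com.` clause naming the same key and the local server as primary) then sends updates to the local server, as suggested above. Reverse (PTR) zones for the site's address range would be declared the same way as the forward zone.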

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users