On 16/08/2010 08:49, Mike wrote:
> I am needing to renumber some core infrastructure - namely, my
> nameservers and my resolvers - and I was wondering if the collective
> wisdom still says heck yes keep this stuff all on separate subnets away
> from each other? Anyone got advice either way? Should I try to give
> sequential numbers to my resolvers for the benefit of consultants ...
> like .11, .22 and .33 for my server ips?
We have 4 authoritative nameservers with a management backend to make
sure that their records are in sync. The servers are located on 3
separate continents, originated on 4 different ASNs, numbered from 4
different /8's and not sharing any common data centre or power
infrastructure. The software platform is still a single point of failure
and some people have recommended a mix of software vendors for
additional redundancy.
With resolvers the approach is a bit different:
You want an easy to remember address and also an address that will not
be subject to renumbering in the future. Even though they shouldn't, we
see many users statically configuring their DNS resolvers.
A dedicated prefix for each resolver would be my first choice. You can
then move that prefix to different hardware if necessary even if the
routing to the hardware changes. A dedicated prefix also allows you to
anycast the service if required. Since this is only internal routing, it
doesn't need to be a full /24.
I have also found it helpful to have the upstream queries originating
from IPs in separate prefixes, and this is quite easy to move around
transparently to users, or even in an emergency.
On IPv6 I have reserved 4 x /48s for DNS resolvers. The prefixes were
chosen to be short and easy to remember and they are routed to existing
resolvers. The :1 of each prefix is added to the loopback on the resolver.
--
Graham Beneke
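As an added illustration of the diversity criteria Graham lists for the authoritative set (distinct /8s, distinct ASNs, no shared data centre, a single software platform as the remaining single point of failure) and of his resolver layout (a dedicated prefix per resolver with the service address inside it, upstream queries sourced from a different prefix), here is a small plan checker. It is not code from the thread or from either poster; the inventory, ASNs, site names and addresses are constructed from documentation ranges, and the "/8 for IPv4, /32 for IPv6" coarse split is an assumption chosen to match the wording of the reply.

```python
"""Topological-diversity checker for a DNS numbering plan (added example).

Checks a constructed inventory against the criteria in the thread:
authoritative servers should not share a coarse prefix, ASN, site or
software; each resolver should have a dedicated service prefix with its
service address inside it and its upstream query source outside it.
All names, addresses and ASNs below are made up (assumption).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AuthServer:
    name: str
    addr: str       # service address, IPv4 or IPv6
    asn: int        # originating ASN
    site: str       # data centre / power domain
    software: str   # nameserver implementation


@dataclass(frozen=True)
class Resolver:
    name: str
    service_prefix: str   # dedicated prefix routed to this resolver
    service_addr: str     # the .1 / :1 users configure (held on loopback)
    query_source: str     # address upstream queries originate from


# Constructed inventory: ns3 and ns4 deliberately share a /8, and all four
# run the same software, so both should be reported as shared dimensions.
AUTH_SERVERS = [
    AuthServer("ns1", "192.0.2.53", 64496, "ams-1", "bind"),
    AuthServer("ns2", "198.51.100.53", 64497, "jnb-1", "bind"),
    AuthServer("ns3", "203.0.113.53", 64498, "syd-1", "bind"),
    AuthServer("ns4", "203.0.113.200", 64499, "nyc-1", "bind"),
]

# Constructed resolver plan: rdns2 sources upstream queries from inside its
# own service prefix, which defeats moving the two independently.
RESOLVERS = [
    Resolver("rdns1", "2001:db8:1::/48", "2001:db8:1::1", "2001:db8:f1::1"),
    Resolver("rdns2", "2001:db8:2::/48", "2001:db8:2::1", "2001:db8:2::2"),
    Resolver("rdns3", "198.51.100.32/27", "198.51.100.33", "203.0.113.33"),
]


def coarse_prefix(addr: str) -> str:
    """Coarse aggregate used for diversity: /8 for IPv4, /32 for IPv6 (assumption)."""
    a = ip_address(addr)
    bits = 8 if a.version == 4 else 32
    return str(ip_network(f"{a}/{bits}", strict=False))


def auth_single_points_of_failure(servers):
    """Return {dimension: {shared value: [server names]}} for every value
    shared by more than one server. An empty dict means fully diverse."""
    groups = {dim: defaultdict(list) for dim in ("prefix", "asn", "site", "software")}
    for s in servers:
        groups["prefix"][coarse_prefix(s.addr)].append(s.name)
        groups["asn"][s.asn].append(s.name)
        groups["site"][s.site].append(s.name)
        groups["software"][s.software].append(s.name)
    spof = {}
    for dim, by_value in groups.items():
        shared = {k: sorted(v) for k, v in by_value.items() if len(v) > 1}
        if shared:
            spof[dim] = shared
    return spof


def resolver_plan_problems(resolvers):
    """Return {resolver name: [problem strings]} for resolvers whose service
    address is outside their prefix, whose upstream query source is inside
    it, or whose prefix is shared with another resolver."""
    problems = defaultdict(list)
    owners = defaultdict(list)
    for r in resolvers:
        net = ip_network(r.service_prefix)
        owners[net].append(r.name)
        if ip_address(r.service_addr) not in net:
            problems[r.name].append("service address not inside dedicated prefix")
        if ip_address(r.query_source) in net:
            problems[r.name].append("upstream query source shares the service prefix")
    for net, names in owners.items():
        if len(names) > 1:
            for n in names:
                others = [x for x in names if x != n]
                problems[n].append(f"prefix {net} shared with {others}")
    return dict(problems)


if __name__ == "__main__":
    for dim, shared in auth_single_points_of_failure(AUTH_SERVERS).items():
        for value, names in shared.items():
            print(f"authoritative: {dim} {value} shared by {', '.join(names)}")
    for name, issues in resolver_plan_problems(RESOLVERS).items():
        for issue in issues:
            print(f"resolver {name}: {issue}")
```

Run as-is it reports the shared 203.0.0.0/8 and the common software platform on the authoritative side, and flags only rdns2 on the resolver side; swapping the inventory for your own addresses, ASNs and sites turns it into a pre-renumbering sanity check.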