Moving dynamic zones to new master+slave pair without interruptions

2016-01-06 Thread Peter Rathlev
We currently have two internal DNS servers that are both authoritative for a range of internal zones and caching resolvers for our clients. We would like to split this so authoritative and caching roles exist on different servers. And we would like to do this with as little down time as possible,

Re: Moving dynamic zones to new master+slave pair without interruptions

2016-01-06 Thread Tony Finch
Peter Rathlev wrote: > We currently have two internal DNS servers that are both authoritative > for a range of internal zones and caching resolvers for our clients. We > would like to split this so authoritative and caching roles exist on > different servers. And we would like

RE: Moving dynamic zones to new master+slave pair without interruptions

2016-01-06 Thread Darcy Kevin (FCA)
I'd just like to note in passing that the "separate authoritative and recursive" herd mentality reaches the ultimate point of absurdity when you only have 2 servers and you're going to create single points of failure (apparently, unless I'm misinterpreting "stand alone") to conform to this

Re: Moving dynamic zones to new master+slave pair without interruptions

2016-01-06 Thread Peter Rathlev
On Wed, 2016-01-06 at 18:04 +, Darcy Kevin (FCA) wrote: > I'd just like to note in passing that the "separate authoritative and > recursive" herd mentality reaches the ultimate point of absurdity > when you only have 2 servers and you're going to create single points > of failure (apparently,

Re: Moving dynamic zones to new master+slave pair without interruptions

2016-01-06 Thread Peter Rathlev
Hi Tony, Thank you for the suggestions! On Wed, 2016-01-06 at 16:05 +, Tony Finch wrote: > * Set up a new hidden master, with copies of your zones. (See below) > > * Change your existing servers to slave from the new hidden master > instead of the old master. Reconfigure the old master to

dnskey algorithm update

2016-01-06 Thread Carl Byington
My zones are currently using algorithm 5 (RSASHA1), with two KSKs and two ZSKs with overlapping timers. In preparation for updating to algorithm 8 (RSASHA256), I read: The bind-users thread "KSK signing all records; NSEC3 algorithm status?"

Re: dnskey algorithm update

2016-01-06 Thread Jay Ford
On Wed, 6 Jan 2016, Carl Byington wrote: My zones are currently using algorithm 5 (RSASHA1), with two KSKs and two ZSKs with overlapping timers. In preparation for updating to algorithm 8 (RSASHA256), I read: The bind-users thread "KSK signing all records; NSEC3 algorithm status?"