[nsd-users] Seeking advice for deploying an anycast cluster

Måns Nilsson mansaxel at besserwisser.org
Sat Jan 4 07:24:16 UTC 2020


Subject: Re: [nsd-users] Seeking advice for deploying an anycast cluster Date: Fri, Jan 03, 2020 at 09:22:46PM -0500 Quoting Daniel Corbe via nsd-users (nsd-users at lists.nlnetlabs.nl):
> 
> So I'm worried about nsd getting the right information from the right
> source.   If I put my nsd instances in a "full mesh" so to speak,
> where they are all XFR and NOTIFY each other, my "A" and "B" PowerDNS
> servers would still need to be the authoritative source for
> information.  I'm assuming that's where the serial number of the zone
> comes into play?   Highest provided serial number wins, right?

Correct. 

Don't forget that you would be wise to include TSIG as well. Here, between
servers managed by the same entity, it is child's play. And being able
to prove that the AXFR is correct all the way is quite beneficial.

Further, you need a system to manage the "new zone deployment" process,
as well as removal (but adding is more time-critical than removal). I've
used "dper.pl" from Kirei (https://github.com/kirei/dper) to automate
this for quite a few years now. No hickups. A new version that is Python
and YAML is in the works, of which I will have experience soon.

In summary: 

* every slave should fetch its zone from at least 2 masters, 

* serial governs which zone is loaded and served, 

* TSIG set up between masters and slaves, 

* NOTIFY (by virtue of "also-notify" in BIND and PowerDNS syntax) makes
  things fast,

* Zone deployment is and was always supposed to be OOB, and needs to
  be handled. (NB: There with some frequency pops up suggestions to do
  in-band provisioning, and I THINK I've seen it on the feature list for
  some implementations, but no standard method has yet been devised.)


rgds, 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
I hope I bought the right relish ... zzzzzzzzz ...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20200104/a7744ec4/attachment.bin>


More information about the nsd-users mailing list