On 2014-05-08 07:13, Barry S. Finkel wrote:
On 2014-05-07 15:06, Lawrence K. Chen, P.Eng. wrote:
OTOH, the idea of multi-master is intriguing.....the only down side
I see, is hat I
>> have one really powerful server for my current master....(Sun Fire
X4170)....and my
>> other servers are weak leftovers....just passed EOL last year.
>> And, have all the servers doing full DNSSEC signing could be
>> interesting.
It also raises the question of how does the outside world cope with
all the servers
>> having identical zones...signed on slightly different times, etc.
>> (especially since I'm using unix timestamp for zone serial....avoids
>> issues of multiple admins incrementing serial without
>> noticing others and/or collisions with DNSSEC's
>> incrementing of serials.)
Dave Warren replied:
I wouldn't expect any real issues here, Windows DNS has done multimaster
DNS since Windows 2000. In the case of Windows, dynamic updates (via
client or GUI) can be done at any location, the serial numbers are
incremented automatically, but the zones and servers may vary from each
other for a brief period of time.
So for example, DC1 and DC2 may start with serial 100, DC1 will receive
2 changes and be up to 102, DC2 will give 5 different changes and be up
to 105. When Active Directory synchronization happens outside of DNS,
the two sides merge changes together, and set the serial to the higher
of the two plus one, so the serial would be 106. To the outside world,
records can appear/disappear for a brief period while the servers drift
out of sync, similar to what could happen in a BIND configuration
without notifies as resolvers hit the two DNS servers round-robin.
The only thing that causes issues is if you use DNS to create a
non-Active Directory slave. BIND will throw errors because it will see
serial 100, 101, 102, then get a notify from the second server about
101. However, the slave will still sync up once the AD servers sync to
106. The fix here is to configure BIND to only slave off of one master
or the other, not both.
While there might be other factors involved in turning BIND into a true
multi-master solution, I wouldn't expect zones drifting out of sync or
having minor differences to be a big factor since it happens in the wild
already.
As I have written before, see MS article 282826. If one is going
to slave an MS AD DNS server, one has to choose ONLY ONE AD DNS
Server as a master. As I see it, there is no way that AD can
choose a zone serial number from among all of the AD DNS Servers.
Assuming that a zone has the same contents and same serial number,
say n, on all Domain Controllers. Then, one Windows machine sends
a DDNS update for the zone to DC1 at the same time that another Windows
machine sends a different DDNS update for that zone to DC2. Now,
each DC has serial number n+1 and different contents. When AD
synchronizes the zone contents and serial number under the covers,
what serial number can it choose? It can't choose n+1, as that
serial number has already been used. It can't choose n+2, as it
does not know if another DDNS for the same zone has arrived before
the synchronization has taken place.
n+2 works fine, the situation is no worse off than it was with two
servers each at n+1 and being slightly out of sync. At the n+2 step, the
zones are closer to being in sync then they were. The logic that MS DNS
uses is to always set the serial number to the highest seen anywhere +1
and it works very well internally.
Even if you don't follow the advice in 282826, it actually works
surprisingly well; as AD syncs up (which tends to happen very quickly
for DNS servers in the same site, slower with intra-site replication),
the changes merge together, the serial increments and BIND gets the
latest zone. You obviously have to use AXFR rather than IFXR, and you
have to accept that newly added records will appear and disappear from
the BIND zone when/if BIND flips between AD masters, but the effects are
understandable and manageable.
(I'm not advocating slaving off of multiple AD masters, I agree
completely with 282826 -- it's a dumb idea. But I've seen it done and if
you ignore BIND's logs and understand that newly added records need to
propagate before they will exist reliably, it works well in production)
But again, the point of this isn't "how to integrate MS DNS and BIND",
it's "What happens, in the real world, if multi-master authoritative
servers were to serve ever-so-slightly-different-versions of the same
zone with the same serial", and the answer is that this is already
battle-tested in the real world and it works very well, outside of
slaves which aren't aware of this design or aren't part of the
multi-master configuration.
IIRC, 282826 says that if a
DC is not used as a master for a BIND slave, then its zone serial
number is not important.
Indeed -- And that's my point, the situation where slightly different
versions of the same zone are being served by different DNS servers
already happens in the real world and most things work fine, except for
the one big issue of slaving off of such a server.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
