On 01/13/2016 04:34 AM, Philippe Maechler wrote:
> My idea for the new setup is:
> -----------------------------------
> caching servers
> - Set up new caching servers
> - Configure the IPv4 addresses of both (old) servers on the new servers as a /32 and set up an anycast network. This way the stupid clients, who won't switch to the secondary NS server when the primary is not available, are happy when there is some problem with one server. If we're having issues with the load in the future we can set up a new server and put it into the anycast network.
Assuming you can manage the anycast effectively that's a good architecture that works well. Many of my customers have used it.
> auth. servers
> - Set up a hidden master on the VMware
> - Set up two physical servers which are slaves of the hidden master
> That way we have one box which is (anytime in the future) doing the DNSSEC stuff, gets the updates that we're doing over the web interface and deploys the ready-to-serve zones to its slaves.
I would not hesitate to make the authoritative servers virtual as well.
> I'm not sure if it is a good thing to have physical servers, although we have a VMware cluster in both nodes which has enough capacity (RAM, CPU, disk). I once read that the VMware boxes have a performance issue with heavy UDP-based services. Did any of you face such an issue? Are your DNS servers all running on physical or virtual boxes?
When I was at BlueCat we recommended to customers that they put their resolving name servers on physical boxes in order to avoid chicken and egg problems after a catastrophic failure. Resolvers are core infrastructure, as are Virtualization clusters. It's better to avoid interdependencies between critical infrastructure wherever possible. Since you already have the physical boxes, I would continue to use them. The same argument can be made for DHCP as well, BTW.
That said, a non-zero number of our customers had all of their stuff virtualized, and were quite happy with it. Modern VMware has little or no penalty, and certainly nothing that would slow you down at 15k qps.
hope this helps,

Doug

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
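The two designs discussed in this thread (anycast caching resolvers, and a hidden master feeding two public slaves) as BIND named.conf fragments. This is an added example, not configuration posted by Philippe or Doug. All addresses are RFC 5737 documentation placeholders standing in for the real ones, the zone name, file paths and the key name are assumed, and the syntax is that of BIND 9.9 or later.

```conf
// ===== caching resolver: identical on every anycast node =====
// 192.0.2.53 and 192.0.2.54 stand in for the two old resolver addresses
// (assumed). Each is configured as a /32 on the loopback of every node and
// announced into the IGP; 198.51.100.11 is this node's own unicast address.
acl "clients" { 10.0.0.0/8; 192.168.0.0/16; };   // assumed client ranges

options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.53; 192.0.2.54; 198.51.100.11; };
    recursion yes;
    // Open resolvers get abused for amplification: restrict recursion and
    // cache access to your own clients and answer nothing else.
    allow-query { clients; };
    allow-recursion { clients; };
    allow-query-cache { clients; };
    allow-transfer { none; };
    dnssec-validation auto;
    minimal-responses yes;
    // Per-client response rate limiting blunts reflection abuse from inside.
    rate-limit { responses-per-second 20; };
};

// ===== hidden master (VM): never appears in the zone's NS records =====
// Generate the secret once with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

options {
    directory "/var/named";
    recursion no;
    // Only the two public slaves and the admin network need to talk to it;
    // the firewall should enforce the same boundary.
    allow-query { 203.0.113.1; 203.0.113.2; 10.0.0.0/8; };
    // Zone transfers only with the TSIG key, so a spoofed AXFR request from
    // anywhere else is refused rather than handed the whole zone.
    allow-transfer { key "xfer-key"; };
    notify explicit;
    also-notify { 203.0.113.1 key "xfer-key"; 203.0.113.2 key "xfer-key"; };
    // ZSK/KSK pairs from dnssec-keygen live here; named picks them up itself.
    key-directory "/var/named/keys";
};

zone "example.com" {
    type master;
    file "masters/example.com.db";   // unsigned zone written by the web interface
    // named keeps a separate signed copy and re-signs as records change,
    // so the web interface never has to know about DNSSEC.
    inline-signing yes;
    auto-dnssec maintain;
};

// ===== public slave (one of the two physical boxes, 203.0.113.1) =====
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // same placeholder as on the master
};

options {
    directory "/var/named";
    recursion no;               // authoritative only; no cache to poison
    allow-query { any; };
    allow-transfer { none; };   // nobody pulls the zone from the slaves
    minimal-responses yes;
};

zone "example.com" {
    type slave;
    masters { 10.10.0.5 key "xfer-key"; };   // hidden master's address (assumed)
    file "slaves/example.com.db";
    notify no;
};
```

Two operational caveats that follow from Doug's "assuming you can manage the anycast effectively": the /32 announcement on a caching node must be tied to a liveness check of named itself (withdraw the route when the daemon stops answering), otherwise a node with a dead resolver keeps attracting the traffic and the non-failover clients are blackholed rather than helped; and the hidden master only stays hidden if its address is absent from the NS set and unreachable from client networks, which the `allow-query` above and a matching firewall rule enforce together.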