> Please confirm that if a DNS query is sent to the virtual address, the reply
> will be sourced from the virtual address. The reason for restricting BIND to
> a single address was mostly for firewall and administrative simplicity, but
> that's not a big deal as long as the same address is used both directions.
Yes, the correct source address is used (the source of a response is the
destination of the inbound query). However, onward queries that bind makes on
behalf of a client (e.g. if recursing) will use whatever address (or presumably
query-source/query-source-v6). The default query source always seems to be the
primary address of an interface, as far as I've seen.

> The documentation for keepalived isn't very good, but as near as I can tell
> it does not support bringing up an application like BIND along with a VRRP
> address. Maybe I'm wrong? The cluster.org package works great except for the
> lack of an interface, so I've posted over there also to see if it's possible
> to build a virtual interface for the IP, but I doubt it.

Our recursive servers run keepalived to juggle the two service addresses that
we advertise, and we don't set query-source, listen-on or notify-source. I
don't see any benefit in moving the query/notify source addresses between
hosts, especially since it makes it hard to test/monitor a host that isn't in
service at the moment.

Keepalived calls 'rndc scan' to nudge the already-running named when addresses
appear/disappear, but I think this might be a historical thing now that bind
can watch the routing socket.

Graham

>
> -----Original Message-----
> From: Tony Finch [mailto:d...@dotat.at]
> Sent: Tuesday, March 15, 2016 5:40 PM
> To: Mike Bernhardt
> Cc: bind-users@lists.isc.org
> Subject: Re: PCS, Corosync, Pacemaker, and Bind
>
> Mike Bernhardt <bernha...@bart.gov> wrote:
>>
>> I'm setting up a new CentOS 7 DNS server cluster to replace our very
>> old CentOS 4 cluster. The old one uses heartbeat which is no longer
>> supported, so I'm now using pcs, corosync, and pacemaker.
>
> I suggest having a look at keepalived: it's significantly simpler.
>
>> I want BIND to listen on, query from, etc. on a particular IP address,
>> which is virtualized.
>> The options currently used are:
>> query-source address
>> listen-on
>> notify-source
>>
>> listen-on isn't a big deal, but the source address options are.
>
> Why do you care about the query source address?
>
> I don't set any of those options and just let BIND pick whatever source
> address it wants; it might choose the server admin address or the advertised
> service address, and that doesn't matter because everything else is
> configured to accommodate this.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Shannon, Rockall: Southeast 4 or 5, increasing 6 at times in Shannon.
> Moderate or rough. Fair. Mainly good.
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
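The arrangement Graham describes (two advertised service addresses moved by keepalived, nothing pinned in named.conf, and 'rndc scan' called on each transition) as an added keepalived configuration example; it is not from the thread or from the keepalived or BIND projects, and the interface name, addresses, router ids and rndc path are constructed placeholders.

```conf
# /etc/keepalived/keepalived.conf -- added example, not from the thread.
# Interface, addresses, VRIDs and the rndc path are constructed placeholders.

# Liveness check for the local named via its rndc control channel; it works
# whether or not this host holds a VIP, so a standby can be tested in place.
vrrp_script chk_named {
    script "/usr/sbin/rndc status"
    interval 5
    fall 2
}

# First advertised service address; this host is its preferred holder.
vrrp_instance dns_vip_a {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    virtual_ipaddress {
        192.0.2.53/24
    }
    track_script {
        chk_named
    }
    # Nudge the already-running named to re-scan its interfaces so it starts
    # or stops listening on the address that just moved. With BIND's default
    # automatic-interface-scan named usually notices by itself; the hook just
    # makes the switch-over prompt and deterministic.
    notify_master "/usr/sbin/rndc scan"
    notify_backup "/usr/sbin/rndc scan"
    notify_fault  "/usr/sbin/rndc scan"
}

# Second advertised service address; the peer is its preferred holder (it
# uses priority 150 there), so normally each host serves one address.
vrrp_instance dns_vip_b {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 100
    virtual_ipaddress {
        192.0.2.54/24
    }
    track_script {
        chk_named
    }
    notify_master "/usr/sbin/rndc scan"
    notify_backup "/usr/sbin/rndc scan"
    notify_fault  "/usr/sbin/rndc scan"
}
```

named itself is left without listen-on, query-source or notify-source, as in the thread, so it binds the VIP as soon as it appears and answers from whichever address each query arrived on; only its onward recursive queries may leave from the host's primary address.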