On 16/08/2010 08:49, Mike wrote:
> I am needing to renumber some core infrastructure - namely, my nameservers and my resolvers - and I was wondering if the collective wisdom still says heck yes keep this stuff all on separate subnets away from each other? Anyone got advice either way? Should I try to give sequential numbers to my resolvers for the benefit of consultants ... like .11, .22 and .33 for my server ips?
We have 4 authoritative nameservers with a management backend to make sure that their records are in sync. The servers are located on 3 separate continents, originated on 4 different ASNs, numbered from 4 different /8s and not sharing any common data centre or power infrastructure. The software platform is still a single point of failure, and some people have recommended a mix of software vendors for additional redundancy.

With resolvers the approach is a bit different: you want an easy to remember address and also an address that will not be subject to renumbering in the future. Even though they shouldn't, we see many users statically configuring their DNS resolvers.

A dedicated prefix for each resolver would be my first choice. You can then move that prefix to different hardware if necessary, even if the routing to the hardware changes. A dedicated prefix also allows you to anycast the service if required. Since this is only internal routing, it doesn't need to be a full /24.

I have also found it helpful to have the upstream queries originating from IPs in separate prefixes; this is quite easy to move around transparently to users, or even in an emergency.

On IPv6 I have reserved 4 x /48s for DNS resolvers. The prefixes were chosen to be short and easy to remember, and they are routed to existing resolvers. The :1 of each prefix is added to the loopback on the resolver.

-- 
Graham Beneke
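The resolver layout Graham describes (a dedicated prefix per resolver, its :1 on the loopback, upstream queries sourced from a separate prefix), written out as an added BIND 9 named.conf example that is not from the thread. The addresses are constructed stand-ins from the documentation ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24), not anyone's real prefixes:

```conf
# Added example, not from the thread. Constructed addressing:
#   service prefix for this resolver : 2001:db8:1::/48 and 192.0.2.0/28
#   prefix for upstream query sources : 2001:db8:f::/48 and 192.0.2.240/28
#   client (user) ranges               : 2001:db8:100::/48 and 198.51.100.0/24
#
# The service address is the :1 of the dedicated prefix and lives on the
# loopback, not on a physical interface, so the host can be swapped or the
# prefix re-routed (or anycast from a second host) without clients noticing:
#   ip -6 addr add 2001:db8:1::1/128 dev lo
#   ip    addr add 192.0.2.1/32     dev lo
# The IGP (or a static route on the upstream router) then carries the
# /48 and the /28 toward whichever host currently holds them.

options {
    directory "/var/cache/bind";
    recursion yes;

    # Clients only ever see the stable, dedicated service address.
    listen-on    { 192.0.2.1; };
    listen-on-v6 { 2001:db8:1::1; };

    # Upstream queries leave from the separate prefix, which can be
    # re-homed independently of the client-facing address. Give only the
    # address here, never a fixed port, so source-port randomisation
    # (the defence against cache poisoning) is preserved.
    query-source    address 192.0.2.241;
    query-source-v6 address 2001:db8:f::1;

    # Recursion restricted to our own users so the resolver is not open
    # to the Internet; anyone else gets REFUSED.
    allow-recursion   { 198.51.100.0/24; 2001:db8:100::/48; 127.0.0.1; ::1; };
    allow-query-cache { 198.51.100.0/24; 2001:db8:100::/48; 127.0.0.1; ::1; };
};
```

Moving the resolver to new hardware is then: add the same loopback addresses on the new host, shift the route for the service prefix, and leave the query-source prefix (and the clients' static configuration) untouched.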