Numbering nameservers and resolvers

Graham Beneke graham at apolix.co.za
Wed Aug 18 00:41:17 CDT 2010


On 16/08/2010 08:49, Mike wrote:
>    I am needing to renumber some core infrastructure - namely, my
> nameservers and my resolvers - and I was wondering if the collective
> wisdom still says heck yes keep this stuff all on separate subnets away
> from each other? Anyone got advice either way? Should I try to give
> sequential numbers to my resolvers for the benefit of consultants ...
> like .11, .22 and .33 for my server ips?

We have 4 authoritative nameservers with a management backend to make 
sure that their records are in sync. The servers are located on 3 
separate continents, originated on 4 different ASNs, numbered from 4 
different /8's and not sharing any common data centre or power 
infrastructure. The software platform is still a single point of failure 
and some people have recommended a mix of software vendors for 
additional redundancy.

With resolvers the approach is a bit different:
You want an easy-to-remember address and also an address that will not 
be subject to renumbering in the future. Even though they shouldn't, we 
see many users statically configuring their DNS resolvers.

A dedicated prefix for each resolver would be my first choice. You can 
then move that prefix to different hardware if necessary even if the 
routing to the hardware changes. A dedicated prefix also allows you to 
anycast the service if required. Since this is only internal routing it 
doesn't need to be a full /24.

I have also found it helpful to have the upstream queries originating 
from IPs in separate prefixes and this is quite easy to move around 
transparently to users or even in an emergency.

On IPv6 I have reserved 4 x /48s for DNS resolvers. The prefixes were 
chosen to be short and easy to remember and they are routed to existing 
resolvers. The :1 of each prefix is added to the loopback on the resolver.

-- 
Graham Beneke
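
An added example, not part of the original post: a small audit of a numbering plan against the points made above (authoritative servers in different /8s and ASNs, one dedicated prefix per resolver, upstream query sources outside the service prefixes). The function names are hypothetical, and the addresses and ASNs are constructed from documentation ranges.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: documentation prefixes and documentation ASNs only.
AUTHORITATIVE = [  # (name, address, origin ASN)
    ("ns1", "192.0.2.53", 64500),
    ("ns2", "198.51.100.53", 64501),
    ("ns3", "203.0.113.53", 64502),
    ("ns4", "198.51.100.153", 64502),
]
RESOLVERS = [  # (name, dedicated service prefix, service address, upstream query source)
    ("r1", "2001:db8:1::/48", "2001:db8:1::1", "2001:db8:ff01::10"),
    ("r2", "2001:db8:2::/48", "2001:db8:2::1", "2001:db8:2::99"),
]

def audit_authoritative(servers):
    """Flag pairs of authoritative servers that share an origin ASN or an IPv4 /8."""
    findings = []
    for (n1, ip1, as1), (n2, ip2, as2) in combinations(servers, 2):
        a, b = ipaddress.ip_address(ip1), ipaddress.ip_address(ip2)
        if a.version == b.version == 4 and a.packed[0] == b.packed[0]:
            findings.append(f"{n1} and {n2} share {a.packed[0]}.0.0.0/8")
        if as1 == as2:
            findings.append(f"{n1} and {n2} share AS{as1}")
    return findings

def audit_resolvers(resolvers):
    """Check each resolver's service address, prefix overlap and upstream source."""
    findings = []
    nets = {name: ipaddress.ip_network(prefix) for name, prefix, _, _ in resolvers}
    for name, _, svc, src in resolvers:
        if ipaddress.ip_address(svc) not in nets[name]:
            findings.append(f"{name}: service address {svc} is outside {nets[name]}")
        for other, net in nets.items():
            # Upstream queries should leave from a prefix that is not a service prefix,
            # so the source can move without touching what users have configured.
            if ipaddress.ip_address(src) in net:
                findings.append(f"{name}: upstream source {src} is inside {net}")
    for (n1, net1), (n2, net2) in combinations(nets.items(), 2):
        if net1.overlaps(net2):
            findings.append(f"{n1} and {n2}: service prefixes overlap")
    return findings

if __name__ == "__main__":
    for line in audit_authoritative(AUTHORITATIVE) + audit_resolvers(RESOLVERS):
        print(line)
```

On the sample plan this reports ns4 sharing a /8 with ns2 and an ASN with ns3, and r2 sourcing its upstream queries from inside its own service prefix.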




