Looking through old notes
Setup description in Services/Club DNS appears to still be mostly accurate.
Things that have changed:
- IPV6 patch is now the test28 version.
- Query merging is now a custom patch I developed that uses red-black trees to efficiently identify potential targets for merging. It should not have issues with CPU load.
- We increased the maximum number of UDP connections dnscache will make from 200 to 400 (MAXUDP in the dnscache env directory).
Probably better/easier to use IP aliases on a single interface than to set up two. (This should avoid messages in Observium's event log about MAC <-> IP mappings changing.)
auto eth0:0
iface eth0:0 inet static
    address <addr>
    netmask <mask>
Fits better in Debian's filesystem hierarchy to put the tinydns and dnscache home directories in /var/local. Blech... /var/tinydns is coded into dnsupdate.sh though. So I made a symlink.
Daemontools-run has integration with systemd. Re-arrangement of /etc/inittab shouldn't be necessary. Not yet sure if there are any new gotchas from systemd.
Instead of adding rsync-dns.sh to rsync's crontab, install cclub-rsync-slave-dns.
Can prevent axfrdns from answering AXFR requests (but still allow it to serve DNS-over-TCP) by using :allow,AXFR="" in /var/local/axfrdns/tcp. axfrdns reads the compiled tcp.cdb, not the text file, so run make in that directory (or tcprules directly) after editing it.
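A complete rules file for that case, written here as an added example rather than taken from the notes: the listed secondaries may transfer the listed zones, everybody else still gets DNS-over-TCP (needed whenever a UDP answer is truncated) but an empty AXFR list. The secondary addresses, zone names and the AXFRDNS_DIR/SECONDARIES/ZONES variables are assumptions for the example; tcprules and tcprulescheck are the ucspi-tcp tools.

```sh
#!/bin/sh
# Rules for /var/local/axfrdns/tcp: zone transfers only from the listed
# secondaries and only for the listed zones; everyone else still gets
# DNS-over-TCP but AXFR="" (no zones). Addresses and zone names are
# placeholders, not the club's real ones.
AXFRDNS_DIR="${AXFRDNS_DIR:-/var/local/axfrdns}"
SECONDARIES="${SECONDARIES:-192.0.2.53 198.51.100.53}"   # hosts allowed to AXFR (assumed)
ZONES="${ZONES:-example.org/2.0.192.in-addr.arpa}"       # zones they may pull, '/' separated (assumed)

# Print the rules. tcprules keys them by client address, so the exact
# address lines win over the "" default rule for the secondaries.
axfr_rules() {
    for ip in $SECONDARIES; do
        printf '%s:allow,AXFR="%s"\n' "$ip" "$ZONES"
    done
    printf ':allow,AXFR=""\n'
}

# Write the rules and compile tcp.cdb the way the Makefile from axfrdns-conf
# does; axfrdns only reads the compiled database, so this step is not optional.
install_rules() {
    axfr_rules > "$AXFRDNS_DIR/tcp"
    tcprules "$AXFRDNS_DIR/tcp.cdb" "$AXFRDNS_DIR/tcp.tmp" < "$AXFRDNS_DIR/tcp"
}

# Show which rule a client address would hit and the environment (AXFR=...)
# it would get, e.g. check_client 203.0.113.9 should report an empty AXFR.
check_client() {
    TCPREMOTEIP="$1" tcprulescheck "$AXFRDNS_DIR/tcp.cdb"
}
```

After install_rules, a transfer attempt from a host outside SECONDARIES (dig AXFR example.org @server) should come back without any records, while ordinary TCP queries from the same host keep working; that is the difference between this rules file and a blanket :deny.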
Systemd handling for daemontools-run and svinitd actually seems to be a little better than sysvinit handling was in wheezy. Starting the default down services out of /etc/init.d works as expected. Though it's helpful to add LSB headers to those scripts. E.g.,
### BEGIN INIT INFO
# Provides:          authoritative-dns
# Required-Start:    $network daemontools
# Required-Stop:     $network daemontools
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start axfrdns and tinydns at boot time
# Description:       Enable authoritative DNS service provided over TCP by
#                    axfrdns and provided over UDP by tinydns.
### END INIT INFO
The script needs to be executable and then enabled at the default run levels (update-rc.d authoritative-dns defaults). Reload systemd so it generates the corresponding unit (systemctl daemon-reload).
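A complete script in that shape, as an added example and not the script from the notes: it brings the two default-down daemontools services up and down with svc, and derives LSB exit codes for status from svstat's output, which matters if Pacemaker later monitors it as an lsb: resource. The service directory names and the SVC/SVSTAT variables (SVC=echo gives a dry run) are assumptions of the example.

```sh
#!/bin/sh
### BEGIN INIT INFO
# Provides:          authoritative-dns
# Required-Start:    $network daemontools
# Required-Stop:     $network daemontools
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start axfrdns and tinydns at boot time
# Description:       Enable authoritative DNS service provided over TCP by
#                    axfrdns and provided over UDP by tinydns.
### END INIT INFO

# Service directories under daemontools-run's scan directory. Both carry a
# "down" file, so svscan leaves them stopped until this script brings them
# up. The names are assumed, not taken from the notes.
SERVICES="${SERVICES:-/etc/service/tinydns /etc/service/axfrdns}"
# Overridable for a dry run: SVC=echo /etc/init.d/authoritative-dns start
SVC="${SVC:-svc}"
SVSTAT="${SVSTAT:-svstat}"

# svc -u starts the service and tells supervise to restart it if it dies;
# svc -d stops it (TERM then CONT) and keeps it down.
do_start() { for s in $SERVICES; do "$SVC" -u "$s"; done; }
do_stop()  { for s in $SERVICES; do "$SVC" -d "$s"; done; }

# LSB status codes (0 running, 3 stopped) derived from svstat's output
# ("<dir>: up (pid N) S seconds" or "<dir>: down S seconds, normally up").
# svstat itself does not use LSB codes, and pacemaker's lsb: resource
# agent decides from this exit status whether the service is running.
do_status() {
    rc=0
    for s in $SERVICES; do
        line=$("$SVSTAT" "$s")
        echo "$line"
        case "$line" in *": up "*) ;; *) rc=3 ;; esac
    done
    return $rc
}

case "${1:-}" in
    start)                do_start ;;
    stop)                 do_stop ;;
    restart|force-reload) do_stop; do_start ;;
    status)               do_status ;;
    "")                   ;;   # sourced without an action: only define the functions
    *) echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2; exit 3 ;;
esac
```

Keep the status branch honest: an init script whose status always exits 0 makes Pacemaker believe a dead tinydns is healthy, so it never fails the resource over.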
Packages
Basic packages for the DNS servers:
- daemontools
- daemontools-run
- dbndns
- dbndns-manpages
- svtools
- ucspi-tcp
Packages for the HA support:
- pacemaker
- pacemaker-cli-utils
- pcs
Interaction with the AFS PT/VL servers
Don't want the node-1 servers to answer requests for node-2 if node-1 has taken over DNS for node-2.
This is sort of kludgy. There are /var/lib/openafs/local/NetInfo and /var/lib/openafs/NetRestrict, but those only seem to affect the addresses that are advertised within the protocol. Daemons can use an "-rxbind" option, which causes them to bind only to the first IP address.
Possible alternative is mix of NetInfo/NetRestrict and firewall rules.
...
Decided that the best bet is to put the advertised interface in NetInfo, the blocked interfaces in NetRestrict, and block all the ports on the undesired interfaces. NetInfo/NetRestrict seem to be used for advertisements in ubik, and it's okay if the targeted interface is not there.
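The three pieces of that decision in one script, added here as an example rather than copied from the notes: NetInfo carries the address to advertise, NetRestrict the addresses to hide, and static iptables rules drop AFS datagrams aimed at any of the floating addresses whether or not the node currently holds them. NODE_ADDR, the FLOATING list, the 7000:7009 port range and the IPTABLES variable (IPTABLES=echo for a dry run) are assumptions; if a node's AFS identity is itself one of the floating addresses, leave that one out of FLOATING.

```sh
#!/bin/sh
# Which addresses the OpenAFS db servers advertise and which AFS traffic the
# host drops. NODE_ADDR is this node's own address, FLOATING the four
# pacemaker-managed DNS addresses; the assumption is that AFS should only
# ever be reached at NODE_ADDR. All addresses are placeholders.
NETINFO="${NETINFO:-/var/lib/openafs/local/NetInfo}"
NETRESTRICT="${NETRESTRICT:-/var/lib/openafs/NetRestrict}"
NODE_ADDR="${NODE_ADDR:-192.0.2.1}"
FLOATING="${FLOATING:-192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.22}"
AFS_PORTS="${AFS_PORTS:-7000:7009}"   # AFS server UDP range (assumed); ptserver 7002 and vlserver 7003 are in it
IPTABLES="${IPTABLES:-iptables}"      # IPTABLES=echo for a dry run

# NetInfo: addresses to advertise, one per line. NetRestrict: addresses to
# hide. Per the notes these only affect what ubik advertises, so the
# firewall rules below are what actually stops answers on the wrong address.
write_netfiles() {
    printf '%s\n' "$NODE_ADDR" > "$NETINFO"
    printf '%s\n' $FLOATING > "$NETRESTRICT"
}

# Drop AFS datagrams addressed to any floating address. The rules go on both
# nodes and name addresses a node may not hold right now, so a takeover
# needs no firewall changes at all.
block_afs_on_floating() {
    for ip in $FLOATING; do
        "$IPTABLES" -A INPUT -d "$ip" -p udp --dport "$AFS_PORTS" -j DROP
    done
}
```

Restart the bos-managed servers after changing NetInfo/NetRestrict, and verify from another host that the ptserver/vlserver ports answer at NODE_ADDR but not at any of the floating addresses.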
Basic Idea
- 4 "floating" IP addresses: one authoritative and one recursive DNS address per server, x 2 servers
- Each machine has dnscache configurations for both recursive IPs, and tinydns and axfrdns configurations for both authoritative IPs
- Configurations for each IP will share the same chroot
Pacemaker starts/stops the services for a given IP depending on whether the machine is hosting that IP (dependency/ordering constraints).
Preference is to have each machine serving 1 authoritative IP and 1 recursive IP (colocation constraint).
Cluster Setup
Gotcha: Make sure there aren't entries in /etc/hosts mapping node names to 127.0.1.1! (Debian's installer adds one for the local hostname, and the cluster stack would then resolve that node to loopback.)
Essentially follow the Clusters from Scratch documentation for initial cluster setup.
Note that we actually want the corosync and pacemaker services enabled, as opposed to the document's suggestion of always starting them manually.
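The /etc/hosts gotcha as a preflight check, the enable-at-boot step, and the "Basic Idea" layout (one IPaddr2 address plus one lsb: service per role, ordering and colocation constraints, a finite-score preference for splitting the pairs across the two nodes) as pcs commands. This is an added example, not configuration from the notes: the node names, addresses, init-script names and the PCS variable (PCS=echo prints the commands instead of running them) are assumptions, and it starts after the Clusters from Scratch steps that create the cluster.

```sh
#!/bin/sh
# Preflight check from "Cluster Setup" plus the resource layout from
# "Basic Idea", as pcs commands. Node names, addresses and init-script
# names are placeholders; PCS=echo prints the commands instead of running them.
PCS="${PCS:-pcs}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
NODES="${NODES:-node-1 node-2}"
NIC="${NIC:-eth0}"        # floating addresses are added as aliases on this interface
CIDR="${CIDR:-24}"

# The /etc/hosts gotcha: Debian's installer maps the hostname to 127.0.1.1,
# and corosync would then resolve the node to loopback. Return 1 naming offenders.
check_hosts() {
    bad=0
    for n in $NODES; do
        if awk -v n="$n" '$1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                          END { exit !f }' "$HOSTS_FILE"; then
            echo "$HOSTS_FILE maps $n to 127.0.1.1; drop that line" >&2
            bad=1
        fi
    done
    return $bad
}

# The notes want corosync and pacemaker enabled at boot, unlike the document.
enable_at_boot() { "$PCS" cluster enable --all; }

# One floating address plus one lsb: resource per role. auth-* are instances
# of the authoritative-dns script (tinydns + axfrdns), rec-* dnscache instances;
# all four configurations share one chroot, as the notes describe.
#      name   address      init script
ROLES="auth-1:192.0.2.11:authoritative-dns-1
auth-2:192.0.2.12:authoritative-dns-2
rec-1:192.0.2.21:recursive-dns-1
rec-2:192.0.2.22:recursive-dns-2"

define_resources() {
    echo "$ROLES" | while IFS=: read -r name addr script; do
        "$PCS" resource create "ip-$name" ocf:heartbeat:IPaddr2 \
            ip="$addr" cidr_netmask="$CIDR" nic="$NIC" op monitor interval=30s
        "$PCS" resource create "dns-$name" "lsb:$script" op monitor interval=30s
        # the service runs only where its address is, and only once it is up
        "$PCS" constraint colocation add "dns-$name" with "ip-$name" INFINITY
        "$PCS" constraint order "ip-$name" then "dns-$name"
    done
}

# Preferred layout: node-1 gets auth-1 + rec-1, node-2 gets auth-2 + rec-2.
# Finite scores, so that after a node failure everything can still run on
# the survivor; INFINITY here would leave half the addresses stopped.
place_resources() {
    set -- $NODES
    "$PCS" constraint colocation add ip-rec-1 with ip-auth-1 1000
    "$PCS" constraint colocation add ip-rec-2 with ip-auth-2 1000
    "$PCS" constraint colocation add ip-auth-2 with ip-auth-1 -1000
    "$PCS" constraint location ip-auth-1 prefers "$1=100"
    "$PCS" constraint location ip-auth-2 prefers "$2=100"
}
```

Two things to check before trusting this: the lsb: agents only work if each init script's status exits 0 when running and 3 when stopped, and Clusters from Scratch turns STONITH off for its walkthrough. With no fencing, a split brain has both nodes adding the same address and both answering, so configure fencing before relying on the failover.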