From owner-freebsd-isp@FreeBSD.ORG Tue Jun 28 15:23:24 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5FCE916A41C for ; Tue, 28 Jun 2005 15:23:24 +0000 (GMT) (envelope-from john@essenz.com) Received: from beck.quonix.net (beck.quonix.net [146.145.66.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1631F43D1D for ; Tue, 28 Jun 2005 15:23:23 +0000 (GMT) (envelope-from john@essenz.com) Received: from beck.quonix.net (localhost [127.0.0.1]) by beck.quonix.net (8.13.4/8.13.4) with ESMTP id j5SFNEXL016683; Tue, 28 Jun 2005 11:23:14 -0400 (EDT) Received: from localhost (essenz@localhost) by beck.quonix.net (8.13.4/8.13.4/Submit) with ESMTP id j5SFNEUe016680; Tue, 28 Jun 2005 11:23:14 -0400 (EDT) X-Authentication-Warning: beck.quonix.net: essenz owned process doing -bs Date: Tue, 28 Jun 2005 11:23:14 -0400 (EDT) From: John Von Essen X-X-Sender: essenz@beck.quonix.net To: Adam Jacob Muller In-Reply-To: <1D0EBF69-F1EB-4056-BCA1-2E91207D11E8@oxeo.com> Message-ID: <20050628111413.J15817@beck.quonix.net> References: <20050628102618.J13559@beck.quonix.net> <1D0EBF69-F1EB-4056-BCA1-2E91207D11E8@oxeo.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-SpamAssassin-3.0.3-Score: -2.82/5.8 ALL_TRUSTED X-MimeDefang-2.51: beck.quonix.net X-Scanned-By: MIMEDefang 2.51 on 146.145.66.90 Cc: freebsd-isp@freebsd.org, John Von Essen Subject: Re: Thoughts on a large-scale DNS server... X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jun 2005 15:23:24 -0000 Adam, Thanks for the info. The two servers will be in two geographically separated datacenters. I am unfamiliar with djbdns. The first question I have is, are zone file configurations the same. We currently have all 11,000 zone files ready to go within a BIND environment, and we really dont want to have to change the core config style of all those domains. As for TTL, we currently use a 24 hour TTL, for zone file itself we then do something like: $TTL 86400 @ IN SAO ... 2004100500 ; Serial 10800 ; Refresh after 3 hour 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 86400 ) ; Minimum TTL of 1 day The majority of our dns will rarely if "ever" change. I would only use Linux if I was really convinced that BIND (or djbdns) for some reason or another ran better (better pthread support, etc.,.) on it. But then again I'm partial to FreeBSD. -John On Tue, 28 Jun 2005, Adam Jacob Muller wrote: > I annotated your message below, basically explaining our similar setup. > > On Jun 28, 2005, at 10:42 AM, John Von Essen wrote: > > > I have been tasked with setting up a large-scale dns server > > environment > > (One ISP is taking over another ISP) and would greatly appreciate any > > thouhts or experiences that could help me out. > > > > In the end we will probably be doing authoritative DNS for 11,000 > > domains, > > and another 200 or so in-arpa address ranges for reverse resolution. > > we have ~ 10k domains right now, and much less than 200 ptr's > > > > > The plan is to have 3 core machines. One is the master, and gets > > its zone > > files created from local cvs exports. The other two are slaves, and do > > zone transfers from the master. The Public will actually only talk to > > these two slave DNS servers (NS1 and NS2). The machines themselves > > will be > > Single 3Ghz Xeon, 1Gb Memory, and 70Gb RAID 1 U320 SCSI. For every > > machine, we will have a standby machine waiting and ready. > > sounds like a very conservative setup, and for DNS that's good. if at > all possible I > would suggest that you move at least one of those servers to a > totally seperate network. > This is important, if your network is unreachable for say, 20 minutes > for any reason, anyone who queries > your dns in that time and caches the result will be unable to connect > until that invalid entry clears from their cache. > > As slashdot tells us, some providers ignore your set records, > http://ask.slashdot.org/article.pl? > sid=05/04/18/198259&tid=95&tid=128&tid=4 > so this is a very prudent step as i'm sure providers also tweak the > retry times since a failed lookups are > more likely to be repeated and consume more resources than successful > ones. > > > > > > The first question is, do I have enough CPU/Memory. Keep in mind these > > machines will nothing but DNS. > > Yes > > > > > Are there any performace issues with using regular filesystem > > directory > > zone file storage. For example, we will have a very large > > named.conf file > > with some 11,000 zone entries (I have never worked with a named.conf > > file that big before). Those entries will just reference the local > > filesystem, file "s/a/adam.com"; and so on. > > > > The next big question is BIND8 or BIND9. I would like to take > > advantage of > > threading in BIND9, but saw a previous post that BIND9 can have > > difficulty > > working with BIND8 servers which were incorrectly setup, whereas > > BIND8 can > > allow for a certain level of "external" incompetence. > > the real question is, do you want to use bind at all? > We currently use djbdns to manage everything, i personally find it to > be much more tolerant of errors than any version of bind. > http://cr.yp.to/djbdns.html > > > > > > And finally, Linux or FreeBSD, and if FreeBSD, 4 or 5. > > FreeBSD > > > > > Current staff (besides me) whats to run Debian Linux, but BIND9 > > pthreads > > dont work in Linux, do they work in FreeBSD? I want to use FreeBSD > > just > > because it better overall with regards to TCP/IP. > > Debian is a good, stable linux distro, my personal favorite in fact. > (though gentoo is also nice). > Linux is more reliable out of the box, FreeBSD can and is more > reliable if you know how to work it. > > > > > The only performance numbers we got from the other ISP, is that > > existing > > dns servers use about a constanst 400 kbps (bits) of bandwidth. > > The bandwidth, the needed server specs are a combination of two > things. First, the number of domains you have and 2nd the TTL on > those domains. > We currently use a TTL of 12 hours. This serves us well. If you halve > the TTL to say, 6 hours, expect to double the number of DNS queries. > If you double the TTL to 24 hours, expect to halve the number of DNS > queries. > > > > > Thanks in advance > > John > > _______________________________________________ > > freebsd-isp@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" > > > > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" >