[svlug] BIND9 on EC2

Rick Moen rick at svlug.org
Sun Nov 30 21:46:58 PST 2014

Just a follow-up note, Scott, about something that kept coming up during 
that thread.  I refer to the bit where you wrote one or two sentences 
characterising something in front of you, and my response was 'What?', 
sometimes followed by my best effort at _guessing_ what you were talking 
about.  This included the key passage at the beginning of your initial 
message where (you say) you revealed the problem you were aiming to solve.
I'd honestly have liked nothing better than to say 'Although I'm not getting
your meaning at all, probably lots of other people will.'  Sorry, I don't 
think so, and yrs. truly has done DNS administration for a living since some
time in the 1980s.

After about Round Three of the 'What?' reaction, you came up with this
sentence:   'A can only access nameserver settings; no records.'

That sentence honestly doesn't say _anything_.  It doesn't say anything even
if one assumes 'A' was a typo (that you never followed up to clarify) that 
was intended to be 'I'.

Moreover, if I guess your intended meaning correctly (and double-checking
the PNG), you were indulging a habit notorious for sabotaging communication
with would-be technical helpers:  posting your interpretations of the
situation, when what your helpers need is the raw data.[1]

Looking at your PNG, one (finally) sees that you were talking about your
domain's roster of authoritative DNS nameservers in your administrative 
pages for it at your registrar.[2]  It would have been extremely handy if 
you had bothered to detail what else other than nameserver entries you
_expected_ to see there, and why.  That would have helped more quickly get
past what turned out to be some sort of mistaken conception about the domain
administrative WebUI.  (I _still_ don't know what else you expected to be 
there, and why.)

And ironically, the nameserver lines in question _are_ DNS records - in the
parent zone.

On a different matter:

> I felt it best to create my own Master and Slave on EC2 and I guess a
> third as well since it is highly recommended.

The main point of having three to seven (RFC recommendation) authoritative
nameservers for a domain is to avoid single points of failure - not having
those nameservers sharing the same power circuit, or the same IP
gateway, or any other common technological or geographical factor that could
make possible taking out multiple sources of the nameservice information at
the same time.

You be the judge about whether three nameservers all on EC2 meet those
criteria.  I kinda doubt it.

Specifically, I'm talking about RFC 2182, 'Selection and Operation of
Secondary DNS Servers', this passage:

3.1. Selecting Secondary Servers

   When selecting secondary servers, attention should be given to the
   various likely failure modes.  Servers should be placed so that it is
   likely that at least one server will be available to all significant
   parts of the Internet, for any likely failure.

   Consequently, placing all servers at the local site, while easy to
   arrange, and easy to manage, is not a good policy.  Should a single
   link fail, or there be a site, or perhaps even building, or room,
   power failure, such a configuration can lead to all servers being
   disconnected from the Internet.

   Secondary servers must be placed at both topologically and
   geographically dispersed locations on the Internet, to minimise the
   likelihood of a single failure disabling all of them.

   That is, secondary servers should be at geographically distant
   locations, so it is unlikely that events like power loss, etc, will
   disrupt all of them simultaneously.  They should also be connected to
   the net via quite diverse paths.  This means that the failure of any
   one link, or of routing within some segment of the network (such as a
   service provider) will not make all of the servers unreachable.

3.2. Unsuitable Configurations

   While it is unfortunately quite common, servers for a zone should
   certainly not all be placed on the same LAN segment in the same room
   of the same building - or any of those.  Such a configuration almost
   defeats the requirement, and utility, of having multiple servers.
   The only redundancy usually provided in that configuration is for the
   case when one server is down, whereas there are many other possible
   failure modes, such as power failures, including lengthy ones, to

Some might claim there's no way that multiple EC2 nodes could be taken down
by the same thing at the same time, and I hope they're right.  Me, though, I 
like to have nameservers be diverse in lots of ways including being
physically in different counties (ideally, different states).

[1] One of the several passages in How to Ask Questions the Smart Way where
I warn about this syndrome is the bit where I say 'Treat technical people
like they're from Missouri.  Their motto is "Show me."'
[2] Once again, I'll point out that each registrar is a little different 
in how this functionality gets provided.
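The RFC 2182 placement criteria quoted above (enough servers, no shared link, no shared site), turned into a small check over a zone's NS set. This is an added example, not part of Rick's post; the nameserver hosts, addresses (from the documentation ranges) and "site" labels are constructed, and using a shared /24 as a proxy for "same link or router" is an assumption of the example.

```python
"""Single-point-of-failure check for a zone's authoritative nameserver set, in the
spirit of RFC 2182 sections 3.1/3.2.  Added example; hosts, IPs and site labels
are constructed (IPs come from the documentation ranges), not real delegations."""
import ipaddress
from collections import Counter

# Constructed: three nameservers, all on EC2 in one region and one /24.
ALL_EC2_ONE_REGION = [
    {"host": "ns1.example.net", "ip": "203.0.113.10", "site": "ec2/us-west-2"},
    {"host": "ns2.example.net", "ip": "203.0.113.11", "site": "ec2/us-west-2"},
    {"host": "ns3.example.net", "ip": "203.0.113.12", "site": "ec2/us-west-2"},
]
# Constructed: same count, but dispersed across providers, networks and places.
DISPERSED = [
    {"host": "ns1.example.net", "ip": "203.0.113.10", "site": "ec2/us-west-2"},
    {"host": "ns2.example.org", "ip": "198.51.100.20", "site": "colo/Chicago"},
    {"host": "ns3.example.com", "ip": "192.0.2.30", "site": "isp/Boston"},
]

def spof_findings(nameservers, min_count=3, max_count=7):
    """Return a list of findings describing likely common failure modes.

    An empty list means none of the checks fired.  The /24 test is a rough
    stand-in for 'same link or router' (an assumption of this example); the
    'site' label stands in for shared power, building and provider.
    """
    findings = []
    n = len(nameservers)
    if n < min_count:
        findings.append(f"only {n} nameserver(s); {min_count} is the usual minimum")
    elif n > max_count:
        findings.append(f"{n} nameservers; exceeds the recommended maximum of {max_count}")
    # Topological diversity: addresses in one /24 almost surely share a link.
    by_net = Counter(
        str(ipaddress.ip_network(f"{ns['ip']}/24", strict=False)) for ns in nameservers
    )
    for net, count in sorted(by_net.items()):
        if count > 1:
            findings.append(f"{count} nameservers share the prefix {net}")
    # Geographic/provider diversity: one site means one power feed, one outage.
    by_site = Counter(ns["site"] for ns in nameservers)
    if n > 1 and len(by_site) == 1:
        findings.append(f"all {n} nameservers are at one site: {next(iter(by_site))}")
    return findings

if __name__ == "__main__":
    for label, ns_set in (("all-EC2", ALL_EC2_ONE_REGION), ("dispersed", DISPERSED)):
        print(label, "->", spof_findings(ns_set) or ["no single point of failure found"])
```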
