[svlug] BIND9 on EC2
rick at svlug.org
Sun Nov 30 21:46:58 PST 2014
Just a follow-up note, Scott, about something that kept coming up during
that thread. I refer to the bit where you wrote one or two sentences
characterising something in front of you, and my response was 'What?',
sometimes followed by my best effort at _guessing_ what you were talking
about. This included the key passage at the beginning of your initial
message where (you say) you revealed the problem you were aiming to solve.
I'd honestly have liked nothing better than to say 'Although I'm not getting
your meaning at all, probably lots of other people will.' Sorry, I don't
think so, and yrs. truly has done DNS administration for a living since some
time in the 1980s.
After about Round Three of the 'What?' reaction, you came up with this
sentence: 'A can only access nameserver settings; no records.'
That sentence honestly doesn't say _anything_. It doesn't say anything even
if one assumes 'A' was a typo (that you never followed up to clarify) that
was intended to be 'I'.
Moreover, if I guess your intended meaning correctly (and double-checking
the PNG), you were indulging a habit notorious for sabotaging communication
with would-be technical helpers: posting your interpretations of the
situation, when what your helpers need is the raw data.
Looking at your PNG, one (finally) sees that you were talking about your
domain's roster of authoritative DNS nameservers in your administrative
pages for it at your registrar. It would have been extremely handy if
you had bothered to detail what else other than namserver entries you
_expected_ to see there, and why. That would have helped more-quickly get
past what turned out to be some sort of mistaken conception about the domain
administrative WebUI. (I _still_ don't know what else you expected to be
there, and why.)
And ironically, the nameserver lines in question _are_ DNS records - in the
On a different matter:
> I felt it best to create my own Master and Slave on EC2 and I guess a
> third as well since it it highly recommended.
The main point of having three to seven (RFC recommendation) authoritative
nameservers for a domain is to avoid single points of failure - not having
those nameservers not sharing the same power circuit, or the same IP
gateway, or any other common technological or geographical factor that could
make possible taking out multiple sources of the nameservice information at
the same time.
You be the judge about whether three nameservers all on EC2 meet those
criteria. I kinda doubt it.
Specifically, I'm talking about RFC 2182, 'Selection and Operation of
Secondary DNS Servers', this passage:
3.1. Selecting Secondary Servers
When selecting secondary servers, attention should be given to the
various likely failure modes. Servers should be placed so that it is
likely that at least one server will be available to all significant
parts of the Internet, for any likely failure.
Consequently, placing all servers at the local site, while easy to
arrange, and easy to manage, is not a good policy. Should a single
link fail, or there be a site, or perhaps even building, or room,
power failure, such a configuration can lead to all servers being
disconnected from the Internet.
Secondary servers must be placed at both topologically and
geographically dispersed locations on the Internet, to minimise the
likelihood of a single failure disabling all of them.
That is, secondary servers should be at geographically distant
locations, so it is unlikely that events like power loss, etc, will
disrupt all of them simultaneously. They should also be connected to
the net via quite diverse paths. This means that the failure of any
one link, or of routing within some segment of the network (such as a
service provider) will not make all of the servers unreachable.
3.2. Unsuitable Configurations
While it is unfortunately quite common, servers for a zone should
certainly not all be placed on the same LAN segment in the same room
of the same building - or any of those. Such a configuration almost
defeats the requirement, and utility, of having multiple servers.
The only redundancy usually provided in that configuration is for the
case when one server is down, whereas there are many other possible
failure modes, such as power failures, including lengthy ones, to
Some might claim there's no way that multiple EC2 nodes could be taken down
by the same thing at the same time, and I hope they're right. Me, though, I
like to have nameservers be diverse in lots of ways including being
physically in different counties (ideally, different states).
 One of the several passages in How to Ask Questions the Smart Way where
I warn about this syndrome is the bit were I say 'Treat technical people
like they're from Missouri. Their motto is "Show me."'
 Once again, I'll point out that each registrar is a little different
in how this functionality gets provided.
More information about the svlug