Is it possible to source zone transfer requests to external primaries from my Anycast IPs? I have customers using my grid for secondary DNS service and they need to maintain an ACL on their end for allowing zone transfers. It makes far more sense for them to just have to add the publicly-advertised Anycast IP addresses of my DNS cluster instead of the physical IP of one or more specific member nodes, which might be subject to change.
2 weeks ago
Zone transfers are performed by TCP sessions. In order for the anycast source to work, the replies would have to return to the member which sourced the session. Depending on your topology, routing from the customer perspective might end up at a different member.
Are your real IPs not sufficiently stable that the customer could allow ranges?
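The return-path problem described in the reply above, as an added toy model (not code from the thread, from Infoblox, or from the posters). Member names, the anycast and primary addresses, and the per-member path costs are constructed for illustration; the model only captures that the primary answers to the SYN's source address and that the customer's routing delivers an anycast destination to whichever member it currently prefers.

```python
"""Toy model of why a TCP zone transfer sourced from an anycast address breaks.

Added example for this thread, not code from Infoblox or from the posters.
Member names, addresses and path costs are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANYCAST_IP = "198.51.100.53"   # assumed service address announced by every member
PRIMARY_IP = "203.0.113.10"    # assumed customer primary, external to the grid

Session = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Member:
    """One grid member: a unique real IP plus the shared anycast address."""
    name: str
    real_ip: str
    sessions: Set[Session] = field(default_factory=set)  # TCP state held here only

    def owns(self, ip: str) -> bool:
        return ip in (self.real_ip, ANYCAST_IP)


@dataclass
class CustomerRouting:
    """The customer's view of routing: the anycast prefix is reachable via
    several members and the lowest-cost path wins; real IPs are unique."""
    cost: Dict[str, int]  # member name -> path cost as seen from the customer

    def deliver(self, dst_ip: str, members: List[Member]) -> Optional[Member]:
        candidates = [m for m in members if m.owns(dst_ip)]
        if not candidates:
            return None
        return min(candidates, key=lambda m: self.cost[m.name])


def attempt_axfr(origin: Member, source_ip: str, members: List[Member],
                 routing: CustomerRouting, sport: int = 40000) -> Tuple[bool, str]:
    """Model the TCP handshake for an AXFR that `origin` sends from `source_ip`.

    Returns (handshake_completed, name of the member that received the SYN-ACK).
    """
    sess: Session = (source_ip, sport, PRIMARY_IP, 53)
    origin.sessions.add(sess)      # the SYN leaves origin; only origin has state

    # The primary replies to the SYN's source address. Where that reply lands
    # is decided by the customer's routing, not by which member sent the SYN.
    receiver = routing.deliver(source_ip, members)
    if receiver is None:
        return False, "unroutable"
    if sess in receiver.sessions:
        return True, receiver.name             # handshake completes, AXFR runs
    # A different member sees a SYN-ACK for a 4-tuple it knows nothing about
    # and answers with a RST; the transfer never starts.
    return False, receiver.name


if __name__ == "__main__":
    lon = Member("lon", "192.0.2.1")
    ams = Member("ams", "192.0.2.2")
    grid = [lon, ams]
    # Constructed: from this customer, the anycast prefix is nearest via "lon".
    routing = CustomerRouting(cost={"lon": 5, "ams": 20})
    print("ams via anycast :", attempt_axfr(ams, ANYCAST_IP, grid, routing))
    print("ams via real IP :", attempt_axfr(ams, ams.real_ip, grid, routing))
    print("lon via anycast :", attempt_axfr(lon, ANYCAST_IP, grid, routing))
```

Only the member the customer's routing already prefers can complete an anycast-sourced handshake, and that preference can change with routing; sourcing from the real IP works from any member.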
Part of the problem is that, after the lead secondary, there's no way (as far as I'm aware) to dictate which secondary takes over if the lead is down. This means every customer has to always maintain an ACL containing all of my secondaries. As a rapidly-expanding service provider with many customers, it is not practical for us to require all of our customers to update their ACLs every time our internal infrastructure changes.
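The customer-side ACL the posts above are about, as an added example (not code from the thread, from Infoblox, or from the posters): it collapses a provider's member addresses into the smallest set of prefixes, renders them as a BIND `acl` stanza, checks an incoming transfer source against them, and shows what a customer must change when a member is added. The member addresses and the ACL name are constructed values.

```python
"""Generate and check a customer-side zone-transfer ACL from provider member IPs.

Added example for this thread, not code from Infoblox or from the posters.
The member addresses and the ACL name are constructed values.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed: the provider's secondary members, as a customer has to list them.
PROVIDER_MEMBERS = ["192.0.2.8", "192.0.2.9", "192.0.2.10",
                    "192.0.2.11", "192.0.2.12", "2001:db8::53"]


def collapse_members(addrs: Iterable[str]) -> List[Net]:
    """Collapse member IPs into the smallest CIDR set covering exactly them.

    ipaddress.collapse_addresses() rejects mixed versions, so v4 and v6 are
    collapsed separately and concatenated.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    out: List[Net] = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return out


def render_bind_acl(name: str, nets: List[Net]) -> str:
    """Render the prefixes as a named.conf acl block for use in allow-transfer."""
    lines = [f'acl "{name}" {{']
    lines += [f"    {n.with_prefixlen};" for n in nets]
    lines.append("};")
    return "\n".join(lines)


def transfer_allowed(source_ip: str, nets: List[Net]) -> bool:
    """Would a transfer request from source_ip match the ACL?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == n.version and ip in n for n in nets)


def acl_changes(old_members: Iterable[str],
                new_members: Iterable[str]) -> Tuple[List[Net], List[Net]]:
    """Prefixes the customer must add and drop when the member set changes."""
    old = set(collapse_members(old_members))
    new = set(collapse_members(new_members))
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    nets = collapse_members(PROVIDER_MEMBERS)
    print(render_bind_acl("provider-secondaries", nets))
    print("192.0.2.10 allowed:", transfer_allowed("192.0.2.10", nets))
    print("192.0.2.13 allowed:", transfer_allowed("192.0.2.13", nets))
    # Constructed: the provider brings up one more member.
    added, removed = acl_changes(PROVIDER_MEMBERS, PROVIDER_MEMBERS + ["192.0.2.13"])
    print("add:", [str(n) for n in added], "remove:", [str(n) for n in removed])
```

The rendered block is plain BIND syntax (`allow-transfer { provider-secondaries; };` then references it). Running `acl_changes` for a single new member shows that even a one-address change can replace an existing prefix rather than just append one, which is the per-customer churn the question describes; the alternative the reply suggests is for the provider to allocate members from a fixed range the customer can allow once.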