Reply

Initiate transfers from anycast IPs

rhinst
Techie
Posts: 3
2078     0

Is it possible source zones transfer requests to external primaries from my Anycast IPs? I have customers using my grid for secondary DNS service and they need to maintain an ACL on their end for allowing zone transfers. It makes far more sense for them to just have to add the publicly-advertised Anycast IP addresses of my DNS cluster instead of the physical IP of one or more specific member nodes, which might be subject to change.

Highlighted

Re: Initiate transfers from anycast IPs

Expert
Posts: 227
2078     0

Zone transfers are performed by TCP sessions.  In order for the anycast source to work, the replies would have to return to the member which sourced the session.  Depending on your topology, routing from the customer perspective might end up at a different member.

 

Are your real IPs not sufficiently stable that the customer could allow ranges?

 

Re: Initiate transfers from anycast IPs

rhinst
Techie
Posts: 3
2079     0

Part of the problem is that, after the lead secondary, there's no way (as far as I'm aware) to dictate which secondary takes over if the lead is down.  This means every customer has to always maintain an ACL containing all of my secondaries. As a rapidly-expanding service provider with many customers, not practical for us require all of our customers to update their ACLs every time our internal infrastructure changes.

Re: Initiate transfers from anycast IPs

Adviser
Posts: 77
2079     0

Can't you use TSIG for this?

Showing results for 
Search instead for 
Do you mean 

Recommended for You