On 16 September 2014 09:53, Tony Finch wrote:
> Terry Burton wrote:
>>
>> ISC's SNS-PB seems to fit the bill and we have been quoted ~$1000
>> p.a. Anycast, multi-master, high-volume...
>
> We have been eyeing that with interest. How many zones is the quote for?
Here's what we submitted:
Organization: University of Leicester
Type for Organization: Educational (UK HE)
<...snip...>
Number of zones 4
Estimated Number of RRs: 250,000 (including DNSSEC RRs)
Sample list of zones: le.ac.uk, leicester.ac.uk,
210.143.in-addr.arpa, 6.0.3.0.0.3.6.0.1.0.0.2.ip6.arpa
Average Query Load (qps): 25-100 (occasional bursts of 1000 qps)
I'll summarise how our discussions go once we've made our decision.
The pricing is currently indicative and we are awaiting a response to
some technical questions.
>> Secondly, in the broader context of disaster recovery perhaps people
>> are prepared to describe any of their solutions (present or future) to
>> remotely update DNS in the presence of DNSSEC signing?
>
> We don't have a specific plan, but my approach would roughly be to have an
> offsite slave which is used as a second master by our public secondaries.
> (XFR distribution nets can be arbitrary graphs.) This would have a small
> amount of tooling to convert it into a master in place. We would keep a
> copy of the DNSSEC keys either offline somewhere (so they can be uploaded
> to the backup server when required), or encrypted on the server. (Or a
> local and offsite pair of HSMs perhaps?) After the conversion to master,
> nsupdate would make the necessary changes, probably agreed in advance and
> scripted.
Likewise, we are toying with an offsite stealth slave to which we sync
encrypted DNSSEC keys. Currently it is a VPS, though real hardware might be
better (more entropy, etc.), but the intention is to only resort to
this in a "real disaster."
The ISC have mentioned that they are considering methods for online
conversion of a slave into a signing master for a future version of
BIND. We'll follow that with interest but a scripted solution will
suffice for the time being. Again, if/when we have something baked
that's sufficiently generic then we'll share it.
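As an added illustration of the slave-to-master conversion sketched above (example code written for this page, not tooling from Tony Finch, Terry Burton or ISC), here is a POSIX shell script that rewrites a single zone stanza in named.conf from a slave into an inline-signing master in place. It assumes BIND 9.9 or later (for `inline-signing` and `auto-dnssec`), that the encrypted key files have already been synced to the offsite host, and it uses constructed zone names, addresses and paths as placeholders.

```shell
#!/bin/sh
# Added example (not tooling from the thread's authors): promote an offsite
# BIND stealth slave to a signing master by rewriting one zone stanza in
# named.conf in place. Assumes BIND 9.9+ (inline-signing / auto-dnssec) and
# that the zone's KSK/ZSK files have been decrypted into KEYDIR beforehand.
# All paths, addresses and zone names below are constructed placeholders.
set -eu

# Constructed named.conf with two slave zones; only the first is promoted.
sample_conf() {
  cat <<'EOF'
options { directory "/var/named"; };
zone "example.ac.uk" {
    type slave;
    file "slaves/example.ac.uk.db";
    masters { 192.0.2.1; };
    allow-transfer { 198.51.100.0/24; };
};
zone "2.0.192.in-addr.arpa" {
    type slave;
    file "slaves/2.0.192.in-addr.arpa.db";
    masters { 192.0.2.1; };
};
EOF
}

# Decrypt previously synced, GnuPG-encrypted key files into the key directory.
# Not invoked by the demo below, since it needs a real keyring.
stage_keys() {
  encdir="$1"; keydir="$2"
  mkdir -p "$keydir"
  for f in "$encdir"/K*.key.gpg "$encdir"/K*.private.gpg; do
    [ -e "$f" ] || continue
    out="$keydir/$(basename "$f" .gpg)"
    gpg --batch --yes --output "$out" --decrypt "$f"
    chmod 600 "$out"
  done
}

# promote_zone CONF ZONE KEYDIR
# Within the stanza for ZONE only: "type slave" becomes "type master" plus the
# signing directives, and the (single-line) masters clause is dropped.
# Every other stanza is copied through unchanged.
promote_zone() {
  conf="$1"; zone="$2"; keydir="$3"
  awk -v zone="$zone" -v keydir="$keydir" '
    $0 ~ ("^zone \"" zone "\" ") { inzone = 1 }
    inzone && /^[ \t]*type[ \t]+slave;/ {
      sub(/slave/, "master")
      print
      print "    key-directory \"" keydir "\";"
      print "    inline-signing yes;"
      print "    auto-dnssec maintain;"
      next
    }
    inzone && /^[ \t]*masters[ \t]*\{/ { next }
    /^};/ { inzone = 0 }
    { print }
  ' "$conf" > "$conf.new"
  mv "$conf.new" "$conf"
  # In production follow this with: named-checkconf "$conf" && rndc reconfig
}

# Demo on a temporary copy of the constructed config, so it is safe anywhere.
demo=$(mktemp)
sample_conf > "$demo"
promote_zone "$demo" example.ac.uk /var/named/keys
cat "$demo"
rm -f "$demo"
```

Because `inline-signing` keeps the unsigned zone file separate and lets named maintain the signatures itself, the scripted `nsupdate` changes mentioned above can then be applied to the promoted zone without touching the signing logic; the stanza rewrite is the only structural change needed.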