
I am implementing a solution to load balance DNS queries across multiple BIND recursive DNS servers to increase the QPS limit.

Each CentOS VM has a namespace gi set up with the loopback of the ns set to a single DNS public IP.

Each DNS server advertises the same DNS IP to my network across BGP peerings configured on my Quagga router.

All incoming queries are load-balanced via the network core using the BGP maximum-paths feature.

However, only one BIND DNS server will query the DNS IP; the other will just return SERVFAIL (this is not static: if I kill the BGP peerings to Server1, queries are successful, and the same happens if I kill the peerings to Server2). However, they will not work in tandem.

One thing I have noticed is that if I do a

    ip netns exec gi dig @DNSIP +trace

on Server1:

    ip netns exec gi dig @DNSIP  cloudflare.com +trace

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @DNSIP cloudflare.com +trace
    ; (1 server found)
    ;; global options: +cmd
    .           509520  IN  NS  e.root-servers.net.
    .           509520  IN  NS  c.root-servers.net.
    .           509520  IN  NS  f.root-servers.net.
    .           509520  IN  NS  j.root-servers.net.
    .           509520  IN  NS  b.root-servers.net.
    .           509520  IN  NS  i.root-servers.net.
    .           509520  IN  NS  h.root-servers.net.
    .           509520  IN  NS  m.root-servers.net.
    .           509520  IN  NS  k.root-servers.net.
    .           509520  IN  NS  a.root-servers.net.
    .           509520  IN  NS  l.root-servers.net.
    .           509520  IN  NS  d.root-servers.net.
    .           509520  IN  NS  g.root-servers.net.
    .           509520  IN  RRSIG   NS 8 0 (didn't include the key)

whereas Server2 does not return an RRSIG even though both named.conf files have dnssec-enable yes and dnssec-validation yes:

    ip netns exec gi dig @DNSIP  cloudflare.com +trace

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @DNSIP cloudflare.com +trace
    ; (1 server found)
    ;; global options: +cmd
    .           518400  IN  NS  c.root-servers.net.
    .           518400  IN  NS  k.root-servers.net.
    .           518400  IN  NS  g.root-servers.net.
    .           518400  IN  NS  d.root-servers.net.
    .           518400  IN  NS  a.root-servers.net.
    .           518400  IN  NS  j.root-servers.net.
    .           518400  IN  NS  e.root-servers.net.
    .           518400  IN  NS  h.root-servers.net.
    .           518400  IN  NS  f.root-servers.net.
    .           518400  IN  NS  i.root-servers.net.
    .           518400  IN  NS  m.root-servers.net.
    .           518400  IN  NS  b.root-servers.net.
    .           518400  IN  NS  l.root-servers.net.

My DNSSEC configuration is as follows:

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

If I disable DNSSEC in my named.conf file, the DNS servers work in tandem and I can achieve my target goal of 20,000 QPS; however, with DNSSEC enabled it does not work.

Has anyone encountered a problem like this before? Is it a limitation of BIND behind a single public IP, or is it, as I suspect, an issue with my DNSSEC setup?

Dunner1991

  • Note that `dnssec-enable` is obsolete. – Tommiie Nov 10 '20 at 11:50
  • How are you load balancing if all but one server returns a SERVFAIL? Also, are you advertising the anycast IP address from several geographic locations on the Internet? Otherwise only one server will be closest and will receive all traffic. Reading the title, I expected to see a setup with a reverse proxy/load balancer in front of several DNS servers with private IP addresses. – Tommiie Nov 10 '20 at 11:53
  • Are you asking about the SERVFAIL or about the RRSIG records? It seems like you are asking two questions in one post. Please remove unneeded information and provide configuration samples. – Tommiie Nov 10 '20 at 11:54
  • Hi @Tommiie, thank you for the info regarding dnssec-enable – Dunner1991 Nov 10 '20 at 15:29
  • Hi @Tommiie, I have made changes to the post above so I hope the question has become more clear. It was my understanding that SERVFAIL was being returned due to an issue with DNSSEC on my BIND DNS servers – Dunner1991 Nov 10 '20 at 15:35
  • Since it stops working when you add DNSSEC into the mix, please share the relevant DNSSEC configuration snippets. – Tommiie Nov 10 '20 at 16:14
  • Hi @Tommiie, I have added the DNSSEC conf as it appears in my named.conf file (it is the same config for all of the DNS servers). Do I need to post any additional config relating to DNSSEC, i.e. the key file or anything else, to shed some more light on the issue I am facing? – Dunner1991 Nov 11 '20 at 08:30

1 Answer

Try this DNSSEC configuration on all of your DNS resolvers:

    options {
       //dnssec-enable no; - remove the line, the option has been obsoleted
       dnssec-validation auto;
    };

The option dnssec-enable has been deprecated (see ARM, p. 156) and DNSSEC lookaside validation (DLV) has also been deprecated (see ARM, p. 156).

For recursive resolvers I do not believe you need something else.

Note that `dnssec-validation auto;` is the default setting, so you do not even need to enter this one.
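As an added example (not from the question or the answer), a small Python audit that applies the advice above: it parses an options block laid out like the question's config, flags the obsolete and non-validating DNSSEC settings, and checks captured `dig +trace` output from each anycast node for an RRSIG so that a node that is not validating (as Server2 appears to be) shows up before it starts answering SERVFAIL. The config and dig samples are constructed from the page; the function names are mine.

```python
import re

# Constructed samples, not files read from disk: the options block from the
# question and the corrected one from the answer.
OLD_OPTIONS = """options {
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};"""
FIXED_OPTIONS = """options {
    //dnssec-enable no; - remove the line, the option has been obsoleted
    dnssec-validation auto;
};"""

# Constructed, abbreviated dig +trace captures: Server1 returned an RRSIG, Server2 did not.
TRACES = {
    "server1": ".  509520  IN  NS  e.root-servers.net.\n.  509520  IN  RRSIG  NS 8 0 ...",
    "server2": ".  518400  IN  NS  c.root-servers.net.\n.  518400  IN  NS  k.root-servers.net.",
}

def parse_options(conf):
    """Return {option: value} for simple 'name value;' lines, ignoring comments."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # /* ... */ comments
    text = re.sub(r"//[^\n]*", "", text)                # // comments
    return dict(re.findall(r"^\s*([\w-]+)\s+([^;\n]+);", text, flags=re.M))

def audit_dnssec_options(conf):
    """Findings for a BIND 9.11+ options block; an empty list means nothing to fix."""
    opts = parse_options(conf)
    findings = []
    if "dnssec-enable" in opts:
        findings.append("dnssec-enable is obsolete; remove it")
    validation = opts.get("dnssec-validation", "auto")  # auto is the default when unset
    if validation == "no":
        findings.append("dnssec-validation no: this resolver never validates")
    elif validation == "yes":
        findings.append("dnssec-validation yes needs a configured trust anchor; auto uses the built-in root key")
    if "dlv" in opts.get("bindkeys-file", "").lower():
        findings.append("bindkeys-file references a DLV key; DLV is deprecated")
    return findings

def returns_rrsig(dig_trace):
    """True if the captured dig +trace output contains an RRSIG record."""
    return any(re.search(r"\sIN\s+RRSIG\s", line) for line in dig_trace.splitlines())

def nodes_agree(traces):
    """True only if every anycast node behaves the same way with respect to RRSIGs."""
    return len({returns_rrsig(out) for out in traces.values()}) == 1

if __name__ == "__main__":
    for name, conf in (("question", OLD_OPTIONS), ("answer", FIXED_OPTIONS)):
        print(name, audit_dnssec_options(conf) or ["ok"])
    print("nodes agree on RRSIG:", nodes_agree(TRACES))
```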

Tommiie