

Distributing Authoritative Name Servers via Shared Unicast Addresses






RFC 3258        Distributing Authoritative Name Servers       April 2002


2.  Architecture

2.1 Server Requirements

   Operators of authoritative name servers may wish to refer to
   [SECONDARY] and [ROOT] for general guidance on appropriate practice
   for authoritative name servers.  In addition to proper configuration
   as a standard authoritative name server, each of the hosts
   participating in a shared-unicast system should be configured with
   two network interfaces.  These interfaces may be either two physical
   interfaces or one physical interface mapped to two logical
   interfaces.  One of the network interfaces should use the IPv4 shared
   unicast address associated with the authoritative name server.  The
   other interface, referred to as the administrative interface below,
   should use a distinct IPv4 address specific to that host.  The host
   should respond to DNS queries only on the shared-unicast interface.
   In order to provide the most consistent set of responses from the
   mesh of anycast hosts, it is good practice to limit responses on that
   interface to zones for which the host is authoritative.

2.2 Zone file delivery

   In order to minimize the risk of man-in-the-middle attacks, zone
   files should be delivered to the administrative interface of the
   servers participating in the mesh.  Secure file transfer methods and
   strong authentication should be used for all transfers.  If the hosts
   in the mesh make their zones available for zone transfer, the
   administrative interfaces should be used for those transfers as well,
   in order to avoid the problems with potential routing changes for TCP
   traffic noted in section 2.5 below.
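   The requirements of sections 2.1 and 2.2, expressed as a BIND 9
   named.conf fragment for one host of the mesh.  This is an added
   example, not configuration from the RFC or from any operator.  The
   addresses (RFC 5737 documentation ranges), the zone name and the key
   name are assumptions: 192.0.2.53 is the shared unicast address on the
   service interface, 198.51.100.7 is this host's own administrative
   address on its second (physical or logical) interface, and
   198.51.100.1 is the distribution host reached over the administrative
   network.

```conf
// Added example (not from RFC 3258): BIND 9 named.conf fragment for one
// host of a shared-unicast mesh.  All addresses, the zone and the key name
// are placeholders (RFC 5737 documentation ranges) and are assumptions.
//   192.0.2.53    shared unicast address, on the service interface
//   198.51.100.7  this host's own administrative address
//   198.51.100.1  distribution host, reached over the administrative network

// TSIG key shared with the distribution host (create with tsig-keygen).
key "mesh-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

options {
    directory "/var/named";

    // 2.1: answer queries only on the shared-unicast interface; the
    // administrative address is never a query endpoint
    listen-on { 192.0.2.53; };
    listen-on-v6 { none; };

    // 2.1: consistent answers across the mesh: authoritative data only,
    // no recursion and no cache
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };

    // 2.2: zone transfers this host requests leave from the administrative
    // address, so the TCP session is not exposed to anycast route changes
    transfer-source 198.51.100.7;
    allow-transfer { none; };
};

zone "example.net" {
    type secondary;                 // "type slave" on BIND before 9.16
    file "secondary/example.net.db";
    // 2.2: pull the zone only from the distribution host's administrative
    // interface, authenticated with TSIG ("masters" on older BIND)
    primaries { 198.51.100.1 key "mesh-xfer"; };
};
```

   With this configuration the host never answers on 198.51.100.7, so
   a query that reaches the administrative address is a sign of
   misrouting or probing and is worth alerting on.  If the mesh members
   also serve zone transfers to each other, those would likewise be
   offered on the administrative address, which with a single listen-on
   address requires a separate BIND view matched on that destination
   address.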

2.3 Synchronization

   Authoritative name servers may be loosely or tightly synchronized,
   depending on the practices set by the operating organization.  As
   noted below in section 4.1.2, lack of synchronization among servers
   using the same shared unicast address could create problems for some
   users of this service.  In order to minimize that risk, switch-overs
   from one data set to another data set should be coordinated as much
   as possible.  The use of synchronized clocks on the participating
   hosts and set times for switch-overs provides a basic level of
   coordination.  A more complete coordination process would involve:

      a) receipt of zones at a distribution host
      b) confirmation of the integrity of zones received
      c) distribution of the zones to all of the servers in the mesh
      d) confirmation of the integrity of the zones at each server
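   The four-step coordination process above, worked through in Python as
   an added example (not code from the RFC).  It uses a SHA-256 digest of
   the zone file as the integrity check for steps b) and d), and a
   pre-agreed switch-over time from synchronized clocks as the
   coordination point.  The transport to each server's administrative
   address (scp or rsync over SSH in practice) is replaced by an
   in-memory copy, the zone, serials and addresses are constructed, and
   the digest is assumed to be published by the zone source out of band.

```python
"""Coordinated zone switch-over across a shared-unicast mesh.

Added example for RFC 3258 section 2.3, not code from the RFC.  Steps a-d
are modelled with a SHA-256 digest as the integrity check and a pre-agreed
switch-over time as the coordination point.  The transport to each server's
administrative address (scp, rsync over SSH) is an in-memory copy here;
the zone, serials and addresses are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed sample zone (RFC 5737 addresses), one serial ahead of the mesh.
ZONE_V2 = """\
$ORIGIN example.net.
$TTL 3600
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2024010102 ; serial
        7200 900 1209600 300 )
    IN NS ns1.example.net.
ns1 IN A  192.0.2.53
"""
SWITCH_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # agreed set time


def zone_digest(zone_text: str) -> str:
    """SHA-256 of the zone file exactly as delivered."""
    return hashlib.sha256(zone_text.encode("utf-8")).hexdigest()


def soa_serial(zone_text: str) -> int:
    """Serial is the third field after 'SOA' (MNAME, RNAME, SERIAL);
    comments and parentheses are ignored."""
    body = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    tokens = [t for t in (tok.strip("()") for tok in body.split()) if t]
    return int(tokens[tokens.index("SOA") + 3])


@dataclass
class MeshServer:
    """One host of the mesh, reached by its administrative address."""
    admin_addr: str
    live_serial: int
    staged: Optional[str] = None
    switch_at: Optional[datetime] = None

    def receive(self, zone_text: str) -> None:
        self.staged = zone_text            # step c, as seen by the server

    def verify(self, expected_digest: str) -> bool:
        """Step d: the copy matches what the distribution host verified
        and moves the serial forward."""
        if self.staged is None or zone_digest(self.staged) != expected_digest:
            return False
        return soa_serial(self.staged) > self.live_serial

    def activate(self, now: datetime) -> bool:
        """Install the staged zone once the agreed switch-over time arrives."""
        if self.staged is None or self.switch_at is None or now < self.switch_at:
            return False
        self.live_serial = soa_serial(self.staged)
        self.staged, self.switch_at = None, None
        return True


def coordinate_switchover(zone_text: str, expected_digest: str,
                          servers: List[MeshServer], switch_at: datetime,
                          transport: Optional[Callable[[str, str], str]] = None) -> Dict:
    """Steps a-d.  The switch-over is scheduled only when every server
    confirms integrity; one bad copy holds the whole mesh on the old data,
    which keeps answers on the shared unicast address consistent."""
    transport = transport or (lambda addr, text: text)
    if zone_digest(zone_text) != expected_digest:               # a) + b)
        return {"scheduled": False, "failed": ["distribution-host"]}
    for s in servers:                                          # c)
        s.receive(transport(s.admin_addr, zone_text))
    failed = [s.admin_addr for s in servers if not s.verify(expected_digest)]  # d)
    if failed:
        for s in servers:
            s.staged = None                 # abort everywhere, not just on one host
        return {"scheduled": False, "failed": failed}
    for s in servers:
        s.switch_at = switch_at
    return {"scheduled": True, "failed": []}


def run_demo() -> Dict:
    """Clean distribution, then a copy altered in transit to one server."""
    digest = zone_digest(ZONE_V2)   # assumed published by the zone source out of band
    mesh = [MeshServer(a, 2024010101) for a in ("198.51.100.7", "198.51.100.8")]
    clean = coordinate_switchover(ZONE_V2, digest, mesh, SWITCH_TIME)
    for s in mesh:
        s.activate(SWITCH_TIME)
    clean_serials = [s.live_serial for s in mesh]

    def tamper(addr: str, text: str) -> str:
        return text.replace("192.0.2.53", "192.0.2.54") if addr.endswith(".8") else text

    mesh = [MeshServer(a, 2024010101) for a in ("198.51.100.7", "198.51.100.8")]
    bad = coordinate_switchover(ZONE_V2, digest, mesh, SWITCH_TIME, transport=tamper)
    bad_serials = [s.live_serial for s in mesh]
    return {"clean": clean, "clean_serials": clean_serials,
            "bad": bad, "bad_serials": bad_serials}


if __name__ == "__main__":
    print(run_demo())
```

   The point of the all-or-nothing scheduling in coordinate_switchover is
   the section 4.1.2 concern the text refers to: a server that switched
   alone would give answers that differ from the rest of the mesh behind
   the same address.  In production the digest check would be paired
   with a syntax check of the zone (named-checkzone or equivalent) before
   the switch-over time is committed.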




Hardie                       Informational