User Guide for Cisco Network Registrar, 7.0
Managing High-Availability DNS Servers

Configuring High-Availability DNS Servers

Table Of Contents

Configuring High-Availability DNS Servers

HA DNS Processing

Configuring an HA DNS Server Pair

DNS Server Configuration for HA DNS

HA DNS Statistics

Configuring High-Availability DNS Servers

DNS was designed to have one primary server and multiple secondaries as authoritative for a zone. This works well for static addressing, because there is only one instance (the primary zone file) modified, while the secondaries periodically probe for updates from the primary, or the primary notifies the secondaries of them when the zone is loaded or reloaded.

This scenario has shortcomings with DNS updates under the RFC 2136 protocol where DHCP dynamically updates the DNS server, and only the primary DNS server can accept updates. This presents a single point of failure in that DNS updates cannot happen if the primary goes down.

To solve this problem, a second primary server can be made available as a hot standby that shadows the main primary server. This configuration is called High-Availability (HA) DNS. The Network Registrar web UI and CLI have features with which you can duplicate the primary setup required for HA DNS for the server pair. The server pair is responsible for detecting communication failures and the like.

See Also

HA DNS Processing
Configuring an HA DNS Server Pair
DNS Server Configuration for HA DNS
HA DNS Statistics

HA DNS Processing

In the normal state, both the main and backup primary servers are up and running. The main server processes all DNS updates from clients and sends all accepted updates to the hot standby backup. The backup server refuses any DNS updates during normal operation, while the main is running and communicating with the backup. Both servers respond to nonupdate queries and zone transfers. The main and backup partners exchange heartbeat messages to detect whether the other is unavailable.

If the hot standby backup goes down, the main waits a short time, then records the updates that the partner did not acknowledge. When the backup server comes back up, the main sends the recorded updates to the backup. If the backup has been down for an extended period, the main sends its entire zone data to the backup, essentially a full zone transfer.

If the main goes down, the backup waits a short time, then begins servicing the DNS updates from clients that the main would normally service and records the updates. When the main returns, the backup sends it the updates, and the main synchronizes with the backup any unsent updates it had before it went down. During the short synchronization period, neither server accepts DNS updates.

Both the main and backup can traverse the following states:

Startup—The servers establish communication and agree on the HA version to use. In this state, the servers do not accept DNS updates or RR edits, and they defer scavenging, if enabled.

Normal—Both servers are up and healthy, exchanging DNS updates and heartbeat messages. The main accepts DNS updates and RR edits, sends RR Update messages to the backup, and performs history trimming and scavenging, if enabled. The backup ignores DNS updates, refuses RR edits, but processes RR Update messages from the main server. The backup also performs history trimming, but defers scavenging, if enabled.

Communication-Interrupted—The server goes into this state after not getting a response or request from the partner during the communication timeout (ha-dns-comm-timeout) period (preset to 30 seconds). The server continues listening for communication from the partner (they both send heartbeat messages every 12 seconds) and tries to connect, meanwhile accepting DNS updates and RR edits and disabling scavenging.

Partner-Down—The server administrator notifies the partner that it will be down for an extended time. This manual intervention is possible only in Communication-Interrupted state. Either server continues listening for communication from the partner and tries to connect, accepts DNS updates and RR edits, and performs scavenging.

Synchronization—Once the partners establish or reestablish communication, they synchronize RR changes that occurred during the interrupted period.

Synchronization-Pending—Each server is waiting for the other to get ready to synchronize. In this state, DNS Updates and RR edits are not allowed.

When a DNS server starts up, it:

1. Tries to establish a connection with its partner.

2. Goes into Synchronization-Pending mode.

3. Goes into Synchronization mode once it receives a Synchronization-Pending response.

4. Goes into Normal mode.

Note HA DNS is fully integrated with DHCP servers updating the partners when hosts get added to the network (see Chapter 28, "Configuring DNS Update").
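The state descriptions and startup sequence above are easier to reason about as a small state machine. The following Python model is an added illustration, not Cisco Network Registrar code: it encodes which states accept DNS updates and RR edits for each role, detects a silent partner using the ha-dns-comm-timeout preset (30 s) and the 12 s heartbeat interval given on this page, queues updates the partner has not acknowledged for replay when communication is reestablished, and enforces that the partner can be declared down (the later `dns setPartnerDown` command) only from the Communication-Interrupted state. Event names (`partner_message`, `sync_pending_response`, `sync_complete`, `tick`) and the constructed timestamps and RR changes are assumptions for the model; the real servers exchange their own protocol messages.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

HEARTBEAT_INTERVAL = 12.0   # seconds; the page states partners send heartbeats every 12 s
HA_DNS_COMM_TIMEOUT = 30.0  # seconds; the page states ha-dns-comm-timeout is preset to 30 s


class State(Enum):
    STARTUP = "Startup"
    SYNC_PENDING = "Synchronization-Pending"
    SYNC = "Synchronization"
    NORMAL = "Normal"
    COMM_INTERRUPTED = "Communication-Interrupted"
    PARTNER_DOWN = "Partner-Down"


def accepts_updates(state: State, is_main: bool) -> bool:
    """DNS updates / RR edits allowed in this state for this role, per the page."""
    if state is State.NORMAL:
        return is_main  # the backup refuses updates while the main is healthy
    return state in (State.COMM_INTERRUPTED, State.PARTNER_DOWN)


def scavenging_allowed(state: State, is_main: bool) -> bool:
    """Scavenging runs for the main in Normal and for either role in Partner-Down."""
    if state is State.NORMAL:
        return is_main
    return state is State.PARTNER_DOWN


@dataclass
class HaDnsServer:
    is_main: bool
    comm_timeout: float = HA_DNS_COMM_TIMEOUT
    state: State = State.STARTUP
    last_partner_msg: Optional[float] = None              # time of last message seen from partner
    unacked_updates: List[str] = field(default_factory=list)  # recorded for replay on reconnect

    def partner_message(self, now: float) -> None:
        """Any heartbeat, request or response from the partner (hypothetical event name)."""
        self.last_partner_msg = now
        if self.state in (State.STARTUP, State.COMM_INTERRUPTED, State.PARTNER_DOWN):
            # connection established or reestablished: wait for the partner to get ready
            self.state = State.SYNC_PENDING

    def sync_pending_response(self, now: float) -> None:
        self.partner_message(now)
        if self.state is State.SYNC_PENDING:
            self.state = State.SYNC

    def sync_complete(self, now: float) -> None:
        self.partner_message(now)
        if self.state is State.SYNC:
            self.unacked_updates.clear()  # the partner now holds every recorded change
            self.state = State.NORMAL

    def tick(self, now: float) -> State:
        """Timer check: no partner message within ha-dns-comm-timeout -> Communication-Interrupted."""
        if (self.state in (State.NORMAL, State.SYNC, State.SYNC_PENDING)
                and self.last_partner_msg is not None
                and now - self.last_partner_msg > self.comm_timeout):
            self.state = State.COMM_INTERRUPTED
        return self.state

    def set_partner_down(self) -> None:
        """Operator action (dns setPartnerDown): valid only in Communication-Interrupted."""
        if self.state is not State.COMM_INTERRUPTED:
            raise RuntimeError("setPartnerDown not allowed in state " + self.state.value)
        self.state = State.PARTNER_DOWN

    def dns_update(self, change: str) -> bool:
        """Return True if the update is accepted; record it when the partner cannot ack it."""
        if not accepts_updates(self.state, self.is_main):
            return False
        if self.state is not State.NORMAL:
            self.unacked_updates.append(change)  # replayed once communication resumes
        return True


def simulate_backup_outage() -> Dict[str, object]:
    """Walk the main server through the 'backup goes down' scenario; times are constructed."""
    main = HaDnsServer(is_main=True)
    main.partner_message(0.0)          # connection established -> Synchronization-Pending
    main.sync_pending_response(1.0)    # -> Synchronization
    main.sync_complete(2.0)            # -> Normal
    main.dns_update("add host1 A 10.0.0.1")   # accepted and forwarded to the backup
    trace = [main.state]
    queued_before = len(main.unacked_updates)
    # The backup falls silent after t=2: two heartbeats are missed, then the timeout expires.
    for t in (2.0 + HEARTBEAT_INTERVAL, 2.0 + 2 * HEARTBEAT_INTERVAL, 2.0 + HA_DNS_COMM_TIMEOUT + 1.0):
        trace.append(main.tick(t))
    main.dns_update("add host2 A 10.0.0.2")   # still accepted, recorded for replay
    main.set_partner_down()                   # operator declares an extended outage
    trace.append(main.state)
    main.partner_message(400.0)               # backup returns -> Synchronization-Pending
    main.sync_pending_response(401.0)
    queued = list(main.unacked_updates)       # what the main replays to the backup
    main.sync_complete(402.0)
    trace.append(main.state)
    return {"trace": [s.value for s in trace], "queued": queued,
            "queued_before_outage": queued_before}
```

Running `simulate_backup_outage()` shows the main staying in Normal through two missed heartbeats, dropping to Communication-Interrupted once the 30 s timeout has elapsed, and clearing its recorded updates only after the backup has completed synchronization; a backup server in Normal state rejects `dns_update` and `set_partner_down` raises outside Communication-Interrupted.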

Configuring an HA DNS Server Pair

The attributes needed to set up an HA DNS server pair are:

ha-dns—Enabled or disabled. The preset value is disabled, so that this attribute must be set explicitly.

main—IP address of the main primary DNS server.

backup—IP address of the backup primary DNS server.

Local Basic or Advanced and Regional Web UI

Step 1 Create a cluster for the backup server.

Step 2 Click DNS, then HA Pairs to open the List HA DNS Server Pairs page.

Step 3 Click Add HA DNS Server Pair to open the Add HA DNS Server Pair page (see Figure 18-1 for the Advanced mode view of the page).

Figure 18-1 Add HA DNS Server Pair Page (Local Advanced)

Step 4 Enter the name of the server pair in the Name field. This can be any identifying text string.

Step 5 Click the cluster name of the main DNS server in the Main Server drop-down list.

Note If you change the IP address of your local host machine, you must modify the localhost cluster (on the Edit Cluster page) to change the address in the IP Address field. Do not set the value to

Step 6 Click the cluster name of the backup DNS server in the Backup Server drop-down list. This cannot be the same as the main server cluster. Set the ha-dns-main-server and ha-dns-backup-server attributes only if the server is configured with different interfaces for configuration management and update requests. (Configure the HA DNS protocol only with the interface used to service updates.)

Step 7 Click the ha-dns enabled button to enable HA DNS for the server pair.

Step 8 Click Add HA DNS Pair.

Step 9 Once the server pair appears on the List HA DNS Server Pairs page, synchronize the servers:

a. Click the Report icon in the Synchronize column.

b. On the Report Sync HA DNS Pair page, choose the direction of synchronization (Main to Backup or Backup to Main).

c. Choose the operation type (Update, Complete, or Exact). See the table on the page for details on the operations for each operation type.

d. Click Report to display the prospective synchronization changes on the View HA DNS Sync Report page.

e. Click Run to complete the synchronization and view the actual changes. The configuration gets pushed to the remote cluster.

f. Click Return to return to the List HA DNS Server Pairs page.

Step 10 Reload both DNS servers to begin HA communication. The DNS servers synchronize things such as unprotected RRs themselves when they start communicating.

CLI Commands

Be sure that the main and backup DNS servers have the same zone configurations. Then explicitly enable HA DNS (ha-dns-pair name enable ha-dns). Create the HA DNS server pair (ha-dns-pair name create mainaddr backupaddr). Then synchronize the servers using ha-dns-pair name sync, specifying the synchronization operation (update, complete, or exact) and direction (main-to-backup or backup-to-main). For example:

nrcmd> ha-dns-pair examplehadnspair enable ha-dns
nrcmd> ha-dns-pair examplehadnspair create localhost test-cluster
nrcmd> ha-dns-pair examplehadnspair sync exact main-to-backup

The CLI provides an additional command for the DNS server to set the HA DNS partner down, if necessary, which is possible only while in Communication-Interrupted state:

nrcmd> dns setPartnerDown

DNS Server Configuration for HA DNS

The only attribute on the main DNS server that addresses HA DNS is the ha-dns-comm-timeout attribute. This is the time the server waits, after network communication goes unacknowledged, before it decides that the partner is unreachable and enters the Communication-Interrupted state (see the description of this state in the "HA DNS Processing" section). The preset value is 30s. The server retries communication and then backs off at multiples of the ha-dns-comm-timeout interval.

An additional log setting, ha-details, enables logging of HA DNS-related information.

Note that the HA DNS configuration is possible for Network Registrar 6.2 and later DNS servers only. Both the main and backup must have absolutely identical zone and RR configurations, and you must set the same HA DNS attributes for both servers.

HA DNS Statistics

You can view HA DNS statistics.

Local Basic or Advanced Web UI

Click the Statistics icon on the Manage DNS Server page to open the DNS Server Statistics page. The statistics appear under the Max Counter Statistics subcategories of both the Total Statistics and Sample Statistics categories.

CLI Commands

Use dns getStats ha [total] to view the HA DNS Total counters statistics, and dns getStats ha sample to view the Sampled counters statistics.