This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] Updated DNS migration document
- Next message (by thread): [dns-wg] Updated DNS migration document
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mohsen Souissi
mohsen.souissi at nic.fr
Mon Jun 9 14:27:23 CEST 2008
Jim, On 27 Apr, Jim Reid wrote: | Here is the latest version of the DNS migration document. I've | included the comments made by Joao and Jarle. | Does anyone have anything else to add? ==> I know, it's quite late but I have just found time to review this document. In case it's not too late, please find below my remarks and suggestions. It's up to the authors to take all or part of it into account. First, I have some general comments: 1) I would recommend to use RFC3330 addresses for example IPv4 addresses. That's to say, within: 192.0.2/24 2) It would be a good idea (and also helpful by the way for administrators) to give examples of Name Servers supporting IPv6 transport (numbering within 2001:db8::/32, RFC 3849) In that case, all illustrations with IPv4 addersses would be completed by IPv6 addresses, when needed. 3) I think that it would be better to choose an NS list for example.com zone, such that not all of them be inside the zone itself For example: example.com. IN NS master.example.com. IN NS slave.example.net. and later "slave.example.org" (for the replacement). Attached below are my comments and suggestions (with '^' for locating the context and "==>" for my text). For readers only interested in the "diffs" a diff file is also attached. Mohsen. -------------- next part -------------- # # $Id: DNSmigration,v 1.7 2008/04/27 17:38:31 jim Exp $ # Recommended DNS Administration Procedure for Domain Name Migration Fernando Garcia Abstract The configuration and maintenance of DNS zones offer many degrees of freedom and thus several opportunities for making mistakes. One of the most complex and error prone situations that can arise is moving a domain name from one set of name servers to another. This can happen for a variety of reasons: technical, administrative and procedural. These problems can be even more awkward when the domain name concerns reverse lookups of IP addresses: for instance when a renumbering exercise is under way. One common reason for renumbering is when an an organisation changes its Internet Service Provider. An orderly sequence of changes has to be carefully co-ordinated to ensure the minimum disruption to important services such as those offered by email and web servers. Since this is not a situation which network or systems administrators need to handle very often, it is painfully easy to make mistakes when undertaking the migration process, These mistakes can have serious consequences for the services that depend on DNS service. This document is offers a step by step guide to system and network ^^^^^^^^^^^^^^^^^^ ==> document offers administrators, so they can have a problem free migration with full continuity of all services. Although the procedures described here do not require in-depth knowledge of the DNS protocol and its implementations, it is necessary to have some understanding of DNS fundamentals, notably name server configuration. The examples shown are specific to BIND but should be readily applied to other DNS implementations. 1. Conventions used in this document Domain names used in this document are for explanatory purposes only and should not be expected to lead to useful information in real life [RFC2606]. 2. Slave Server Migration The simplest form of name server migration is to move from one slave (secondary) server to another. In this case, the main effort is co-ordinating the reconfiguration of the name servers. For this example a new slave name server, ns1.example.com, is added for the example.com zone. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ==> rather "is going to replace slave.example.com" 2.1 Make new server authoritative for the zone For BIND, this is simply a matter of adding a new zone{} statement to the new name server's configuration file /etc/named.conf. [It is assumed that this file has already been created and a minimal but properly configured name server has been set up and is running. A suitable zone statement would resemble: zone "example.com" { type slave; file "slave-zones/example.com"; masters { 10.1.2.3; }; }; This instructs the new name server to be a slave server for the example.com zone and answer authoritatively for it. The server should check the zone's SOA record on the master server at IP address 10.1.2.3 and transfer the zone whenever it is updated on the master server. A copy of the transferred zone will be stored in the file slave-zones/example.com. Once /etc/named.conf has been updated, the configuration file should be checked with BIND9's named-checkconf utility. This should ensure the file contains no syntax errors or other mistakes which could leave the name server in an undefined or unknown state. Some form of version control should also be used at this point so /etc/named.conf should get committed to the organisation's preferred version control system, typically CVS or Subversion. The name server should now be forced to read the updated /etc/named.conf. This would normally be done with an rndc reconfig: % rndc reconfig The name server's logs should be checked to ensure that it has picked up the new configuration information and successfully transferred the example.com zone from the master server at 10.1.2.3. The obvious difficulties that could occur at this point should be readily identified from the name server's logs: some form of file system access permission issues ; connectivity problems; a non-authoritative master server; or incorrect name access controls on the master server. A discussion on how to resolve these problems is out of scope for this document. 2.2 Check the new server is authoritative for the zone Once the new slave server is answering authoritatively for example.com, this should be verified with a DNS query utility such as dig: % dig @10.9.8.7 example.com soa +norecurse ^^^^^^^^ ==> 10.40.5.2 ? Which server is quried and which server is responding? Update text below accordingly... ; <<>> DiG 9.4.2 <<>> @10.40.5.2 www.example.com ^^^^^^^^^ ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26413 ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.example.com. IN SOA ;; ANSWER SECTION: example.com. 3600 IN SOA master.example.com. hostmaster.example.com. 2007032700 86400 7200 3600000 172800 ;; AUTHORITY SECTION: example.com. 3600 IN NS master.example.com. example.com. 3600 IN NS slave.example.com. ;; ADDITIONAL SECTION: master.example.com. 3600 IN A 10.1.2.3 slave.example.com. 3600 IN A 10.11.12.13 ;; Query time: 4 msec ;; SERVER: 10.9.8.7#53(10.40.5.2) ^^^^^^^^ ^^^^^^^^^ ;; WHEN: Sun Mar 27 21:47:15 2007 ;; MSG SIZE rcvd: 131 Note that the new slave server's IP address (10.9.8.7) is queried directly instead of dig defaulting to whatever name server would be used by for routine DNS queries. The value of the returned SOA record should be identical to that found on the existing authoritative servers for the zone, master.example.com and slave.example.com. It is also important to check that the AA (Authoritative Answer) bit is set in the response from the new slave server. This is indicated by the "aa" entry in the flags header shown in the above output from dig. The +norecurse option is used to clear the RD bit (Recursion Denied) ^^^^^^ ==> Desired on the query. This shouldn't be necessary, especially when querying up-to-date name servers. However some DNS implementations such as BIND8 sometimes erroneously set the AA bit on answers. This may arise when the server also acts as a resolver. It can pass on the AA bit in the answer from a remote authoritative server when it resolves the query even though it was not authoritative for that data. If the new slave server suffers from this broken behaviour, it can lead the operator to assume that the new slave server is correctly configured with authoritative data even when it is not. Querying the new server with the RD bit cleared should ensure that the AA bit is only set on responses from servers that geunuinely are authoritative. ^^^^^^^^^^^^^^ ==> are genuinely If possible, the next check would be to query the name name server from different locations on the network. This could identify any connectivity problems or firewall issues that might prevent general access to the new slave server for DNS lookups. It may be advisable to check that EDNS0 queries work properly: some firewalls and middleware boxes are known to erroneously prevent these queries and responses. The +bufsize option to dig will generate EDNS0 queries. ie: % dig @10.9.8.7 example.com soa +bufsize=1024 +norecurse 2.3 Make the new slave server visible The next step is to make the newly-added slave server visible to the DNS. This is a two stage process. First the zone is updated. Then the delegation is updated, if necessary. 2.3.1 Updating the zone This is straightforward. An NS record for the new slave server is added to the example.com zone. If an address record (A or AAAA record) is needed for the new slave server, it should be added at this point. When the name of the new slave server is within the example.com zone, its address records must be added to the example.com zone. In this example, an address record for ns1.example.com is needed because this name lives in the example.com zone. Before the update, the zone file on the master server would resemble: example.com. IN NS master.example.com. example.com. IN NS slave.example.com. ... master.example.com. IN A 10.1.2.3 slave.example.com. IN A 10.11.12.13 After the update, the NS and glue records would look like: ^^^^ ==> it is not "glue", it's in-zone data ! instead of "glue", rather "A/AAA" example.com. IN NS master.example.com. example.com. IN NS slave.example.com. example.com. IN NS ns1.example.com. ... master.example.com. IN A 10.1.2.3 slave.example.com. IN A 10.11.12.13 ns1.example.com. IN A 10.9.8.7 Since the example.com has been updated, the zone's SOA record would be given a new serial number. The modified zone file would presumably be committed to the version control system. BIND9's named-checkzone should also be used to check for errors in the updated zone file: master% named-checkzone example.com example.com If all is well, the next step would be to make the master server load the new zone file with rndc: master% rndc reload example.com The master server's logs should be checked at this point. These should show that the server has successfully loaded the updated example.com zone. The logs should also indicate that it has sent out NOTIFY messages to the slave servers and that those slave servers have picked up the new version of the zone with a zone transfer. Ultra-cautious DNS administrators will use dig at this point to query the master server ^^^^^^^^^^^^^ ==> master and slave servers to ensure that the correct data is now being served: ^^ ==> "are" ? % dig @10.1.2.3 example.com ns Aside from mistakes when updating the example.com zone, likely errors at this stage will concern possible connectivity problems such as a routing or network fault or perhaps an incorrect name server or firewall access control list. As before, the logs should indicate what went wrong and resolution of those faults are beyond the scope of this document. With BIND 9.4, it is also possible for an authoritative name server to send NOTIFY messages with rndc: master% rndc notify example.com It is also possible to make a slave server schedule an immediate SOA serial number check on the master server without waiting for the zone's refresh interval to be reached: slave% rndc refresh example.com A slave server can be forced to transfer the zone from the master server irrespective of the value of the zone's SOA serial number. This tends to be used when the master and slave servers have inconsistent serial numbers caused by administrative error. slave: rndc retransfer example.com The notify, refresh and retransfer features offered by rndc are not needed for the process described here. They are just explained in case a DNS administrator makes a mistake and needs an easy way of correcting that error. 2.3.2 Update the delegation The new name server, ns1.example.com, is now answering queries for the example.com zone and is listed in its NS RRset. However the job is not yet done. The parent zone, in this case .com, needs to be updated. The parent zone contains delegation information for example.com and this has to reflect the NS records and any relevant glue records that are present in the child zone, example.com. How this update gets performed depends on the parent zone. In the case of .com, this involves the registrar sending an EPP transaction to the registry to update its database. Most TLDs operate on this model. In general registrars provide a web-based interface to allow their customers to update their delegations, renew domain name registrations, amend contact data and so on. Some registries offer other mechanisms such as email-based text templates. As will be seen later, RIRs use email-based templates for updating delegation information for reverse zones assigned to their LIRs. Though these updates can also be done through web-based systems like RIPE NCC's LIR portal service. Since there are so many options here, it is impractical to describe these in detail here. In simple terms, the DNS administrator can login to some web page and select the option that allows delegation information to be updated. At this point the name of the new server, ns1.example.com, is added. Its IP address will have to be added as a ^^^^^^^ glue record too. The .com zone needs to advertise the IP address of ^^^^^^ ns1.example.com even though this under the example.com zone cut. ^^+is ==> Comment: if ns1.example.com. has got an IPv6 address, update the paragraph above accordingly. After the update has been entered into the registry database, the new DNS data get added to the parent zone and propagated to its name servers. The time for this change to take effect varies. Some registries do this immediately or within 10 to 15 minutes. Others generate a new zone file every few hours or perhaps just once or twice a day. DNS administrators need to take account of these propagation delays when moving name servers for a zone. 2.4 Delete the old slave server ^^^^^^^^^^^^^^^^^^^^^^^^^^^ ==> I would suggest to rename this section as: "Remove the old slave server from the name servers list" Once the parent zone has been updated and the new delegation information propagated to its name servers, the old name server can be removed. The process is essentially the reverse of the steps above. First, the NS record for the old server, slave.example.com is removed from the example.com zone on the master server. Version control and checks as described earlier should be carried out. The A record for slave.example.com should be removed at this point. However if that name is used elsewhere -- say as the target of an MX or CNAME record -- the A record should remain. With the NS record deleted from the example.com zone, the delegation should be updated. The procedure outlined in 2.3.2 would be followed, except to remove the NS record for slave.example.com and any relevant glue records. It is important to ensure that the glue records for a retired name server are removed from the parent. If this is not done, discrepancies can arise. For instance, the DNS administrator for example.com adds a new A or AAAA record for slave.example.com but there's a stale glue record for slave.example.com in the .com zone which points at the old IP address of the now long gone name server. 2.5 Switch off the old name server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ==> Would suggest to rename this section as: "Stop serving the DNS zone on the old slave server" The final step of the process is to switch off the old name server or ^^^^^^^^^^^^^^^^ reconfigure it to stop serving the example.com zone. ------------------------------------------------------------------------ ==> Generally speaking, the real action is just "reconfiguring the old slave to stop serving the zone". Any further action (such as switching off the server) is specific to some contexts (for example, if the slave was serving only that zone... and not being used as a recurisve name server... And yes, even if such recursive functionality is discouraged on an authoritative nameserver, it is not forbidden). So I would rather prefer rewriting the sentence above as: "The final step of the process to reconfigure the old sevrer to stop serving the example.com zone. The server may even be switched off if it does not serve othe DNS zones." ------------------------------------------------------------------------ This should not be done immediately. First of all, other name servers may still be cacheing the old NS and address records for slave.example.com. These may not expire from the caches for some time: the TTL values in either the example.com or .com zones for slave.example.com. It is possible of course to reduce these TTLs so that the old server can be switched off sooner. However this will require further changes ^^^^^^^^^^^^ to the zone and its parent delegation: for instance to reduce the TTL for the NS and any address records for the old name server. This introduces extra steps into the migration process and may not be worth the effort. In the final analysis, the old name server shouldn't be switched off after the migration for at least the TTL value for the ^^^^^^^^^^^^ server that may have been cached anywhere. ==> Same remarks as to "switch off" vs "stop serving the zone" Even after a reasonable transition period of a few days, it is always possible for the old name server to still receive queries for example.com. The most likely cause of this are forwarding name servers that have been configured with the IP address of the old name server. Checking the name server's query logs will indicate if the old server receives such queries. If it does, the logs will identify the source of these queries. The DNS administrator can then arrange for these systems to be fixed or at least investigate why they are still sending queries to the wrong name server. It would be prudent to ensure that no harm would result from shutting down the old name server or stopping it from serving the example.com zone before taking that course of action. Removing the zone is simply the reverse of the procedure described in 2.1 above. However this applies to the old slave server, slave.example.com, and not the new one, ns1.example.com, that is now in use. The zone{} statement for example.com in /etc/named.conf on slave.example.com is removed and the usual version control process and configuration file checks with named-checkconf applied. The name server is made to re-read its configuration file with rndc and the server's logs checked to ensure the change has been carried out. Finally, any old copies of the zone file can be removed if necessary. 2.6 Documentation Once the new slave server or servers are in use, the organisation's DNS documentation should be updated. This should reflect the details of the slave servers: where they are located, what software they run; contact details for whoever is responsible for them; information about change procedures, change windows and any service level agreements that are in place. 2.7 Observations Although this procedure may be over-cautious, it does ensure that stable DNS service is maintained throughout the procedure. First, the new server is configured to serve the zone and then tested. This makes sure it can communicate with the zone's master server, there are no connectivity or firewall issues and that the new server is performing satisfactorily. It is only at this point that a go/no go decision is made about adding the new server to the zone's NS RRset. Further checks can then be made to ensure the server is properly handling queries from other name servers on the network. If anything goes wrong, the NS record can be ^^^^^^^ ==> and clients... removed. Everything then continues as normal on the existing DNS infrastructure for the zone. Once the new server is handling queries satisfactorily, the delegation information in the parent zone is updated. At this point the new slave server is fully activated. The old slave server can be removed once it no longer receives queries for the zone. This can be verified by checking its query logs. Other name servers may be holding on to stale delegation information that is still to expire from their caches. Or they may have been configured to forward to the old slave server. Deleting that zone from the slave is simply a matter of removing the corresponding zone{} statement from its named.conf file once it is considered safe for the slave server to no longer serve that zone. Another approach might be to switch off the slave server, provided of course it is not serving other zones or ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ being queried by stub resolvers. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ==> This remark is important, that's why I proposed to insert it earlier (above) in the text. Although this procedure could be carried out in parallel whenever several slave servers have to be changed, this is probably unwise. It is simpler and less error-prone for the servers to be migrated one at a time rather than in bulk. That way, there is less co-ordination to be done at any given moment, so there is less chance of something going wrong or being overlooked. On the other hand, this can mean that changing several name servers takes longer elapsed time than might be desirable. In principle, the same procedure could be followed for moving a zone's master server. However there are some additional steps that need to be taken for that and these are discussed in the next section. 3 Moving a master server The safest way to move the master server for a zone is to configure a new name server at the new location. Perhaps the easiest way to do this is instantiate the new server with the configuration data -- zone files, named.conf, version control logs, ticketing system references -- from the backups/archives of the current master server. Once the new master server is set up, it should be checked that it is answering authoritatively for example.com and that it has the same data that is found on the existing master server for the zone. This cannot be one by transferring the zone from both servers and comparing ^^^ ==> done the zone files because there is no guarantee the two files will be identical. The files should of course have the same DNS data but there is no DNS protocol requirement for that data to be presented in a single, canonical order when a zone transfer is performed. It should be remembered that a zone transfer replicates zone data and it is not a file transfer protocol. Although ensuring the same DNS data exists is the most important consideration, the actual master file can be important too. For example it may contain comments that would not be visible when a zone transfer is performed. The new master server should be checked to ensure it is answering correctly and authoritatively for example.com. Zone transfers and EDNS0 queries should be used to ensure that there are no connectivity problems or access control lists which prevent the new server being ^^^^^^ ==> "from being"? used. The checks illustrated in Section 2.2 can be applied here. Once the new server is running correctly, there is a potential problem. There are now two servers which are master for the zone and these can get out of synchronisation with each other. Updates made to the zone on one will not be seen by the other. The simplest way to do that is to only permit updates on one server, the new master server, or to decide no changes can be made to the zone until the new master server is fully activated. This may mean temporarily preventing dynamic updates or other changes to the zone. 3.1 SOA Record Values Before the new master server is brought on-line, the zone's SOA record should have a sensible expire interval: 30 days is reasonable. Short expire intervals are unwise in general. They are especially unwise when the master server is moved. If the slave servers cannot contact the master server within one expire interval, they will no longer answer authoritatively for the zone, creating a lame delegation. A suitably long expire interval allows plenty of time to correct any master-slave connectivity issues before they can cause serious trouble. 3.2 Notification of the Slave Servers With the new server answering authoritatively for the zone, all the slave servers for the zone need to be reconfigured. They should be told to use the IP address(es) of the new server for zone transfers and SOA refresh checks. This will be done by some out-of-band means. Usually the DNS administrator will inform the DNS administrators of the slave servers about the migration by email. They will then update their name server's configurations with the details of the new server. If the master server for example.com was being moved from 10.1.2.3 to 172.16.1.1, the appropriate zone{} statement in the slave server's named.conf would look like: zone "example.com" { type slave; file "slave-zones/example.com"; masters { 172.16.1.1; 10.1.2.3; }; }; As always, version control, a ticketing system and a check with named-checkconf would be done before the slave server loads the new named.conf file. The above entry would tell the slave server to try the new IP address (172.16.1.1) as well as the old one when checking for fresh versions of example.com and transferring them. At this point it is crucial that both the old and new master servers for example.com have identical versions of the zone. If not, slave servers could be picking up different versions of example.com from either server, resulting in inconsistent data being published in the DNS. This is why it is safest to prevent any changes to the example.com zone until all the slave servers are now using the new master server. Updates to the slave server configurations should be carefully planned. The operators of the slave servers may have change windows, perhaps just once a week or month, where name server configurations can be altered. The slave server administrators may have their own ticketing systems and procedures for making those changes. So the DNS administrator should take account of these and give plenty of notice, perhaps as long as a month, of the impending move of the zone's master server. There may be service level agreements with the slave service providers which document the procedure and turn-round times for responding to such change requests. Putting the IP addresses of both servers in the masters{} clauses of the zone{} statement is a fail-safe. If the new server is unreachable for some reason, the zone can still be checked and transferred from the old master server. Assuming of course the old master server still has an up to date copy of the zone. And if the new master server is misbehaving, it can be switched off immediately. The slave servers will automatically fall back to using the IP address of the old master server for their checks. 3.3 Activating the new master server The logs on the slave servers and the new master server should be checked to ensure that they are being used for zone transfers and refresh checks, not the old master server. Once this has been verified, the slave servers can be reconfigured to only use the new master server. That simply means a repeat of the process in Section 3.2, except this time to remove the old IP address (10.1.2.3) from the masters{} clauses of the relevant zone{} statement. From this point onwards, the new master server will be the only place for any updates to the zone to be performed. 3.4 Update the example.com zone With the slave servers now using the new master server, the zone file will probably have to be updated. If the zone's master server has been renamed, that should be shown in the SOA record's MNAME field. The zone's NS RRset may have to be updated too and any "glue" for the new master server added. ^^^^^ ------------------------------------------------------------------------ ==> once again, it is not "glue", it is in-zone data! If the new master was already published in the DNS zone, its IP address(es) will remain unchanged. Otherwise, (an) A/AAAA entr{y,ies} will be added. OTOH, I think you should mention as early as in the paragraph above, the "hidden master option", in which case, nothing would be updated in the SOA record. ------------------------------------------------------------------------ In the example used for this document, the new master server retains the same name, master.example.com, but gets renumbered to a new IP address, 172.16.1.1. The relevant updates to the zone file would be similar to the following: example.com. 3600 SOA master.example.com. hostmaster.example.com. ( 2007032701 ; serial number 86400 ; refresh (24 hours) 7200 ; retry (2 hours) 3600000 ; expire (1000 hours) 172800 ; minimum (2 days) example.com. IN NS master.example.com. example.com. IN NS ns1.example.com. ... master.example.com. IN A 172.16.1.1 ns1.example.com. IN A 10.9.8.7 As before, changes to the example.com should be linked to the organisation's ticketing system, its change control procedure and checks with named-checkzone before the name server loads the new zone file. Once loaded, the name server's logs should be inspected to make sure that the new zone propagates to the zone's slave servers. Stealth master servers are commonly used. These are master servers ^^^^^^^ ==> AFAIK, it's the term "Hidden" which is rather used with masters. For slaves, it is indeed "stealth" which is used. see: http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07/ (search for "stealth") that are not listed in the zone's NS RRset or SOA record's MNAME field or in any parent zone's delegation information. This means the location of the master name server is not readily disclosed in the zone file and it is not found in the DNS metadata. The name and address of that server is only known to the authoritative slave servers for the zone and any utilities that are permitted to send dynamic updates to the server. If a stealth master configuration is in place, there ^^^^^^^ ==> hidden will be no need to update the zone's NS RRset or SOA MNAME field. 3.5 Update the delegation If the master server was part of the delegation information in the parent zone, that zone will need to be updated too. The name and address of the new master server will need to be in the parent zone. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ==> Only in case of "glue" and that's not the general case. An outline of the procedure to be followed for updating the parent zone is given in Section 2.3.2. There is no need to update the delegation if a stealth master configuration is used: the name and ^^^^^^^ ==> hidden address of the master server will not be in the parent zone and do not need to be added to it. 3.6 Update tools and clients Any tools or procedures which are used to modify the zone contents will have to be updated and tested for use on the new server. These changes will have to be documented. Clients which issue dynamic updates -- for example a DHCP server -- may need to be reconfigured to use the master server's new IP address. ^^^^^^^^ ==> addresse(s). However they may be able to find the new location of the master server from the MNAME field in the zone's SOA record. Dynamic update tools like nsupdate will do this automatically. 3.7 Decommission the old master server Finally, the procedure described in Section 2.5 can be used to stop the old master server from serving the zone. There will be additional steps to take however. The organisation's documentation should be updated to reflect the change of location for the master server. Administrative measures should be put in place to ensure no updates for the zone get made on the old server. These could include blocking or rejecting any dynamic update requests, preventing the old master zone file from being modified, training for DNS operations staff or perhaps all of these measures. 4 Renumbering When hosts get renumbered or renamed, it is not always the case that this can be done by simply updating the DNS. This is of course a major component of the renaming or renumbering. But it is by no means the only one. Any changes to the DNS should be carefully co-ordinated and integrated with the other aspects of the renumbering or renaming exercise. These can include the reconfiguration and testing of web servers and mail systems, changes to router and firewall configurations, updates to application-level access control lists, server downtime and the replacement of X.509 certificates. Changing the name or IP address of a host can be straightforward. It's unlikely anyone cares what name or IP address is assigned by a DHCP server to some host. All that is likely to matter in that sort of example is that the forward and reverse entries match up: ie a reverse lookup of the IP address returns a name that when looked up returns that IP address. Even that might not be essential. Though it is of course desirable. There are examples where the names and addresses of hosts are significant, particularly servers. POP and IMAP client will want to connect to the appropriate server. Similarly, mail clients will have to connect to the correct SMTP or ESMTP server when delivering or submitting email. This paradigm obviously extends to web servers, database servers and so on. When these sorts of critical network resources get moved or renamed, some careful planning is needed. For illustrative purposes below, the mail server for example.com, oldbox.example.com on 10.20.30.40 is going to be moved to newbox.example.com which has IP address 172.16.0.1. Before the DNS is updated, it can be assumed that the new mail server has been tested thoroughly and any accompanying addressing or numbering requirements have been resolved: for instance, the installation of new X.509 certificates. 4.1 Changing the forward zone Before this change, there will be MX and A records like the ones below in the example.com zone file: example.com. 3600 MX 10 oldbox.example.com. ... oldbox.example.com. 3600 A 10.20.30.40 Some time before the switch to the new mail server, the TTL values for the above resource records should be reduced to a few minutes. This will ensure old and possibly stale data does not live for more than a few minutes in the caches of other name servers. The absolute minimum time for this to be done is 1 refresh interval (24 hours in Section 3.4) plus the maximum TTL value for these resource records: 1 hour. This means that the TTL should be decreased no later than 25 hours before the planned switch. The rationale for this is a slave server may have just performed its refresh check just before the zone was updated. So if it does not support NOTIFY (or doesn't get any NOTIFY messages from the master server), the slave will take one refresh interval before it does another refresh check and picks up a new copy of the zone. Assuming that the zone transfer takes no time, the slave server will still be responding to lookups for example.com's MX records with data that has a one hour TTL value for one expire interval after the zone was updated. A ticket should be opened and the zone file updated in the usual manner with version control and zone file syntax checks with named-checkzone. Even though only the TTL for the records below are modified, the zone's SOA record serial number should be updated according to local convention. In the example below, the updated MX and A records now have a TTL of 5 minutes. Not that no other data for ^^^ ==> Note these records is changed ^^are? example.com. 300 MX 10 oldbox.example.com. ... oldbox.example.com. 300 A 10.20.30.40 The new zone is loaded on the master server and propagated to the slave servers in the usual way. Subsequent lookups for the MX records for example.com will only be cached for 5 minutes unless they'd already been cached from an earlier lookup. This means that there will probably be more DNS queries for example.com's MX records because this ^^ese? data does not get cached for as long as it used to. However within 25 ^^^^do? ^^they? hours of this zone update, no name server should be caching these MX records for longer than 5 minutes. Any data that was cached prior to ^^^were? the change should have expired from name server caches by then. This now means there is a 5 minute window for changing the mail server to the new system on a new IP address. At this point, the old mail server should be stopped from accepting inbound email. This will prevent it from processing incoming mail and storing it on mailboxes that have probably been migrated to the new server. With the old mail server not accepting email, all the mailboxes and other configuration data can be moved to the new server. Describing how this would be done is beyond the scope of this document. The new mail server can now be started. Once that has been done, the DNS can be updated. The MX and A records above would be replaced with the entries shown below: example.com. 300 MX 10 newbox.example.com. ... oldbox.example.com. 300 A 172.16.0.1 As before, the zone file should undergo version control and a check with named-checkzone. It should also get a new SOA serial number. Once this zone has propagated to the slave servers for example.com, incoming mail should start to be delivered to the new server. This is one example where the use of NOTIFY is a great benefit to get the slave servers to quickly converge on the new version of the zone. This could also be achieved by reducing the SOA record's refresh interval but this should only be necessary for legacy DNS implementations that do not implement NOTIFY. Those legacy implementations are likely to be so out of date that they need to be replaced anyway. Note that the TTL for the MX and A records above are still set to 5 minutes. This is to allow for a quick back-out in case of unforeseen problems with the new servers. The DNS administrator can revert to the old data and the old mail server restarted if there are problems. Since the DNS data for the new server has a short TTL, this will not be cached for too long by other name servers, reducing the potential for mail to go astray by being delivered to the new server when it is not performing correctly. Once mail operations have bedded down, the example.com zone file can be updated once more and the above MX and A records given more suitable TTL values. 4.2 Reverse zones For reverse zones, things can be somewhat simpler. The DNS administrator can prepare the reverse zones and populate them with PTR records before the corresponding IP addresses are actually used. The zone file for 16.172.in-addr.arpa could contain the following PTR record: 1.0.16.172.in-addr.arpa. 600 PTR newbox.example.com. Note that the PTR has the same TTL as the A record in the forward zone. This is not a DNS protocol requirement. It is an administrative convenience so that reverse lookups of 172.16.0.1 expire from the world's name server caches in no longer than the corresponding A record in example.com would. As with the forward zone, the reverse zone should be updated and propagated to its slave servers no later than 1 expire interval + the ^^^^^^ ==> refresh! PTR TTL value before the new IP address is used. The SOA record for 16.172.in-addr.arpa is not shown here, but it can be assumed that its expire interval is 8 hours and the PTR record previously had a TTL of ^^^^^^ ==> refresh 1 hour. [There is no requirement for SOA timer values and TTLs in reverse zones to be identical to forward zones or vice versa.] The rationale for the short TTL is the same as that given in Section 4.1: the data won't hang around caches for long if the change has to be backed out for some reason. In practice, reverse DNS entries are rarely critical to email operations (or any server operations in general). However some anti-spam defences use the absence of a working reverse DNS entry as a good rule of thumb for identifying a spam source. As with the forward zone, the PTR record in the 16.172.in-addr.arpa can be given a more reasonable TTL once everyone is happy that the new mail server is performing satisfactorily. 4.4 Other servers The same procedure can be applied to other network services that get moved or renumbered. Well in advance of the change, the TTL values on the corresponding resource records in the DNS should be reduced to a few minutes. This should be done to allow for any already cached data for those entries to expire from the caches of any other name servers. They will then lookup the names again and get the same responses, albeit with much shorter TTLs. This will mean more traffic to the name servers for the forward and reverse zones while the migration is in progress. The reduced TTL provides the window for switching from one server to another. While this switch is actually in progress, it may be necessary to stop the old server. For instance to ensure transactions are not sent to the wrong database or email delivered to the old mail store instead of the new one. Once the new server is ready, the DNS should be updated with the new addressing and naming data. This should still have a short TTL in case the new system has to be backed out. That can be done without the new DNS data staying in name server caches for too long. Finally, once the new server is shown to be working correctly, the TTLs for the new DNS data can be increased to more normal values. 4.5 Changes to service infrastructure Changes to DNS are often coupled to other changes to an organisation's service infrastructure. For example the replacement of web servers or mail servers may involve a change of ISP, some renumbering and DNS migration. Or some combination of these. A common scenario is that the new web site does not become visible until the DNS is updated and the delegation information in the parent zone has been updated too. This can put the organisation at the mercy of several external parties: for instance the old and new DNS service providers and ISPs, registrars, parent registry and so on. There is likely to be limited direct control over those parties, so careful co-ordination and communication will be needed to synchronise and sequence each part of the update process with any procedures or maintenance windows that these parties have. If there are any delays or errors happen during the DNS change, the ^ing resulting problems may be severe. These changes of course tend to take place at weekends or other quiet periods when key technical staff may not be available. Minimising the number of parties in a given change or migration reduces the risk of something going wrong and simplifies any recovery or back-out procedures when a problem occurs. As far as is practically possible, changes to the DNS delegation should be performed separately from changes to the other service infrastructure. Then, for the service infrastructure changes, the zone administrator is free to manage the zone contents without being dependent on other parties. -------------- next part -------------- A non-text attachment was scrubbed... Name: DNSmigration.diff Type: text/x-diff Size: 17442 bytes Desc: not available URL: </ripe/mail/archives/dns-wg/attachments/20080609/ec818d33/attachment.bin>
- Next message (by thread): [dns-wg] Updated DNS migration document
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]