DNS server software

Hello all,

We are a mid-sized carrier (1.2M broadband subscribers) and we are looking
for an upgrade in our public DNS resolver infrastructure, so we are
interested in getting to know what are you guys using in your networks.
Mainly what kind/brand of software and which architecture did you use to
deploy it, and how did you do the sizing, all of it would be most helpful
information.

Many thanks in advance for your advice!
cl.

Claudio Lapidus (clapidus) writes:

Hello all,

We are a mid-sized carrier (1.2M broadband subscribers) and we are looking
for an upgrade in our public DNS resolver infrastructure, so we are
interested in getting to know what are you guys using in your networks.
Mainly what kind/brand of software and which architecture did you use to
deploy it, and how did you do the sizing, all of it would be most helpful
information.

  You'd probably want to start taking a look at unbound:

  http://unbound.net/

  It's open source, and actively maintained by NLNetLabs.
  Setup properly on a decent OS and anycasted, it performs extremely
  well - better than some commercial solutions.

  PowerDNS also has an open source solution (www.powerdns.com). PowerDNS
  is easily modified with custom backends (using a simple pipe interface).

  Then there are solutions from Nominum if you want to pay yourself
  out the question, as well as products from Infoblox (they are more
  targeted towards corporate DNS, but have recently introduced what they
  claim to be "ISP class" resolvers).

  There's also Secure64, which I haven't tested but some people are very
  happy with it.

  All of the above support DNSSEC.

  Sizing considerations will depend on your network topology, how many
  customers / PoP, etc...

  You may want to ask the dns operations list
  (dns-operations Info Page) for advice,
  but please wait until you've collected a bit more data on which solution
  you'd consider, and it's usually not very useful to ask "is vendor solution
  X better than Y".

  Cheers,
  Phil
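As an added illustration of the "setup properly" advice above (this is not configuration from the thread or from NLnet Labs; interface addresses, subscriber prefixes and the sizing numbers are placeholders to be replaced with the carrier's own), here is an unbound.conf server section for a subscriber-facing validating resolver. The commented-out access-control line is the weak setting that turns the box into an open resolver usable for reflection/amplification; the lines after it restrict recursion to customer address space.

```conf
server:
    # Anycast service address plus the host's own address (placeholders).
    interface: 192.0.2.53
    interface: 2001:db8::53
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    # TCP must stay on: truncated/large DNSSEC answers fall back to TCP.
    do-tcp: yes

    # Weak setting: answers recursion for the whole Internet (open resolver).
    # access-control: 0.0.0.0/0 allow
    # Hardened: refuse by default, allow only subscriber prefixes (placeholders).
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 203.0.113.0/24 allow
    access-control: 2001:db8:1::/48 allow

    # DNSSEC validation with an RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    val-clean-additional: yes
    use-caps-for-id: yes

    # Advertised EDNS0 buffer; kept small enough to avoid IP fragmentation.
    edns-buffer-size: 1232

    # Sizing (illustrative): one thread per core, slabs = threads,
    # caches and socket buffers scaled to the expected query rate.
    num-threads: 8
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    msg-cache-size: 512m
    rrset-cache-size: 1g
    outgoing-range: 8192
    num-queries-per-thread: 4096
    so-rcvbuf: 8m
    so-sndbuf: 8m
    so-reuseport: yes
    prefetch: yes
    prefetch-key: yes

    # Do not leak software identity to version.bind / hostname.bind probes.
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
```

Run `unbound-checkconf` after editing and then `unbound-host -v -D example.com` (or `dig +dnssec`) against each node to confirm the AD flag comes back before putting the address into the anycast announcement; per-PoP capacity is then measured with a replay of real subscriber query logs rather than guessed from subscriber count.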

I do hosting rather than network provisioning, but when I was doing network provisioning we used PowerDNS' resolver. It's small, and it's very, very fast. It's customizable and can be scripted using Lua.

http://www.powerdns.com

Claudio Lapidus <clapidus@gmail.com> writes:

We are a mid-sized carrier (1.2M broadband subscribers) and we are
looking for an upgrade in our public DNS resolver infrastructure, so we
are interested in getting to know what are you guys using in your
networks. Mainly what kind/brand of software and which architecture did
you use to deploy it, and how did you do the sizing, all of it would be
most helpful information.

Unsurprisingly, we (AS1280, AS3557) run BIND 9. see <http://www.isc.org/>.
We have at least two recursives in each AS1280 site, and one in each
AS3557 location (f-root). Stubs (either /etc/resolv.conf or DHCP) each use
all local plus some non-local, for a minimum of three total. Recursive DNS
servers do not use forwarding or other cache-sharing techniques, each is
fully independent. Most have DNSSEC validation enabled, and of those, all
are subscribed to ISC DLV, see <http://dlv.isc.org/>. Most server hosts
here run FreeBSD on AMD64/EM64T or else i386.

I do not think so:

http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

DNSSEC support in PowerDNS is currently restricted to being able to serve DNSSEC-related RRs. No further DNSSEC processing takes place.

I reviewed all the popular DNS software recently. PowerDNS was really OK, but eventually I decided not to go with it due to its lack of full DNSSEC support.

I have been using BIND9. I have also seen a number of folks try other things, but I have found when testing that software that DNSSEC/EDNS0 and properly handling DNS query/response on TCP are not well supported.
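The three properties the last few posts argue over (EDNS0 with the DO bit, DNSSEC validation signalled by the AD flag, and correct DNS-over-TCP framing) can be checked against any candidate resolver without trusting vendor claims. The script below is an added example written for this page, not code from the thread or from any of the products named in it. It builds a DO=1 query by hand, parses the response header and OPT record, and classifies the resolver's behaviour; the three sample responses are constructed in-line (the answer address, TTL and names are made up) so the logic runs offline, and the `__main__` section sends the same query over TCP to a server given on the command line.

```python
"""Check a resolver's EDNS0 / DNSSEC / TCP behaviour with hand-built DNS messages."""
import socket
import struct

DO_BIT = 0x8000          # DO flag lives in the high bit of the OPT "TTL" field (RFC 6891)
OPT_TYPE = 41


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, udp_size: int = 1232) -> bytes:
    """Standard query, RD=1, one question, plus an EDNS0 OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)        # arcount=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    # OPT: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=ext-rcode/version/DO, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT, 0)
    return header + question + opt


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a possibly-compressed name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def analyze_response(msg: bytes) -> dict:
    """Decode the header flags and, if present, the OPT record of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # qtype + qclass
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns = {"udp_size": rclass, "do": bool(ttl & DO_BIT), "ext_rcode": ttl >> 24}
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated the answer
        "rcode": flags & 0x000F,
        "answers": an,
        "edns": edns,
    }


def classify(msg: bytes) -> str:
    """Summarise what a response says about the resolver."""
    r = analyze_response(msg)
    if r["rcode"] == 2:
        return "servfail"       # expected for a name whose signatures are deliberately broken
    if r["edns"] is None:
        return "no-edns"        # OPT stripped: no DNSSEC possible through this resolver
    return "validated" if r["ad"] else "unvalidated"


# Constructed sample responses (not captured from any real server).
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
_OPT = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_BIT, 0)
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1) + _QUESTION + _ANSWER + _OPT
SAMPLE_NO_EDNS = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1) + _QUESTION + _OPT


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    with socket.create_connection((server, 53), timeout=5) as s:
        s.sendall(tcp_frame(build_query("example.com")))
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:                     # a resolver that mishandles TCP fails here
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    print(classify(data), analyze_response(data))
```

To test a candidate, run it once against a correctly signed name (expect `validated`) and once against a name with deliberately broken signatures (expect `servfail`); a resolver that answers `no-edns` or `unvalidated` for the signed name is not doing DNSSEC regardless of what the datasheet says, and one that hangs or returns a short read in the TCP loop is the TCP problem the post above refers to.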

DNSSEC with PowerDNS is under development. It's coming soon to a server near you.

--C