DEPLOY-2026-02-14 BIND DNS HA Cluster

1. Executive Summary

Deployment Type: DNS Infrastructure

Problem Statement: FreeIPA DNS was tightly coupled to identity services. Need dedicated, authoritative DNS with zone transfer replication for HA.

Solution: Standalone BIND DNS cluster (bind-01 + bind-02) with zone transfers, serving inside.domusdigitalis.dev zone.

Environment: Production (Home Lab)

Runbooks: BIND DNS Deployment, bind-02 Secondary

Risk Level: Low (parallel deployment, non-destructive)

2. Deployment Information

Field               Value
Deployment Date     2026-02-14 (bind-01), 2026-02-17 (bind-02)
Previous State      FreeIPA DNS (tightly coupled to identity)
Target State        Standalone BIND DNS with HA replication
Deployment Window   2 hours per node
Rollback Plan       Revert VyOS DNS forwarding to FreeIPA
Affected Systems    All DNS resolution (gradual migration)

3. Infrastructure Deployed

Component     Primary                             Secondary
Hostname      bind-01.inside.domusdigitalis.dev   bind-02.inside.domusdigitalis.dev
IP Address    10.50.1.90                          10.50.1.91
Hypervisor    kvm-01                              kvm-02
Zone Role     Master (authoritative)              Slave (zone transfer)
Zone          inside.domusdigitalis.dev (served by both nodes)

4. Architecture

Table 1. BIND DNS HA Architecture

Component       Configuration
Zone Type       Authoritative for internal domain
Replication     IXFR/AXFR zone transfers (notify)
Update Method   nsupdate (dynamic DNS)
Forwarding      External queries → upstream resolvers
Clients         VyOS DNS forwarding, DHCP clients

5. Deployment Phases

5.1. bind-01 (Primary)

Phase   Description                 Key Steps
1       Download Cloud Image        Rocky 9 GenericCloud, SHA256 verification
2       cloud-init Configuration    meta-data, user-data, network-config
3-4     VM Creation                 Disk resize, virt-install, libvirt
5       VM Verification             SSH connectivity, hostname
6       DNS & DHCP                  Static reservation in VyOS
7       Workstation Prerequisites   SSH config, known_hosts
8       Configure BIND              named.conf, zone files, RNDC key
9       Start BIND                  Enable/start named, firewalld rules
10      Test DNS                    dig queries, zone validation
11      VyOS Integration            DNS forwarding to BIND

5.2. bind-02 (Secondary)

Phase   Description
1-5     VM creation (same as bind-01)
6       Slave zone configuration
7       Zone transfer from master
8       Notification testing

6. Validation Results

Test                      Result    Evidence
Forward DNS lookup        ✅ PASS   dig vault-01.inside.domusdigitalis.dev
Reverse DNS lookup        ✅ PASS   dig -x 10.50.1.x
Zone transfer             ✅ PASS   bind-02 received zone from bind-01
nsupdate dynamic update   ✅ PASS   A record added successfully
VyOS forwarding           ✅ PASS   DHCP clients resolve via VyOS → BIND
Failover test             ✅ PASS   bind-01 down, bind-02 continues serving

7. Lessons Learned

Category                 Lesson
Separation of Concerns   DNS should be independent of identity. FreeIPA DNS created circular dependency issues.
Zone Transfer            Restrict allow-transfer with an IP ACL; never leave it open. Use RNDC key authentication for dynamic updates.
cloud-init               Network config must match the actual interface names (eth0 on Rocky cloud images).
SELinux                  Zone files require the named_t context. Apply it with chcon or a policy module.
VyOS Integration         Use set service dns forwarding name-server for upstream resolution.
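The zone-transfer and update lessons above, as an added named.conf excerpt (not the cluster's actual configuration) that pairs the restrictive settings with the open ones they replace. It assumes the node addresses from section 3, a key named ddns-key with a placeholder secret, and zone file paths under /var/named.

```conf
// bind-01 (10.50.1.90), primary -- /etc/named.conf excerpt (added example)
// TSIG key for nsupdate. Generate with `tsig-keygen ddns-key`; the secret
// below is a placeholder. A dedicated key is used rather than the rndc key
// so an update client cannot also control named through rndc.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_SECRET";
};

acl "secondaries" { 10.50.1.91; };   // bind-02 only

options {
    directory "/var/named";
    // Weak setting this replaces: allow-transfer { any; };
    // which lets any client dump the whole internal zone with `dig AXFR`.
    allow-transfer { none; };        // global default: no transfers at all
};

zone "inside.domusdigitalis.dev" IN {
    type master;
    file "dynamic/inside.domusdigitalis.dev.zone";
    allow-transfer { secondaries; }; // only bind-02 may pull the zone
    also-notify { 10.50.1.91; };     // push NOTIFY on every change
    notify yes;
    // Weak setting this replaces: allow-update { any; };
    // update-policy limits nsupdate to holders of ddns-key and to names
    // inside this zone (zonesub), so the key cannot rewrite the apex.
    update-policy {
        grant ddns-key zonesub ANY;
    };
};

// bind-02 (10.50.1.91), secondary -- /etc/named.conf excerpt (added example)
zone "inside.domusdigitalis.dev" IN {
    type slave;
    file "slaves/inside.domusdigitalis.dev.zone";
    masters { 10.50.1.90; };          // pull only from bind-01
    allow-notify { 10.50.1.90; };     // ignore NOTIFY from anyone else
    allow-transfer { none; };         // do not re-serve AXFR to clients
};
```

Check each node with `named-checkconf /etc/named.conf`, then confirm the restriction from a host other than bind-02: `dig @10.50.1.90 inside.domusdigitalis.dev AXFR` should report "Transfer failed." while the same query from 10.50.1.91 returns the zone.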

8. Post-Deployment Status

Item            Status
bind-01         Operational, master zone
bind-02         Operational, slave zone
VyOS            DNS forwarding configured
FreeIPA         DNS disabled (identity-only mode)
Documentation   11-phase runbook + infrastructure records guide