BIND DNS HA Cluster - Issues

Lessons Learned

Category Lesson

Category	Lesson
Separation of Concerns	DNS should be independent of identity. FreeIPA DNS created circular dependency issues.
Zone Transfer	Use `allow-transfer` with IP ACL, not open. RNDC key authentication for updates.
cloud-init	Network config must match actual interface names (eth0 on Rocky cloud images).
SELinux	named_t context required for zone files. Use `chcon` or policy modules.
VyOS Integration	`set service dns forwarding name-server` for upstream resolution.

Separation of Concerns

DNS should be independent of identity. FreeIPA DNS created circular dependency issues.

Zone Transfer

Use allow-transfer with IP ACL, not open. RNDC key authentication for updates.

cloud-init

Network config must match actual interface names (eth0 on Rocky cloud images).

SELinux

named_t context required for zone files. Use chcon or policy modules.

VyOS Integration

set service dns forwarding name-server for upstream resolution.

Item	Status
bind-01	Operational, master zone
bind-02	Operational, slave zone
VyOS	DNS forwarding configured
FreeIPA	DNS disabled (identity-only mode)
Documentation	11-phase runbook + infrastructure records guide

Item

Status

bind-01

Operational, master zone

bind-02

Operational, slave zone

VyOS

DNS forwarding configured

FreeIPA

DNS disabled (identity-only mode)

Documentation

11-phase runbook + infrastructure records guide