tickets #161846

Updated by crameleon about 1 month ago

These nameservers should be migrated away from the manually configured named/bind setup to a PowerDNS stack (authoritative for public-facing and recursor for internal requests) similar to what is already done with prg-ns{1,2} and hel{1,2}. To prepare for network segmentation in these locations, it might be a good opportunity to split the internal and public-facing services onto separate machines and to remove named/bind installations from machines which shouldn't run their own nameserver (ipx-proxy, stonehat).

 
This will unify the setup and allow us to fully cover the DNS setup with a streamlined Salt configuration.

During the DC migration, when this was originally discussed, a few options for backend replication were discussed, and some were theoretically evaluated before it was decided to only implement the new stack in Prague for now and to postpone qsc-ns3/provo-ns for a future improvement. The traditional AXFR approach might be better replaced with database/file replication; considerations are keeping DNSSEC intact and potentially allowing for multi-master operation (i.e. being able to modify DNS records when connectivity to Prague is lost; currently it's exclusively possible from chip.i.o.o).
