How to set up BIND DNS active-active with PCS

An active-active BIND DNS deployment keeps multiple DNS servers answering at the same time, reducing single-node risk and spreading query load across the cluster.

With Pacemaker managed through the pcs CLI, a systemd resource can control the named (or bind9) service and a cloned resource can run that service on every cluster node while Pacemaker monitors health and performs recovery actions.

Zone data replication is not handled by Pacemaker, so zone files, dynamic update targets, TSIG keys, and transfer policies must already keep all nodes consistent before cluster control is enabled. Traffic distribution is also external to the cluster (multiple NS records, a load balancer, or Anycast), so inconsistent zone contents or an incomplete routing plan can produce mixed answers and hard-to-debug client behavior.

Related: How to plan active-active high availability with Pacemaker
Related: How to set up BIND DNS high availability with PCS

Steps to set up BIND DNS active-active with PCS:

  1. Confirm the cluster is online with quorum. 
    $ sudo pcs status
Cluster name: clustername
Cluster Summary:
  * Stack: corosync (Pacemaker is running)
  * Current DC: node-01 (version 2.1.6-6fdc9deea29) - partition with quorum
  * Last updated: Thu Jan  1 04:29:13 2026 on node-01
  * Last change:  Thu Jan  1 04:29:11 2026 by root via cibadmin on node-01
  * 3 nodes configured
  * 0 resource instances configured

Node List:
  * Online: [ node-01 node-02 node-03 ]

Full List of Resources:
  * No resources

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

    Related: How to check Pacemaker cluster status

  2. Identify the BIND DNS service unit name. 
    $ systemctl list-unit-files --type=service --no-legend | grep -E '^(named|bind9)\.service'
named.service                                disabled        enabled

    Related: How to manage Pacemaker cluster services with systemctl in Linux

  3. Validate the BIND DNS configuration on each node. 
    $ sudo named-checkconf -z
zone example.net/IN: loaded serial 2026010101
zone localhost/IN: loaded serial 2
zone 127.in-addr.arpa/IN: loaded serial 1
zone 0.in-addr.arpa/IN: loaded serial 1
zone 255.in-addr.arpa/IN: loaded serial 1

    Inconsistent zone contents across nodes can return different answers for the same name depending on which server receives the query.

  4. Disable automatic startup of the identified service unit on each node. 
    $ sudo systemctl disable named.service
Synchronizing state of named.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable named
Synchronizing state of named.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable named
Synchronizing state of named.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable named

    Using systemctl disable --now stops the DNS service immediately and can interrupt production traffic if routing still points at the node.

    Related: How to manage Pacemaker cluster services with systemctl in Linux

  5. Create the BIND DNS systemd resource in PCS. 
    $ sudo pcs resource create bind_service systemd:named op monitor interval=30s

    Use systemd:bind9 when that unit is present.

    Related: How to create a Pacemaker resource

  6. Clone the BIND DNS resource across nodes. 
    $ sudo pcs resource clone bind_service

    Related: How to create a cloned resource in Pacemaker
    Related: How to set Pacemaker clone resource options

  7. Verify the cloned resource status. 
    $ sudo pcs status resources
  * Clone Set: bind_service-clone [bind_service]:
    * Started: [ node-01 node-02 node-03 ]
  8. Query the first node for the zone serial number. 
    $ dig @192.0.2.11 example.net SOA +short
ns1.example.net. hostmaster.example.net. 2026010101 3600 900 604800 86400

    Matching SOA serials across nodes is a quick sanity check for consistent zone data.

  9. Query the second node for the same zone serial number. 
    $ dig @192.0.2.12 example.net SOA +short
ns1.example.net. hostmaster.example.net. 2026010101 3600 900 604800 86400
  10. Update client routing to distribute DNS traffic across active nodes.

    Related: How to plan traffic distribution for active-active PCS services

  11. Put one node into standby to simulate a node failure. 
    $ sudo pcs node standby node-01

    Standby mode removes the node from resource hosting, which reduces serving capacity until the node returns.

    Related: How to run a Pacemaker failover test with PCS

  12. Confirm the clone set remains started on remaining nodes. 
    $ sudo pcs status resources
  * Clone Set: bind_service-clone [bind_service]:
    * Started: [ node-02 node-03 ]
    * Stopped: [ node-01 ]
  13. Query a remaining node directly to confirm continuity. 
    $ dig @192.0.2.12 example.net SOA +short
ns1.example.net. hostmaster.example.net. 2026010101 3600 900 604800 86400
  14. Return the standby node to the cluster. 
    $ sudo pcs node unstandby node-01
  15. Confirm the clone set is started on all nodes. 
    $ sudo pcs status resources
  * Clone Set: bind_service-clone [bind_service]:
    * Started: [ node-01 node-02 node-03 ]