Change Summary

Migrate all campus recursive DNS resolution from the two existing authoritative servers (ns1.example.edu, ns2.example.edu) to a new anycast resolver cluster of four nodes spread across two data centres.

Change Type: Standard
Risk Level: Medium
Rollback Available: Yes (15-minute cutback procedure documented in the runbook)

Business Justification

The current DNS infrastructure was deployed in 2019 and runs on aging hardware with no geographic redundancy. During a recent power event at Data Centre A, DNS resolution failed campus-wide for 23 minutes. The anycast migration eliminates this single point of failure and reduces average query latency from 12 ms to under 2 ms.

Technical Scope

Component                   Action
ns1.example.edu (DC-A)      Decommission after validation
ns2.example.edu (DC-B)      Decommission after validation
Anycast node A1 (DC-A)      Activate
Anycast node A2 (DC-A)      Activate
Anycast node B1 (DC-B)      Activate
Anycast node B2 (DC-B)      Activate
DHCP server pool config     Update resolver IPs campus-wide

Implementation Steps

  1. Pre-validate anycast nodes are serving all internal zones correctly (pre-change)
  2. Update DHCP scopes to advertise anycast VIP 10.0.0.53 as primary resolver
  3. Update static resolver configuration on servers and network devices
  4. Monitor query volumes and error rates for 30 minutes
  5. Decommission legacy resolver VMs if no anomalies detected
  6. Update network documentation
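
A parity check that could support steps 1 and 4, given here as an added example that is not part of the original change record: it compares the answers from the anycast VIP with those from both legacy resolvers and checks the AD flag for signed names. The resolver IPs are the ones in this record; the `DIG` override, the function names and the hostnames passed in are assumptions.

```shell
#!/usr/bin/env bash
# Added example: resolver parity check before and after cutover.
# Resolver IPs come from the change record; names to test are supplied by the operator.
DIG="${DIG:-dig}"                 # overridable so the logic can be exercised offline
NEW_VIP="10.0.0.53"
LEGACY="10.10.1.53 10.10.2.53"

# Print the sorted answer set SERVER returns for NAME/TYPE.
# dig writes timeouts as ';;' comment lines on stdout; drop them so a dead
# resolver yields an empty set instead of text that could "match" another failure.
answers() {
    "$DIG" +short +time=2 +tries=1 "@$1" "$2" "$3" 2>/dev/null | grep -v '^;' | sort
}

# Compare the anycast VIP with each legacy resolver for one name.
# Returns 0 on parity, 1 on any mismatch or on an empty answer from the VIP.
check_name() {
    local name="$1" type="${2:-A}" new old srv rc=0
    new=$(answers "$NEW_VIP" "$name" "$type")
    if [ -z "$new" ]; then
        echo "FAIL $name $type: no answer from $NEW_VIP"
        return 1
    fi
    for srv in $LEGACY; do
        old=$(answers "$srv" "$name" "$type")
        if [ "$new" != "$old" ]; then
            echo "FAIL $name $type: $NEW_VIP differs from $srv"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK   $name $type"
    return "$rc"
}

# True if SERVER sets the AD (authenticated data) flag for NAME,
# meaning the resolver itself validated the DNSSEC chain.
validates() {
    "$DIG" +dnssec +time=2 +tries=1 "@$1" "$2" A 2>/dev/null |
        grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Usage: ./parity.sh host1.example.edu host2.example.edu ...
if [ "$#" -gt 0 ]; then
    status=0
    for n in "$@"; do check_name "$n" A || status=1; done
    exit "$status"
fi
```

Answers are sorted before comparison so round-robin record ordering does not register as a mismatch.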

Rollback Plan

Revert DHCP scopes to the legacy resolver IPs (10.10.1.53, 10.10.2.53). Estimated rollback time: 15 minutes. Legacy VMs remain online during the observation window specifically to support this rollback.

Testing

  • 100% internal zone resolution tested in staging ✓
  • External resolution (root hints) validated ✓
  • DNSSEC validation tested for all signed zones ✓

Notifications

Approved by the Change Advisory Board on 2026-03-28. End users are not expected to experience any disruption — the change occurs at 2:00 AM during a low-use window.