On 4/17/15 3:53 PM, Roland Dobbins wrote:
> On 18 Apr 2015, at 5:44, Chuck Anderson wrote:
>> 2. Use anycast to make your multiple DNS servers appear as one IP, and put that one IP in /etc/resolv.conf. You can have multiple IPs, but each one should still be anycasted.
>
> The problem with using only one IP is that if someone accidentally fat-fingers an ACL or a routing statement or a firewall rule or whatever, all recursive DNS is hosed. So, anycasting *two* IP addresses (on differing netblocks) is probably warranted.
IME the behavior in failover to a secondary resolver address is so troublesome that if you're going to go to the trouble of anycasting (or load balancing) a resolver address it's better to go with just one.
In the unlikely event that someone does what you describe, Roland (i.e., fat-finger access to a core services network), you're going to have so many other problems that resolver failover is going to be the least of your worries.
FWIW,

Doug

-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
