-----Original Message-----
From: Doug Barton <[email protected]>
Date: Friday, April 17, 2015 at 7:09 PM
To: "[email protected]" <[email protected]>
Subject: [dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)
>On 4/17/15 3:53 PM, Roland Dobbins wrote:
>>
>> On 18 Apr 2015, at 5:44, Chuck Anderson wrote:
>>
>>> 2. Use anycast to make your multiple DNS servers appear as one IP, and
>>> put that one IP in /etc/resolv.conf. You can have multiple IPs,
>>> but each one should still be anycasted.
>>
>> The problem with using only one IP is that if someone accidentally
>> fat-fingers an ACL or a routing statement or a firewall rule or
>> whatever, all recursive DNS is hosed.
>>
>> So, anycasting *two* IP addresses (on differing netblocks) is probably
>> warranted.
>
>IME the behavior in failover to a secondary resolver address is so
>troublesome that if you're going to go to the trouble of anycasting (or
>load balancing) a resolver address it's better to go with just one.
>
>In the unlikely event that someone does what you describe Roland (i.e.,
>fat-finger access to a core services network), you're going to have so
>many other problems that resolver failover is going to be the least of
>your worries.

Fully agreed, but many years ago when I first set this kind of environment up I found email threads, source code comments, etc. alluding to the way you should never have just one IP in resolv.conf because of quirky resolver semantics that "could in theory" lead to scenarios where you get quick retries with multiple servers vs just blocking/exponentially backing off/making things worse if there is only one.

Sort of like dry firing antique firearms, I never cared to prove it out and just erred on the side of caution. :-)
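The "quirky resolver semantics" the reply alludes to can be made concrete with a small model. The following is an added example, not code from the thread or from any libc; it assumes the classic BIND-derived libresolv schedule (per-probe timeout is `retrans << try`, divided by the nameserver count when `try > 0`, with defaults `retrans=5`, `retry=2`) and lets you compare how long a stub blocks, and how quickly it reaches a live server, with one versus several `nameserver` lines. Real libc versions differ in the exact constants, so treat the numbers as illustrative.

```python
"""Model of a classic stub resolver's retry schedule (added example).

Assumption, not taken from the thread: the probe timeout follows the
original libresolv res_send() rule
    seconds = retrans << try;  if try > 0: seconds //= nscount
with defaults retrans=5 s and retry=2. Exact values vary by libc version.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    attempt: int   # outer retry-loop index ("try")
    server: int    # index into the resolv.conf nameserver list
    timeout: int   # seconds the stub waits on this probe before moving on


def retry_schedule(nscount: int, retrans: int = 5, retry: int = 2) -> list:
    """Sequence of probes the stub sends when every server stays silent."""
    if nscount < 1:
        raise ValueError("resolv.conf needs at least one nameserver")
    probes = []
    for attempt in range(retry):
        for server in range(nscount):
            seconds = retrans << attempt          # exponential backoff per try
            if attempt > 0:
                seconds //= nscount               # spread across servers
            probes.append(Probe(attempt, server, max(seconds, 1)))
    return probes


def worst_case_block(nscount: int, retrans: int = 5, retry: int = 2) -> int:
    """Total seconds a blocking lookup waits before giving up entirely."""
    return sum(p.timeout for p in retry_schedule(nscount, retrans, retry))


def first_answer_delay(nscount: int, dead: set, retrans: int = 5, retry: int = 2):
    """Seconds until a probe first reaches a server not in `dead`.

    Returns None when no live server is ever probed (all dead)."""
    elapsed = 0
    for p in retry_schedule(nscount, retrans, retry):
        if p.server not in dead:
            return elapsed
        elapsed += p.timeout
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        timeouts = [p.timeout for p in retry_schedule(n)]
        print(f"{n} nameserver(s): probe timeouts {timeouts}, "
              f"worst case {worst_case_block(n)}s, "
              f"delay if server 0 is dead: {first_answer_delay(n, {0})}")
```

With one server the second probe doubles to 10 s, while with two servers every probe stays at 5 s and a dead primary costs only one timeout before the secondary is tried; this is the "quick retries vs exponential backoff" trade-off, not an argument for or against anycast by itself.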
