On 4/17/15 4:42 PM, Roland Dobbins wrote:
> On 18 Apr 2015, at 6:09, Doug Barton wrote:
>> In the unlikely event that someone does what you describe Roland (i.e., fat-finger access to a core services network),
> Fat-Fingering happens all the time, as everyone on this list knows. Since it's trivial to set up two anycasted addresses instead of one, why not go ahead and do so?
You snipped out the part of my message that explained the answer to that question.
Fallback to secondary resolvers is nearly universally horrible. In his long diatribe Chuck described some of the problems. I would add that Windows is quite a bit worse than what he described. If a Windows end-user system doesn't get a response from the first (primary) resolver address it then tries ALL of the addresses it knows. So if the cause of the fallback is that the primary resolver is overloaded, Windows creates its own thundering herd problem by banging away until it gets an answer. And that's just one example.
> And to go further, why not assign one as the first recursor and the other as the second recursor with ~50% of any endpoints under one's own span of control, and then reverse the order for the other 50%?
Because fallback is to be avoided at all costs. If one of those addresses is working, it's overwhelmingly likely that they both will be. So by doing what you suggest you've added complexity for no real benefit.
Regarding Mike Hoskins' response, I've configured just one address on many platforms for many years, and never had a problem. It is true that the default behavior for Unix stubs is to try each 'nameserver' address in order till it times out, then cycle back through the list. I don't know where your "quick retries" information came from, but TMK that's never been the case.
Doug
PS, I really wasn't intending to start a conversation on this topic .... I'm really more interested in knowing whether folks see round robin of name server addresses often, or at all. :)
--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
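A simplified model of the two stub-resolver fallback behaviours described in the message above, added here as an example and not part of the original post. The fixed 5-second timeout, the fleet of 1000 clients, the resolver labels A and B, and all function names are assumptions made for illustration.

```python
from collections import Counter
TIMEOUT_S = 5.0  # assumed per-try timeout, not a value from the thread

def sequential_stub(servers, alive, cycles=2):
    """Try each address in order, waiting out a timeout before moving on,
    then cycle back through the list. Returns (delay or None, queries)."""
    sent, waited = Counter(), 0.0
    for _ in range(cycles):
        for s in servers:
            sent[s] += 1
            if s in alive:
                return waited, sent
            waited += TIMEOUT_S
    return None, sent

def fanout_stub(servers, alive, rounds=2):
    """Behaviour the message attributes to Windows: ask the first address,
    and if it stays silent, ask every known address at once."""
    sent, waited = Counter({servers[0]: 1}), 0.0
    if servers[0] in alive:
        return waited, sent
    for _ in range(rounds):
        waited += TIMEOUT_S
        sent.update(servers)
        if alive & set(servers):
            return waited, sent
    return None, sent

def fleet(stub, configs, alive):
    """Total queries per resolver and each client's delay across a fleet."""
    load, delays = Counter(), []
    for servers in configs:
        delay, sent = stub(servers, alive)
        load.update(sent)
        delays.append(delay)
    return load, delays

def demo(clients=1000):
    """Constructed scenario: resolver A is overloaded and silent, B answers."""
    alive = {"B"}
    same_order = [("A", "B")] * clients
    split = [("A", "B")] * (clients // 2) + [("B", "A")] * (clients // 2)
    return {
        "sequential": fleet(sequential_stub, same_order, alive),
        "fanout": fleet(fanout_stub, same_order, alive),
        "split_sequential": fleet(sequential_stub, split, alive),
    }

if __name__ == "__main__": print(demo())
```

In this model the fan-out behaviour doubles the queries reaching the already silent resolver A, and the 50/50 ordering leaves half the clients waiting out a full timeout whenever either address fails.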
