On 02/19/2010 06:25:10 AM, Siim Põder wrote:
> Hi
> 
> Karl O. Pinc wrote:
> > So, unless you're pulling names out of /etc/hosts it's likely
> > that randomization does nothing.  And if the bind administrator
> > has gone to the extra work to enable a fixed ordering of
> > RR records then randomization destroys his work.
> 
> That's entirely dependent on the DNS server.

Yes, entirely implementation dependent as noted.

> Some DNS servers do not
> randomize the order (so I've heard).
> 
> Moreover, if you consider that openvpn is mostly used to connect to
> central resources from a random location, you can not assume anything
> about the nameserver(s) you resolve through. Therefore even if you go
> through the trouble of enabling fixed ordering on your DNS, it is
> likely that the (caching) nameservers that the clients resolve through
> randomize the list sometimes and you will get unpredictable results
> anyway.
> 
> So IMO it would be better to pick at random for load balancing (the case
> when ISP local nameserver caches and responds with a static list) as
> there is no obvious reason for fixed ordering and even if there were,
> it would not work anyway (unless used in an environment entirely under
> your control).

I prefer the "Unix way" where each bit of software does one thing
and does it well.  This is a matter of taste, taste for modularity IMO.
Leaving the choice regarding randomization to the resolver/dns server
keeps the system modular and provides a centralized point of control.
(Some people do have their dns entirely under their control.)

As you point out, there can be a legitimate need for randomization
to provide control over load balancing from within the application.  
If this is an important enough feature then it should be just that, 
a feature that's dynamically configurable in OpenVPN's config file
and designed to do something specific.  In this case it might,
possibly, make more sense to be able to specify the address pool
within the config file, or pushed to the client in some fashion
(caching between openvpn invocations would obviously be required), etc.
Options regarding randomized choice, cycling, etc. could also be
provided.  One of those options could also be a fixed fallback
sequence, so that instead of load balancing you get failover.
(This is all blue-sky thinking, I've not steeped myself in
OpenVPN enough of late to be sure how any of this would work.)

Implementing randomization as a configurable feature gets
you the best of both worlds.  Somebody other than me needs
to decide if the added feature creep is worth it.

Regards,

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

