[dns-operations] Load balancing DNS queries across many machines

Matthew Dempsky matthew at dempsky.org
Thu Jul 16 23:37:13 UTC 2009

What do large authoritative zones currently do about load balancing
DNS queries across many machines?  E.g., .com and .net have 15 IP
addresses (13 IPv4 + 2 IPv6) listed to handle queries, but I think
Verisign has many more machines than this to handle the load.

I know anycast is often used to help divide the load across multiple
sites, but what do zones do about splitting load across multiple
machines at a single site?  Do they anycast individual machines and
just rely on multipath routing to load balance, or put all of the
machines on the same network and use VRRP or CARP, or do any sites use
higher level protocols for load balancing?

I ask because a current deployment path for DNSCurve for authoritative
zones is to have admins set up a DNSCurve-to-DNS forwarder, which
transparently handles DNSCurve for the existing servers (similar to
HTTPS-to-HTTP forwarders).  However, two downsides to this approach
are 1) the forwarder needs to maintain some state to be able to
encrypt and forward response packets and 2) the DNS server doesn't
know the original source address for logging and/or client

One solution to this is for the forwarder to forward the DNS packet
along with the source address (and port) and some extra state bytes.
The backend server would then respond with a DNS packet and echo back
the extra information given, so the forwarder can know what to do with
the response.

I suspect if any existing large sites do application-level load
balancing of DNS queries, they've probably come up with a similar
solution.  Also, because this new backend protocol would require
authoritative server support, it seems worthwhile to try to build on
existing practice rather than reinvent the wheel if possible.
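The forwarder-to-backend exchange sketched above, as an added example that is not part of the original post and not DNSCurve or any existing server's protocol. The envelope layout (the "FX" magic, version byte, address family, 16-byte address, port, length-prefixed opaque state, then the DNS packet), the function names and the stub resolver that merely sets the QR bit are all constructed for this illustration; the point it shows is that the backend echoes the client address, port and state unchanged, so the forwarder keeps no per-query table and the backend still sees the real client address for logging.

```python
import ipaddress
import struct

# Hypothetical wire format for the forwarder <-> backend hop (constructed for
# this example; it is not DNSCurve and not any existing server's protocol):
#   2 bytes  magic "FX"
#   1 byte   version
#   1 byte   address family (4 or 6)
#   16 bytes client address (IPv4 right-aligned in 16 bytes)
#   2 bytes  client UDP port
#   1 byte   length of opaque state
#   N bytes  opaque state the backend must echo back unchanged
#   rest     the DNS packet itself
MAGIC = b"FX"
VERSION = 1
_HDR = "!BB16sHB"
_HDR_LEN = 2 + struct.calcsize(_HDR)  # 23 bytes precede the state field
MAX_STATE = 255


def encode_envelope(client_ip, client_port, state, dns_packet):
    """Wrap a DNS packet with the client's address/port and opaque state."""
    if len(state) > MAX_STATE:
        raise ValueError("state too long")
    addr = ipaddress.ip_address(client_ip)
    packed = addr.packed.rjust(16, b"\x00")
    hdr = MAGIC + struct.pack(_HDR, VERSION, addr.version, packed,
                              client_port, len(state))
    return hdr + state + dns_packet


def decode_envelope(blob):
    """Inverse of encode_envelope; raises ValueError on malformed input."""
    if len(blob) < _HDR_LEN or blob[:2] != MAGIC:
        raise ValueError("bad envelope header")
    version, family, packed, port, slen = struct.unpack_from(_HDR, blob, 2)
    if version != VERSION:
        raise ValueError("unsupported envelope version %d" % version)
    if len(blob) < _HDR_LEN + slen:
        raise ValueError("truncated state field")
    state = blob[_HDR_LEN:_HDR_LEN + slen]
    dns_packet = blob[_HDR_LEN + slen:]
    if family == 4:
        ip = ipaddress.IPv4Address(packed[-4:])
    elif family == 6:
        ip = ipaddress.IPv6Address(packed)
    else:
        raise ValueError("unknown address family %d" % family)
    return str(ip), port, state, dns_packet


def is_valid_envelope(blob):
    """True if decode_envelope accepts the blob; used to reject junk early."""
    try:
        decode_envelope(blob)
        return True
    except ValueError:
        return False


def backend_handle(blob):
    """Backend side: unwrap, answer the DNS packet, re-wrap with the same
    client address, port and state so the forwarder needs no lookup table."""
    client_ip, client_port, state, query = decode_envelope(blob)
    if len(query) < 12:
        raise ValueError("DNS packet shorter than its header")
    # Stand-in resolver logic: echo the query with the QR bit set and an
    # empty answer section. A real server would build a proper answer here;
    # the echo of the envelope around it is what this example demonstrates.
    flags = struct.unpack("!H", query[2:4])[0] | 0x8000
    response = query[:2] + struct.pack("!H", flags) + query[4:]
    # client_ip / client_port are visible here for logging, which is one of
    # the things the plain DNSCurve-to-DNS forwarder design loses.
    return encode_envelope(client_ip, client_port, state, response)


def forwarder_roundtrip(client_ip, client_port, state, query):
    """Forwarder side: wrap the client's query, hand it to the backend and
    recover where (and with what state) the response must be sent."""
    wrapped = encode_envelope(client_ip, client_port, state, query)
    return decode_envelope(backend_handle(wrapped))


# Constructed sample: a standard query for example.com / A with id 0x1234.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))


if __name__ == "__main__":
    ip, port, state, resp = forwarder_roundtrip("192.0.2.10", 40123,
                                                b"session-7", SAMPLE_QUERY)
    print(ip, port, state, resp[:4].hex())
```

In a real deployment the opaque state would carry whatever the forwarder needs to encrypt the reply for that particular client, and the backend would treat it as bytes it never inspects; bounding its length and validating the envelope before parsing the DNS payload keeps a malformed hop from upsetting the backend.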
