[dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)
Doug Barton
dougb at dougbarton.us
Fri Apr 17 23:09:47 UTC 2015
On 4/17/15 3:53 PM, Roland Dobbins wrote:
>
> On 18 Apr 2015, at 5:44, Chuck Anderson wrote:
>
>> 2. Use anycast to make your multiple DNS servers appear as one IP, and
>> put that one IP in /etc/resolv.conf. You can have multiple IPs,
>> but each one should still be anycasted.
>
> The problem with using only one IP is that if someone accidentally
> fat-fingers an ACL or a routing statement or a firewall rule or
> whatever, all recursive DNS is hosed.
>
> So, anycasting *two* IP addresses (on differing netblocks) is probably
> warranted.
IME the behavior in failover to a secondary resolver address is so
troublesome that if you're going to go to the trouble of anycasting (or
load balancing) a resolver address it's better to go with just one.
In the unlikely event that someone does what you describe, Roland (i.e.,
fat-fingers access to a core services network), you're going to have so
many other problems that resolver failover is going to be the least of
your worries.
FWIW,
Doug
--
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!
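The two positions in the thread (one anycast address, or two on differing netblocks) can both be checked mechanically against a resolv.conf. The script below is an added example, not code from the dns-operations thread or from any of its authors. It assumes a simplified model of the glibc stub resolver (nameservers tried in listed order, each attempt walking the whole list, an unresponsive server costing `timeout` seconds before the next is tried; real glibc also applies backoff and `rotate`), and the resolv.conf contents and addresses are constructed from documentation ranges. The function names (`parse_resolv_conf`, `netblock_warnings`, `first_live_server_delay`) are this example's own.

```python
"""Sanity checks for a resolv.conf that lists anycast resolver addresses.

Added example, not from the mailing-list thread. The failover model is a
simplification of the glibc stub resolver (see module docstring above);
all addresses and file contents below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

DEFAULT_TIMEOUT = 5    # glibc default for "options timeout:" (seconds)
DEFAULT_ATTEMPTS = 2   # glibc default for "options attempts:"


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    timeout: int = DEFAULT_TIMEOUT
    attempts: int = DEFAULT_ATTEMPTS


def parse_resolv_conf(text: str) -> ResolvConf:
    """Extract nameserver lines and the timeout/attempts options."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            conf.nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                if key == "timeout" and val.isdigit():
                    conf.timeout = int(val)
                elif key == "attempts" and val.isdigit():
                    conf.attempts = int(val)
    return conf


def shared_prefix_bits(a: str, b: str) -> int:
    """Length of the longest common prefix of two addresses (0 if mixed family)."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        return 0
    diff = int(ia) ^ int(ib)
    return ia.max_prefixlen - diff.bit_length()


def netblock_warnings(conf: ResolvConf, prefix: int = 24) -> List[str]:
    """Flag the fat-finger risks discussed in the thread: a single address,
    or several addresses that all sit inside the same /prefix."""
    warnings: List[str] = []
    ns = conf.nameservers
    if len(ns) < 2:
        warnings.append("only one resolver address: one bad ACL, route or "
                        "firewall rule blackholes all recursion")
    for i in range(len(ns)):
        for j in range(i + 1, len(ns)):
            if shared_prefix_bits(ns[i], ns[j]) >= prefix:
                warnings.append(f"{ns[i]} and {ns[j]} share a /{prefix}: "
                                "one routing or ACL mistake can take out both")
    return warnings


def first_live_server_delay(conf: ResolvConf, dead: Set[str]) -> Optional[int]:
    """Seconds a stub spends waiting on unresponsive servers before a live
    one is queried, under the simplified model. None if every attempt is
    exhausted without reaching a live server."""
    delay = 0
    for _ in range(conf.attempts):
        for server in conf.nameservers:
            if server in dead:
                delay += conf.timeout   # assumed cost of one unanswered query
            else:
                return delay
    return None


# Constructed sample: two anycast addresses that happen to share a /24.
SAMPLE_RESOLV_CONF = """\
# constructed example, documentation addresses
nameserver 192.0.2.53
nameserver 192.0.2.54
options timeout:2 attempts:2
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for w in netblock_warnings(conf):
        print("WARN:", w)
    print("delay with first address blackholed:",
          first_live_server_delay(conf, {"192.0.2.53"}), "s")
    print("delay with the whole /24 blackholed:",
          first_live_server_delay(conf, set(conf.nameservers)))
```

The delay figure is what makes Doug's point concrete: with the first listed address dead, every fresh lookup on the host pays `timeout` seconds before the second address is even tried, which is the "troublesome" failover behaviour he describes. The netblock check is Roland's mitigation, and it also reports the case where both addresses would fall to the same mistake because they share a prefix.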