[dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)

[Mike Hoskins (michoski)]

-----Original Message-----
From: Doug Barton <dougb at dougbarton.us>
Date: Friday, April 17, 2015 at 7:09 PM
To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
Subject: [dns-operations] Anycast resolver addresses (Was: Do Unix stubs
round robin nameserver addresses?)

>On 4/17/15 3:53 PM, Roland Dobbins wrote:
>>
>> On 18 Apr 2015, at 5:44, Chuck Anderson wrote:
>>
>>> 2. Use anycast to make your multiple DNS servers appear as one IP, and
>>>  put that one IP in /etc/resolv.conf.  You can have multiple IPs,
>>>  but each one should still be anycasted.
>>
>> The problem with using only one IP is that if someone accidentally
>> fat-fingers an ACL or a routing statement or a firewall rule or
>> whatever, all recursive DNS is hosed.
>>
>> So, anycasting *two* IP addresses (on differing netblocks) is probably
>> warranted.
>
>IME the behavior in failover to a secondary resolver address is so
>troublesome that if you're going to go to the trouble of anycasting (or
>load balancing) a resolver address it's better to go with just one.
>
>In the unlikely event that someone does what you describe Roland (i.e.,
>fat-finger access to a core services network), you're going to have so
>many other problems that resolver failover is going to be the least of
>your worries.

Fully agreed, but many years ago when I first set this kind of environment
up I found email threads, source code comments, etc. alluding to the way
you should never have just one IP in resolv.conf because of quirky
resolver semantics that "could in theory" lead to scenarios where you get
quick retries with multiple servers vs just blocking/exponentially backing
off/making things worse if there is only one.  Sort of like dry firing
antique firearms, I never cared to prove it out and just erred on the side
of caution.  :-)