[dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)
dougb at dougbarton.us
Sat Apr 18 00:06:18 UTC 2015
On 4/17/15 4:42 PM, Roland Dobbins wrote:
> On 18 Apr 2015, at 6:09, Doug Barton wrote:
>> In the unlikely event that someone does what you describe Roland
>> (i.e., fat-finger access to a core services network),
> Fat-Fingering happens all the time, as everyone on this list knows.
> Since it's trivial to set up two anycasted addresses instead of one, why
> not go ahead and do so?
You snipped out the part of my message that explained the answer to that.
Fallback to secondary resolvers is nearly universally horrible. In his
long diatribe Chuck described some of the problems. I would add that
Windows is quite a bit worse than what he described. If a Windows
end-user system doesn't get a response from the first (primary) resolver
address it then tries ALL of the addresses it knows. So if the cause of
the fallback is that the primary resolver is overloaded Windows creates
its own thundering herd problem by banging away until it gets an answer.
And that's just one example.
> And to go further, why not assign one as the first recursor and the
> other as the second recursor with ~50% of any endpoints under one's own
> span of control, and then reverse the order for the other 50%?
Because fallback is to be avoided at all costs. If one of those
addresses is working, it's overwhelmingly likely that they both will be.
So by doing what you suggest you've added complexity for no real benefit.
Regarding Mike Hoskins' response, I've configured just one address on
many platforms for many years, and never had a problem. It is true that
the default behavior for Unix stubs is to try each 'nameserver' address
in order till it times out, then cycle back through the list. I don't
know where your "quick retries" information came from, but TMK that's
never been the case.
PS, I really wasn't intending to start a conversation on this topic ....
I'm really more interested in knowing whether folks see round robin of
name server addresses often, or at all. :)
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!
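The cost of the sequential Unix stub behaviour described in the message above (try each `nameserver` in order until it times out, then cycle back through the list) can be put into numbers with a small model. This is an added example, not part of the original post. It assumes a fixed per-try timeout of 5 seconds and 2 passes over the list, matching the documented `resolv.conf` defaults for `timeout` and `attempts`; real stubs may scale timeouts between tries. The function names and the 20 ms round-trip time are hypothetical.

```python
def stub_lookup(servers_up, timeout=5.0, attempts=2, rtt=0.02, start=0):
    """Model one lookup by a sequential stub resolver (simplified).

    servers_up: list of bools in resolv.conf order, True = server answers.
    start:      index of the first server tried (0 unless rotating).
    Returns (seconds_elapsed, queries_sent_per_server, answered).
    """
    n = len(servers_up)
    sent = [0] * n
    elapsed = 0.0
    for _ in range(attempts):          # one pass over the list per attempt
        for i in range(n):
            idx = (start + i) % n
            sent[idx] += 1
            if servers_up[idx]:
                return elapsed + rtt, sent, True
            elapsed += timeout         # silent server costs a full timeout
    return elapsed, sent, False


def mean_latency(servers_up, lookups, rotate=False, **kw):
    """Average lookup time over many lookups.

    rotate=True models round-robin selection of the first server
    (the resolv.conf 'rotate' option), one step per lookup.
    """
    total = 0.0
    for k in range(lookups):
        start = k % len(servers_up) if rotate else 0
        seconds, _, _ = stub_lookup(servers_up, start=start, **kw)
        total += seconds
    return total / lookups


if __name__ == "__main__":
    # Constructed scenario: first listed resolver is silent, second answers.
    scenario = [False, True]
    print("single lookup:", stub_lookup(scenario))
    print("mean, in-order:", mean_latency(scenario, 100))
    print("mean, rotate:  ", mean_latency(scenario, 100, rotate=True))
    print("both silent:   ", stub_lookup([False, False]))
```

In this model every lookup pays the full timeout while the first listed address is silent, and rotation only halves the average rather than removing the delay.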