[dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)

Doug Barton dougb at dougbarton.us
Sat Apr 18 00:06:18 UTC 2015

On 4/17/15 4:42 PM, Roland Dobbins wrote:
> On 18 Apr 2015, at 6:09, Doug Barton wrote:
>> In the unlikely event that someone does what you describe Roland
>> (i.e., fat-finger access to a core services network),
> Fat-Fingering happens all the time, as everyone on this list knows.
> Since it's trivial to set up two anycasted addresses instead of one, why
> not go ahead and do so?

You snipped out the part of my message that explained the answer to that 

Fallback to secondary resolvers is nearly universally horrible. In his 
long diatribe Chuck described some of the problems. I would add that 
Windows is quite a bit worse than what he described. If a Windows 
end-user system doesn't get a response from the first (primary) resolver 
address it then tries ALL of the addresses it knows. So if the cause of 
the fallback is that the primary resolver is overloaded Windows creates 
its own thundering herd problem by banging away until it gets an answer. 
And that's just one example.

> And to go further, why not assign one as the first recursor and the
> other as the second recursor with ~50% of any endpoints under one's own
> span of control, and then reverse the order for the other 50%?

Because fallback is to be avoided at all costs. If one of those 
addresses is working, it's overwhelmingly likely that they both will be. 
So by doing what you suggest you've added complexity for no real benefit.

Regarding Mike Hoskins' response, I've configured just one address on 
many platforms for many years, and never had a problem. It is true that 
the default behavior for Unix stubs is to try each 'nameserver' address 
in order till it times out, then cycle back through the list. I don't 
know where your "quick retries" information came from, but TMK that's 
never been the case.


PS, I really wasn't intending to start a conversation on this topic .... 
I'm really more interested in knowing whether folks see round robin of 
name server addresses often, or at all. :)

I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!
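The two stub behaviours described in this thread (a Unix stub walking its 'nameserver' list in order until each times out, and a Windows stub that queries every address it knows once the primary fails to answer) can be put side by side in a small model. The following is an added example, not code from the list post or from any resolver implementation; the sequential model's defaults follow glibc's resolv.conf defaults (timeout:5 attempts:2), the all-at-once model is written from the post's description rather than from documented Windows behaviour, and its 1-second timeout, the 192.0.2.x addresses (TEST-NET) and the latency figures are constructed values.

```python
"""Model stub-resolver fallover to show why failing to a secondary is costly.

Two stub strategies are modelled against a list of resolver addresses, each
marked up or down, and the model reports who answered, how long the client
waited, and how many queries each resolver address absorbed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Resolver:
    addr: str
    up: bool
    latency_ms: int = 5  # answer time when the resolver is up (constructed)


def sequential_stub(resolvers, timeout_s=5, attempts=2):
    """Unix-style stub as described in the post: try each 'nameserver' in
    order, wait timeout_s for each, then cycle back through the list; give up
    after `attempts` full passes.  Defaults match glibc's resolv.conf defaults.
    Returns (answering address or None, elapsed_ms, per-address query counts)."""
    elapsed = 0
    sent = Counter()
    for _ in range(attempts):
        for r in resolvers:
            sent[r.addr] += 1
            if r.up:
                return r.addr, elapsed + r.latency_ms, sent
            elapsed += timeout_s * 1000  # dead address: burn the full timeout
    return None, elapsed, sent


def all_at_once_stub(resolvers, timeout_s=1):
    """Windows-style stub as the post describes it: if the first (primary)
    address gives no answer, query every known address at once, including the
    primary again.  timeout_s is a constructed value, not a documented default."""
    sent = Counter()
    primary = resolvers[0]
    sent[primary.addr] += 1
    if primary.up:
        return primary.addr, primary.latency_ms, sent
    elapsed = timeout_s * 1000
    for r in resolvers:
        sent[r.addr] += 1  # the retry round hits every address, primary included
    live = [r for r in resolvers if r.up]
    if live:
        best = min(live, key=lambda r: r.latency_ms)
        return best.addr, elapsed + best.latency_ms, sent
    return None, elapsed + timeout_s * 1000, sent


def load_per_resolver(resolvers, n_clients, stub):
    """Queries each resolver address receives when n_clients stubs all fall
    over at the same moment: the 'thundering herd' the post warns about."""
    total = Counter()
    for _ in range(n_clients):
        _, _, sent = stub(resolvers)
        total.update(sent)
    return dict(total)


if __name__ == "__main__":
    # Constructed scenario: the primary anycast address is unreachable.
    pool = [Resolver("192.0.2.53", up=False), Resolver("192.0.2.54", up=True)]
    for name, stub in (("sequential", sequential_stub), ("all-at-once", all_at_once_stub)):
        who, ms, sent = stub(pool)
        print(f"{name:12s} answered by {who} after {ms} ms, queries {dict(sent)}")
    print("1000 clients, all-at-once:", load_per_resolver(pool, 1000, all_at_once_stub))
```

The first model shows the cost the post is pointing at: a client behind a dead primary waits the full per-address timeout before it even asks the secondary, and with both addresses dead it spends attempts × servers × timeout (20 seconds at the defaults) before giving up. The second shows the amplification: once the primary stops answering, every retry round sends it another query on top of the one that already failed, so an overloaded primary receives more traffic exactly when it can least absorb it.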
