[dns-operations] Anycast resolver addresses

Noel Butler noel.butler at ausics.net
Sat Apr 18 09:32:43 UTC 2015


 

On 18/04/2015 10:11, Roland Dobbins wrote: 

> On 18 Apr 2015, at 7:06, Doug Barton wrote:
> 
>> You snipped out the part of my message that explained the answer to that question.
> 
> I understood the answer, I've just seen enough examples of ACLs and firewall rules and so forth being borked and remaining borked for unreasonable lengths of time until they're finally fixed that even in this context, having another address which can be used for recursive DNS service makes sense to me.

If it is so screwed because of fat fingering, the problem will be
noticed en masse, and CSRs would be overloaded with such complaint levels
that it would actually be escalated rather quickly, and the problem
would be identified and fixed much faster than if it was by your
assumptions.

At _ISP_ we anycasted the primary end user cache server IP at every PoP.
If for whatever reason it was unavailable, the secondary cache IP was
the "main secondary" in the primary NOC. This worked fine for many years,
with rarely any hits on it, even from that state's users. I think you're
trying to introduce unnecessary complexities, and THAT we all know
increases the risk of disasters.
 