CNAME and Round Robin

Danny Mayer mayer at gis.net
Wed Nov 15 02:19:00 UTC 2000


Two comments here.

1) An SSL client shouldn't need to look up an IP address again once it has it. It should continue to use the same IP address for the duration of the session. If it's not doing that then the client is broken (not to mention making poor use of Internet Resources).

2) A properly set up SSL server complex should be able to figure out what the SSL endpoint of the SSL tunnel is and pass on the packets to that endpoint. This is not simple to implement but is doable. You basically pass the IP information to several identical servers which track clients and server endpoints and point the receiving front-end server to the tunnel endpoint. It's more complicated than that, of course, but you get the general idea.

			Danny

At 02:54 AM 11/14/00 +0000, Chris Clark wrote:
>thanks for the replies... an A record round robin does break SSL sessions.
>Especially behind proxy servers. I have tried the CNAME round robin and it
>worked for a while. Now the DNS server just answers with one record. It does
>not round robin now.... Anybody know what versions of BIND or options will
>round robin on CNAME's????
>
>"Igmar Palsenberg" <maillist at chello.nl> wrote in message
>news:Pine.LNX.4.21.0011131338320.839-100000 at server.serve.me.nl...
>>
>> On Sun, 12 Nov 2000, Danny Mayer wrote:
>>
>> >
>> > I'm confused.  What has SSL got to do with CNAMES?  SSL encrypts the
>> >   packets, not the IP address.
>>
>> I was talking about the suggested A record round robin, not the CNAMES
>> stuff.
>> Maybe browsers are intelligent enough to stick to one IP, but I wouldn't
>> rely on that.
>>
>> Igmar
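The second point in Danny's message, a set of identical front-end servers sharing a client-to-endpoint table so that packets from one client always reach the same SSL tunnel endpoint, is sketched below as an added example. It is not code from the thread or from BIND; the backend addresses, the client addresses, the in-memory table and the TTL are constructed for the illustration.

```python
"""Sticky routing for a multi-server SSL front end (added example, not from the thread)."""
import itertools
import time


class SharedEndpointTable:
    """Client -> SSL tunnel endpoint mapping consulted by every front end.

    A real deployment would keep this in a replicated store; here it is a
    plain dict so the example runs stand-alone (constructed for the example).
    """

    def __init__(self, backends, ttl=300.0):
        if not backends:
            raise ValueError("at least one backend endpoint is required")
        self._backends = list(backends)
        self._cycle = itertools.cycle(self._backends)   # new clients are spread round-robin
        self._ttl = ttl                                  # idle seconds before a client is forgotten
        self._entries = {}   # (client_ip, client_port) -> (backend, last_seen)

    def endpoint_for(self, client_ip, client_port, now=None):
        """Return the tunnel endpoint for this client, assigning one if it is new or expired."""
        now = time.monotonic() if now is None else now
        key = (client_ip, client_port)
        entry = self._entries.get(key)
        if entry is not None and now - entry[1] < self._ttl:
            backend = entry[0]            # known client: keep the same tunnel endpoint
        else:
            backend = next(self._cycle)   # new (or expired) client: next backend in rotation
        self._entries[key] = (backend, now)
        return backend

    def active_clients(self, now=None):
        """Number of clients whose entry has not yet expired."""
        now = time.monotonic() if now is None else now
        return sum(1 for _, seen in self._entries.values() if now - seen < self._ttl)


class FrontEnd:
    """One of several identical front-end servers that consult the shared table."""

    def __init__(self, name, table):
        self.name = name
        self.table = table

    def forward(self, packet, now=None):
        backend = self.table.endpoint_for(packet["src_ip"], packet["src_port"], now)
        return {"via": self.name, "to": backend, "seq": packet["seq"]}


def simulate(packets, front_ends, table):
    """Deliver packets to front ends in rotation (as DNS round robin would) and collect routes."""
    routes = []
    for i, pkt in enumerate(packets):
        fe = front_ends[i % len(front_ends)]
        routes.append(fe.forward(pkt, now=pkt["t"]))
    return routes


def backends_seen(routes):
    return {r["to"] for r in routes}


def demo():
    """One client's six packets land on three different front ends but one backend."""
    table = SharedEndpointTable(["10.0.0.11:443", "10.0.0.12:443", "10.0.0.13:443"], ttl=60.0)
    fes = [FrontEnd(f"fe{i}", table) for i in range(3)]
    # Constructed client traffic: same source address and port, timestamps 0..5 seconds.
    client = [{"src_ip": "192.0.2.10", "src_port": 40001, "seq": n, "t": float(n)} for n in range(6)]
    return simulate(client, fes, table)


if __name__ == "__main__":
    for route in demo():
        print(route)
```

The key is the client's IP and port, which is the information the front ends actually have before the TLS handshake completes; everything else (session resumption, health of the backends, table replication) is left out to keep the routing decision itself visible.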