DNS Racing - Multi ISP load balancing with failover using DNS.
p.mayers at imperial.ac.uk
Wed Jun 1 09:55:57 UTC 2011
On 01/06/11 08:11, Matus UHLAR - fantomas wrote:
>> On 31/05/11 09:28, Matus UHLAR - fantomas wrote:
>>> This problem could be avoided by providing the same data, but differently
>>> sorted, correct?
> On 31.05.11 12:27, Phil Mayers wrote:
>> Not really. Client side sorting may take place (e.g. to comply with RFC
>> 3484 policies in calls to getaddrinfo) and destroy any server-side
> by "this problem" I mean the DNSSEC. Providing all the data just differently
> sorted would cause them to be DNSSEC compliant, wouldn't it?
Yes, but the client would then re-sort the data, so it wouldn't achieve
the original purpose. Sorting the data server side gives you essentially
no control over which record the client will pick if they are calling
getaddrinfo, as is likely.
As Mark has already pointed out, the approach is not intrinsically
DNSSEC-hostile. It's perfectly legitimate to serve different data with
different, valid, signatures. This is what happens with signature regen
and key rollover. In this case, it would just be a permanent case of
rollover - one KSK, one ZSK per "dns server" and different copies of the
I withhold judgement on whether it's a good approach in general. I
suspect it's just GSLB-lite personally.
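To illustrate the point above about client-side re-sorting, here is an added example (not code from the thread or from BIND) that applies a deliberately simplified subset of the RFC 3484 destination address selection rules (Rules 5, 6, 9 and 10 only, with a single assumed source address instead of per-destination source selection) to a constructed set of A/AAAA answers. Whatever order the server returns them in, the client ends up with the same order, so server-side sorting buys no control over which address is tried first.

```python
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    (ipaddress.ip_network("::1/128"), 50, 0),
    (ipaddress.ip_network("::/0"), 40, 1),
    (ipaddress.ip_network("2002::/16"), 30, 2),
    (ipaddress.ip_network("::/96"), 20, 3),
    (ipaddress.ip_network("::ffff:0:0/96"), 10, 4),
]


def as_v6(addr):
    """Represent an IPv4 address as IPv4-mapped IPv6, as RFC 3484 does for the policy lookup."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def policy_lookup(ip6):
    """Longest-matching-prefix lookup in the policy table; returns (precedence, label)."""
    matches = [(net.prefixlen, prec, label) for net, prec, label in POLICY_TABLE if ip6 in net]
    _, prec, label = max(matches)
    return prec, label


def common_prefix_len(a, b):
    """Rule 9 helper: number of leading bits two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def sort_destinations(answers, source):
    """Simplified RFC 3484 ordering of the addresses a resolver handed back.

    Rule 5 (prefer matching label), Rule 6 (prefer higher precedence) and
    Rule 9 (prefer longest matching prefix) are applied; Rule 10 keeps the
    input order only for complete ties, which is the one place the server's
    ordering can still show through. 'source' is the assumed local address.
    """
    src = as_v6(source)
    _, src_label = policy_lookup(src)

    def key(addr):
        dst = as_v6(addr)
        prec, label = policy_lookup(dst)
        return (label != src_label, -prec, -common_prefix_len(dst, src))

    return sorted(answers, key=key)


def client_order_is_server_independent(answers, source):
    """True if reversing the server's answer order leaves the client's choice unchanged."""
    return sort_destinations(answers, source) == sort_destinations(list(reversed(answers)), source)
```

Run it with a constructed answer set such as ["192.0.2.10", "2001:db8:1::10", "2001:db8:2::10"] and an assumed source of 2001:db8:1::1, then again with the answers reversed: the client-side order is identical both times.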