DNS Racing -Multi ISP load balancing with failover using DNS.

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 1 09:55:57 UTC 2011

On 01/06/11 08:11, Matus UHLAR - fantomas wrote:
>> On 31/05/11 09:28, Matus UHLAR - fantomas wrote:
>>> This problem could be avoided by providing the same data, but differently
>>> sorted, correct?
> On 31.05.11 12:27, Phil Mayers wrote:
>> Not really. Client side sorting may take place (e.g. to comply with RFC
>> 3484 policies in calls to getaddrinfo) and destroy any server-side
>> sorting.
> by "this problem" I mean the DNSSEC. Providing all the data just differently
> sorted would cause them to be DNSSEC compliant, wouldn't it?

Yes, but the client would then re-sort the data, so it wouldn't achieve 
the original purpose. Sorting the data server side gives you essentially 
no control over which record the client will pick if they are calling 
getaddrinfo, as is likely.

As Mark has already pointed out, the approach is not intrinsically 
DNSSEC-hostile. It's perfectly legitimate to serve different data with 
different, valid, signatures. This is what happens with signature regen 
and key rollover. In this case, it would just be a permanent case of 
rollover - one KSK, one ZSK per "dns server" and different copies of the 

I withhold judgement on whether it's a good approach in general. I 
suspect it's just GSLB-lite personally.

More information about the bind-users mailing list