REQUEST: Network Interface Failover and multi-DNS resolution

Pekka Savola pekkas at netcore.fi
Fri Aug 13 06:21:16 UTC 2004


On Thu, 12 Aug 2004, Roland McGrath wrote:
> > OK. Maybe so. But I think this is a valid bug based on my observations of the
> > same phenomena. If a machine has ns1 & ns2 listed, ns1 cannot get out to the
> > internet temporarily and returns an error, the whole mail system comes to a
> > stop...even though ns2 is working perfect.
> 
> That is how resolv.conf is supposed to work.  It lists nameservers, and you
> get the first one that is available, i.e. answers at all.  If you want more
> complicated logic, that does not belong in the resolver used by applications.
> Use a local caching nameserver that implements the fancy policy you want.

Actually, if ns1's internet connectivity breaks, and you ask it about
names out in the Internet, the response is probably an *error* like
SERVFAIL, or the query times out; it is *not* a negative reply.  Then the
resolver falls back to the next server (or at least it should!).  A
negative reply is returned only if the server is authoritative for the
zone of the name that was queried.

This stuff only happens if you're using split-faced DNS, i.e., zones
aren't unique and queriable by everyone in the world.  Doing so is
against the fundamental principles of DNS.

Again, if it hurts, don't do it.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
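The fallback rule described in the message above, as an added simulation that is not part of this post and is not the source of any real resolver: a stub resolver walks its `nameserver` list in order, treats SERVFAIL and timeouts as "try the next server", and treats NOERROR and NXDOMAIN as final answers. The nameserver behaviours, zone names and addresses below are constructed in memory for the example; nothing is sent on the network.

```python
"""Simulation of resolv.conf-style nameserver fallback (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Response codes as named in RFC 1035.
NOERROR, SERVFAIL, NXDOMAIN = "NOERROR", "SERVFAIL", "NXDOMAIN"


class Timeout(Exception):
    """Raised by a stub nameserver that never answers."""


@dataclass
class Reply:
    rcode: str
    address: Optional[str] = None


# A nameserver is modelled as a function: qname -> Reply (or raises Timeout).
NameServer = Callable[[str], Reply]


@dataclass
class Trace:
    """Which servers a lookup consulted, in order, and what it ended with."""
    steps: List[str] = field(default_factory=list)
    result: Optional[Reply] = None


def resolve(qname: str, nameservers: List[NameServer], attempts: int = 2) -> Trace:
    """Walk the nameserver list the way a stub resolver walks resolv.conf.

    SERVFAIL and a timeout mean "this server could not help", so the next
    server is tried (and the whole list is retried `attempts` times).
    NOERROR and NXDOMAIN are real answers and end the lookup: no further
    server is consulted, which is exactly why an authoritative negative
    answer from ns1 is never "second-guessed" by asking ns2.
    """
    trace = Trace()
    for _round in range(attempts):
        for idx, ns in enumerate(nameservers, start=1):
            try:
                reply = ns(qname)
            except Timeout:
                trace.steps.append(f"ns{idx}: timeout -> next server")
                continue
            if reply.rcode == SERVFAIL:
                trace.steps.append(f"ns{idx}: SERVFAIL -> next server")
                continue
            trace.steps.append(f"ns{idx}: {reply.rcode} -> done")
            trace.result = reply
            return trace
    trace.steps.append("all servers failed")
    return trace


def recursive_server(upstream_ok: bool, table: Dict[str, str]) -> NameServer:
    """A caching recursive server. Without upstream connectivity it can only
    answer SERVFAIL for names it does not already hold."""
    def serve(qname: str) -> Reply:
        if qname in table:
            return Reply(NOERROR, table[qname])
        if not upstream_ok:
            return Reply(SERVFAIL)
        return Reply(NOERROR, "198.51.100.10")  # constructed: "the Internet answered"
    return serve


def authoritative_server(zone: str, table: Dict[str, str]) -> NameServer:
    """A server authoritative for `zone`, as in a split-horizon setup: names in
    the zone get a definitive NOERROR or NXDOMAIN; anything else is SERVFAIL."""
    def serve(qname: str) -> Reply:
        if qname == zone or qname.endswith("." + zone):
            if qname in table:
                return Reply(NOERROR, table[qname])
            return Reply(NXDOMAIN)
        return Reply(SERVFAIL)
    return serve


def scenario_cut_off_forwarder() -> Trace:
    """ns1 lost its uplink and answers SERVFAIL; the resolver moves on to ns2."""
    ns1 = recursive_server(upstream_ok=False, table={})
    ns2 = recursive_server(upstream_ok=True, table={})
    return resolve("www.example.net", [ns1, ns2])


def scenario_silent_server() -> Trace:
    """ns1 never answers at all; the timeout also leads to ns2."""
    def dead(qname: str) -> Reply:
        raise Timeout()
    ns2 = recursive_server(upstream_ok=True, table={"www.example.net": "192.0.2.8"})
    return resolve("www.example.net", [dead, ns2])


def scenario_split_horizon() -> Trace:
    """Both servers are authoritative for corp.example but hold different views.
    ns1's NXDOMAIN is final, so ns2's record for the name is never seen."""
    internal_view = {"mail.corp.example": "10.0.0.25"}
    external_view = {"mail.corp.example": "203.0.113.5", "wiki.corp.example": "203.0.113.6"}
    ns1 = authoritative_server("corp.example", internal_view)
    ns2 = authoritative_server("corp.example", external_view)
    return resolve("wiki.corp.example", [ns1, ns2])


if __name__ == "__main__":
    for name, run in [("cut-off forwarder", scenario_cut_off_forwarder),
                      ("silent server", scenario_silent_server),
                      ("split horizon", scenario_split_horizon)]:
        trace = run()
        print(f"{name}: {trace.steps} -> {trace.result}")
```

The first two scenarios show the behaviour the thread says is correct: an error or a timeout from ns1 leads to ns2 being asked. The third is the split-faced case: because ns1 is authoritative for the zone, its NXDOMAIN is a valid answer and the resolver stops there, even though ns2 would have returned a record. The fix is consistent zone data across all listed servers (or a single local caching server in front of them), not resolver-side policy.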
More information about the fedora-devel-list mailing list