On 2019-01-26 16:24, Paul Ebersman wrote:
ebersman> And if the server doesn't give the same complete answer every
ebersman> time (regardless of order), it's technically violating the DNS
ebersman> RFCs.

dw> I'm not sure that this is really true from a client's standpoint.

dw> Just because you get a different answer from my authoritative server
dw> every time you query doesn't actually mean I am giving you
dw> incomplete answers, maybe I'm just changing the zone very very
dw> frequently?

Yes, if the zone changes. But assuming the same SOA for the zone, giving
a different answer for the same query is breaking the "rules".

Assume I incremented the SOA so many times it wrapped around and is back to the original number (because you can't prove it didn't, therefore your code can't make assumptions about the SOA even if you happen to have it available).

Besides which, the SOA serial shouldn't be used by anything other than primary/secondary implementations which rely on classic zone transfers.


Doesn't mean it doesn't happen (there are all sorts of places we now do
"stupid DNS tricks") but it does violate the RFCs. And assuming you're
not also doing DNSSEC tricks, it breaks DNSSEC.

But getting back to the original topic, the point is that using things
like DNS round robin or trying to load balance by giving different
responses to the same question will tend to bite you in the ass because
you might not want to follow the rules but someone else in the DNS chain
might be strict.

Outside of DNSSEC, everyone else can be as strict as they want: they can either cache the result (within the TTL) or not (it doesn't matter).

(My understanding of DNSSEC is that you could make this work by signing the responses on the fly, but I could be wrong about this; I freely admit I am not up to speed on DNSSEC beyond signing basic zonefile-based zones.)


In general, it's far more reliable for the app that is generating the
query to have any logic or load balancing or whatever built into the app
and not assume that the DNS won't ever surprise you.

Agreed. But in practice, it works well enough on the small scale.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
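An added illustration of the two points argued in the thread (not code from either poster): a DNSSEC signature covers the canonically ordered RRset, so rotating the order of a complete answer still validates, while handing out a different subset per query does not; and a strict caching resolver in the chain serves whichever answer it got first for the whole TTL. The zone data, TTL and the HMAC standing in for a real RRSIG are all constructed assumptions so the example runs offline.

```python
import hmac
import hashlib

# Constructed stand-in for the zone-signing key. Real DNSSEC uses public-key
# RRSIG records; HMAC is used here only so the example is self-contained.
ZONE_KEY = b"constructed-example-zone-signing-key"
TTL = 300  # seconds, constructed

def canonical_rrset(name, rtype, rdatas):
    """Canonical form (RFC 4034 section 6): owner, type, rdata sorted.
    Sorting is what makes the signature independent of answer order."""
    return name.lower() + "|" + rtype + "|" + ",".join(sorted(rdatas))

def sign_rrset(name, rtype, rdatas):
    msg = canonical_rrset(name, rtype, rdatas).encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()

def validate(name, rtype, rdatas, sig):
    return hmac.compare_digest(sign_rrset(name, rtype, rdatas), sig)

# The complete, signed RRset as it exists in the zone (constructed data).
NAME, RTYPE = "www.example.test.", "A"
FULL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
RRSIG = sign_rrset(NAME, RTYPE, FULL)

def round_robin_answer(rrset, query_count):
    """Classic round robin: the whole RRset, rotated per query."""
    k = query_count % len(rrset)
    return rrset[k:] + rrset[:k]

def subset_answer(rrset, query_count):
    """'Stupid DNS trick': a different single record per query."""
    return [rrset[query_count % len(rrset)]]

def check_answers(n_queries=6):
    """Returns (rotated answers validate, subset answers validate)."""
    rotated_ok = all(validate(NAME, RTYPE, round_robin_answer(FULL, i), RRSIG)
                     for i in range(n_queries))
    subset_ok = all(validate(NAME, RTYPE, subset_answer(FULL, i), RRSIG)
                    for i in range(n_queries))
    return rotated_ok, subset_ok

def resolver_view(answer_fn, query_times):
    """Strict caching resolver: the first answer it fetched is served to
    every client until its TTL expires, whatever the authority says next."""
    cache, upstream_queries, served = None, 0, []
    for t in query_times:
        if cache is None or t >= cache[0]:
            cache = (t + TTL, answer_fn(FULL, upstream_queries))
            upstream_queries += 1
        served.append(cache[1])
    return served
```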