On Tue, Aug 4, 2015 at 9:39 AM, Mark Andrews <ma...@isc.org> wrote:

> In message <9c2aca5a-755d-4fcf-8491-745a1f911...@puck.nether.net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you
> > can have implementation diversity on the backside.
> >
> > I can send an example config out later for people. You can balance to
> > bind NSD and others all at the same time :-) just move your SPoF
>
> Unless the same client hits the same server all the time this is a
> bad idea.
>
But tying a set of clients to the same backend puts them all in the same failure domain....

> Resolvers actually track capabilities of servers as it is the only
> way to get answers due to firewalls dropping legitimate packets and
> protocol misimplementations. Add to that different vendors /
> versions supporting different extensions randomly flipping between
> vendors / versions is fraught with danger unless you take extreme
> care.

Out of curiosity, do any resolvers other than BIND do this? I ask because BIND has a reputation for having "too many" features, and I wonder if this is one of them.

Damian

> > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <j...@baylink.com> wrote:
> > >
> > > Everyone got BIND updated?
> > >
> > > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org