On Fri, 19 May 2000, Bernd Eckenfels wrote:

> It is easier if you have multiple IP Addresses assigned to the same name.
> You won't need wildcard certificates and DNS is doing the load balancing for
> you.

<nit> "Load sharing" is a better term than "Load balancing" if you're
using normal DNS.
</nit>

As an aside, if you want "interesting" stuff from DNS, instead of just
round robin A records, "Paul's fun DNS failover trick" is to round-robin
the NS records for the host (I generally put them in their own subdomain)
then run an authoritative DNS on the host itself which has its own IP
address for the A record.  That way you get box (not service, but hey it's
free) level failover with zero DNS code changes.  

eg.

Zone
----------------------------------------
server.foo.com  IN NS     127.0.0.1
                          127.0.0.2
                          127.0.0.3
----------------------------------------

First server  (127.0.0.1)
----------------------------------------
www             IN A      127.0.0.1
----------------------------------------

Second server (127.0.0.2)
----------------------------------------
www             IN A      127.0.0.2
----------------------------------------

Third server (127.0.0.3)
----------------------------------------
www             IN A      127.0.0.3
----------------------------------------

It's possible to play service-level games with the boxes or the NS
records, but BIND doesn't like to round robin NS records internally, so
you won't get a new NS for each query, no matter what the TTL is, but if
a server goes down, you'll automatically get the next server from any
client that I've seen.  If you do it for your TLD, then your load
sharing/failover stuff lives in the root servers for your domain.  If you
get bored, you can always switch back to round robin RRs lower down in
the hierarchy.

This has always seemed to be a good failover scheme for proxy servers on
the internal network, though if you want load sharing to work well in a
contained environment, you'll want to make the internal DNS part of
the scheme itself and use multiple nameserver lines in the clients with
different ordering for each subnet to get the initial seeding distributed
well.

The downside if you're running BIND is that you'll have to update DNS on
more boxes when the next exploit surfaces.

Paul     
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
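The delegation trick in Paul's message, as an added example that is not part of the original post: a small Python model of the parent zone delegating server.foo.com to three boxes, each box answering "www" with its own address, and a resolver that walks the NS list and skips servers that do not answer. It puts that scheme beside plain round-robin A records so the difference the post describes (a dead box drops out of the answers with the delegation trick, but keeps being handed to clients with round-robin A records) can be observed, and it also models the caveat that the parent may hand out the NS records in a fixed order. The loopback addresses are the post's own placeholders, and the resolver behaviour ("try each NS in order, fall through on failure") is an assumption that stands in for what real resolvers do.

```python
"""Toy model of the NS-delegation failover trick from the post.

Added example, not code from the original message. Assumptions: the
three loopback addresses are the post's placeholders (real NS records
name a host rather than an IP), and resolver behaviour is modelled as
"query the delegated NS list in order, skip servers that do not answer".
"""

ZONE = "server.foo.com"
WWW = "www." + ZONE

# Parent zone, constructed from the post: one NS record per box.
PARENT_NS = ["127.0.0.1", "127.0.0.2", "127.0.0.3"]


class Box:
    """One server running its own authoritative DNS for the subdomain.

    Its only record is www -> its own IP, so whichever box answers the
    query is the box the client will connect to.
    """

    def __init__(self, ip):
        self.ip = ip
        self.up = True
        self.records = {(WWW, "A"): [ip]}

    def query(self, name, rtype):
        if not self.up:
            raise ConnectionError(f"{self.ip} is down")
        return self.records.get((name, rtype), [])


def rotate(seq, n):
    """Round-robin ordering: hand out the list starting at offset n."""
    n %= len(seq)
    return seq[n:] + seq[:n]


def delegated_lookup(boxes, ns_order):
    """Resolver model for the delegation trick.

    Query the delegated nameservers in the order given; a server that
    does not answer is skipped.  The A record returned therefore always
    belongs to a box that is up, which is the failover the post relies on.
    """
    for ns_ip in ns_order:
        try:
            answer = boxes[ns_ip].query(WWW, "A")
        except ConnectionError:
            continue  # this box is dead; try the next NS
        if answer:
            return answer[0]
    raise LookupError("SERVFAIL: no delegated server reachable")


def round_robin_a_lookup(a_records, offset):
    """Plain round-robin A records in a single zone.

    The answer rotates, but the zone has no idea which boxes are alive,
    so a dead box keeps being handed to clients until someone edits DNS.
    """
    return rotate(a_records, offset)[0]


def make_boxes():
    return {ip: Box(ip) for ip in PARENT_NS}


def simulate(boxes, down, queries, rotate_ns=True):
    """Answer `queries` lookups under both schemes with `down` boxes dead.

    rotate_ns=False models a parent that does not round-robin NS records
    (the BIND behaviour mentioned in the post): failover still works, but
    the load is not shared.  Returns (delegated_answers, rr_answers).
    """
    for ip in boxes:
        boxes[ip].up = ip not in down
    ips = list(boxes)
    delegated, rr = [], []
    for i in range(queries):
        ns_order = rotate(PARENT_NS, i) if rotate_ns else PARENT_NS
        delegated.append(delegated_lookup(boxes, ns_order))
        rr.append(round_robin_a_lookup(ips, i))
    return delegated, rr


if __name__ == "__main__":
    boxes = make_boxes()
    print("all up:   ", simulate(boxes, set(), 6))
    print("one down: ", simulate(boxes, {"127.0.0.2"}, 6))
    print("fixed NS: ", simulate(boxes, set(), 6, rotate_ns=False))
```

With 127.0.0.2 marked down, the delegated answers never contain it while every third round-robin A answer still does; with a parent that does not rotate NS records, every delegated answer is 127.0.0.1 until that box dies, which is the "box-level failover, not load sharing" the post describes.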
