[nsd-users] DNSSEC question

Michael A. Peters mpeters at domblogger.net
Tue Apr 5 03:21:24 UTC 2016



On 04/04/2016 02:54 PM, dmitry kohmanyuk wrote:
> On 4 Apr 2016, at 23:32, Peter Hessler <phessler at theapt.org> wrote:
>>
>> No.  DNS does not have "an order".
>>
>
> Indeed. Apart from record types which include a weight field (MX, SRV). Perhaps the author wants AAAA tried before A in case a "smart" resolver omits DNSSEC-unsigned responses?
> This is orthogonal to presence of DNSSEC in the zone, and is on client side only.
>
> So please specify your problem more precisely: is that a resolver/cache you control, zone, or both?

What I was hoping to have is a couple of CDN nodes in North America, a couple 
in Europe, etc., but configure the httpd on each CDN end-point to be able 
to handle requests for the others.

So nsd1 and nsd2 are both different nodes in North America.

If nsd1 goes down for whatever reason, the second A record would point 
users to the other node, thus providing both distribution of static 
content load and redundancy in case one goes down, without a system 
administrator needing to update the zone file until the problem recovers 
(which can take over an hour to propagate anyway).

I know A/AAAA records don't have a priority like MX does; that would solve 
the problem. But I also know that when multiple A records exist, clients tend 
to try them in order. So I was hoping DNSSEC might have a side effect of 
keeping the order intact, but it seems it doesn't.
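The following is an added worked example, not code from this thread or from NSD, showing the mechanism behind the "it doesn't": an RRSIG does not sign the RRset as it appears in the zone file or on the wire, but the RRset in canonical order (RFC 4034 section 6.3, RRs sorted by RDATA as left-justified unsigned octet sequences, duplicates removed), prefixed by the RRSIG RDATA minus the signature field (section 3.1.8.1). Because the signed byte string is identical for every permutation, a validating resolver is free to reorder (or round-robin) the A records and the signature still verifies, so signing cannot pin an order. The owner name, the two RFC 5737 documentation addresses, and the RRSIG header fields (algorithm 13, timestamps, key tag) are constructed for the example.

```python
"""Why DNSSEC cannot preserve A-record order: the RRSIG covers the RRset in
RFC 4034 canonical order, not in zone-file or wire order."""
import hashlib
import ipaddress
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 6.2): lowercase, uncompressed,
    terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One RR in canonical form: owner | type | class | original TTL | rdlength | rdata."""
    return name_to_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def canonical_rrset(owner: str, rtype: int, ttl: int, rdatas) -> bytes:
    """RFC 4034 6.3: drop duplicate RRs, then sort by RDATA treated as a
    left-justified unsigned octet sequence. Python's bytes ordering is exactly
    that comparison, so the order the RRs were listed in is discarded here."""
    return b"".join(canonical_rr(owner, rtype, ttl, r) for r in sorted(set(rdatas)))


def rrsig_rdata_prefix(type_covered: int, algorithm: int, owner: str, original_ttl: int,
                       expiration: int, inception: int, key_tag: int, signer: str) -> bytes:
    """RRSIG RDATA without the trailing signature field (RFC 4034 3.1):
    type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer's name. Labels excludes the root and a leading wildcard."""
    labels = len([l for l in owner.rstrip(".").split(".") if l and l != "*"])
    header = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                         original_ttl, expiration, inception, key_tag)
    return header + name_to_wire(signer)


def signed_data_digest(owner: str, rtype: int, ttl: int, rdatas, rrsig_prefix: bytes) -> str:
    """SHA-256 of the exact byte string the signer signs and the validator
    reconstructs (RFC 4034 3.1.8.1): RRSIG_RDATA | canonical RRset."""
    return hashlib.sha256(rrsig_prefix + canonical_rrset(owner, rtype, ttl, rdatas)).hexdigest()


def a_rdata(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed


def canonical_order(rdatas):
    """Dotted-quad view of the order a validator actually uses for A RDATA."""
    return [str(ipaddress.IPv4Address(r)) for r in sorted(set(rdatas))]


# Constructed example data: two CDN nodes; NODE1 is the one the zone author
# wrote first and hoped clients would try first.
OWNER = "cdn.example.com."
NODE1, NODE2 = "203.0.113.10", "198.51.100.20"   # RFC 5737 documentation addresses
ZONE_ORDER = [a_rdata(NODE1), a_rdata(NODE2)]      # as written in the zone file
ROUND_ROBIN_ORDER = [a_rdata(NODE2), a_rdata(NODE1)]  # as a rotating cache might answer
# Constructed RRSIG header: algorithm 13 (ECDSAP256SHA256), made-up times and key tag.
PREFIX = rrsig_rdata_prefix(TYPE_A, 13, OWNER, 300, 1460000000, 1459000000, 12345, "example.com.")

if __name__ == "__main__":
    d_zone = signed_data_digest(OWNER, TYPE_A, 300, ZONE_ORDER, PREFIX)
    d_rr = signed_data_digest(OWNER, TYPE_A, 300, ROUND_ROBIN_ORDER, PREFIX)
    print("zone order        :", [NODE1, NODE2])
    print("round-robin order :", [NODE2, NODE1])
    print("canonical (signed):", canonical_order(ZONE_ORDER))
    print("same signed bytes :", d_zone == d_rr)
```

Running it shows that the signed bytes for the zone-file order and for the reordered response are identical, and that the canonical order the signature actually covers (198.51.100.20 before 203.0.113.10, by RDATA value) is not the order written in the zone. Whatever order a cache or client ends up using, the RRSIG validates, which is precisely why signing the zone gives no leverage over the order in which clients try the addresses; that choice stays with the resolver and the client's address-selection rules.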
