On Fri, Apr 25, 2014 at 3:51 PM, Chuck Anderson <cra@xxxxxxx> wrote: > I'm starting a new thread to clarify and emphasize the problem I'm > actually trying to solve. Here is the problem restated as I posted it > to the dns-operations list: > > ----- > Is it really expected that the first DNS server listed in > /etc/resolv.conf should never go down? Operationally speaking, who > can actually rely on listing multiple nameservers in /etc/resolv.conf > and using libc's failover mechanism in any kind of production server? > Because the failover behavior in libc is atrocious--each new or > existing process has to re-do the failover after timing out, and even > long-running processes have to call res_init() to re-read resolv.conf. > It seems that the only sensible way to run a datacenter (or a network > full of Linux workstations for that matter) is to either: > > 1. Make sure the first nameserver listed in resolv.conf never goes > down by using Anycast DNS or some other failover mechanism like > VRRP or CARP on the DNS server side. Unworkable on normal servers or for normal home users. > > or: > > 2. Use a local DNS daemon on every server with forwarders configured > to the network's nameservers, and fix resolv.conf to 127.0.0.1. > ----- > > (I've since learned that nscd can be a third option) > >> >nscd is ... bad > > I've since learned more about nscd. Apparently its reputation may be > undeserved, at least the newer versions in glibc. I have no direct > experience, but I finally found a good thread about fixing the stub > resolver that addresses people's unwillingness to use nscd as well as > some other things that could be done, such as a patch apparently > carried by Debian and Ubuntu that improves detection of changes to > resolv.conf: > > https://sourceware.org/ml/libc-alpha/2012-12/msg00416.html I've never understood why something like nscd is even worth trying to support. There's a simple, well specified protocol that program can use to talk to a DNS resolver. It's called DNS. Why try to shoehorn it into something else when all you're likely to do is come up with a poor imitation of what you get by sending DNS queries over DNS to a local resolver? I'm sure it would be possible to improve/rewrite nscd, but at best you'll match the quality of something like unbound. And you'll never be compatible with all the third-party resolver clients out there. --Andy -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
