[34047] in North American Network Operators' Group
Re: How common is lack of DNS server diversity?
daemon@ATHENA.MIT.EDU (Tony Rall)
Sat Jan 27 14:20:34 2001
To: Shawn McMahon <smcmahon@eiv.com>
Cc: nanog@merit.edu
Message-ID: <OF015ADF12.B8647026-ON882569E1.0067E9E7@LocalDomain>
From: "Tony Rall" <trall@almaden.ibm.com>
Date: Sat, 27 Jan 2001 11:13:11 -0800
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu
>Then it probably doesn't matter if you resolve their DNS, because you
won't be
>getting to any of their services anyway.
Several folks have mentioned that they don't see a problem with dns failure
caused by an inability to reach all of the nameservers for a domain -
because presumably clients won't be able to reach any of the hosts in that
domain.
First, as we've seen demonstrated so clearly in the Microsoft case this
week, nameserver unreachability does not always imply unreachability of the
hosts in the domain.
Second (and even if all of the hosts are truly unreachable), there is one
somewhat important service that has a markedly different failure mode if
the server appears to not exist - email (smtp).  Folks sending mail to a
domain that doesn't resolve usually get an immediate "delivery failure"
response.  But those sending to a resolvable domain when the target mail
server is simply unreachable get their mail queued.  It will typically get
retried by the mail system for a few days.  Only after such a long outage
of the target will a delivery failure occur.  (One somewhat ugly side
effect of the dns outage is that some mailing lists will remove the user
from their list when a delivery failure occurs.  Not good to have to
explain this to your users.)
I lived through both situations (dns plus entire domain unreachable, and
the domain unreachable but dns still works); I much prefer the results with
a diverse dns setup.
Tony Rall