host name resolution, again (krb5-1.3-alpha1 is available)

Russ Allbery rra at stanford.edu
Sun Mar 16 17:03:29 EST 2003


Sam Hartman <hartmans at mit.edu> writes:

> In my opinion the correct way to do clustering is to return a CNAME to
> the cluster address not an A record.  I believe this can be made to
> work.

Yes, this is the way that lbnamed always worked originally.

There was a reason why we stopped doing that for at least some services,
though.  The load-balanced DNS records are returned with a 0 TTL, so that
on the next connect the client will always ask the DNS server again;
otherwise, the load distribution can be too bursty for some services.  But
several versions of BIND decided that 0 TTL CNAMEs were some sort of
security problem or protocol violation or something (even though I've
never seen any actual standards language to support that) and started
rejecting them.  Suddenly, lots of people couldn't get to
www.stanford.edu.

We therefore now hand out 0 TTL A records directly instead of 0 TTL CNAMEs
in some circumstances.

I believe that this bug has been fixed in newer versions of BIND, so
hopefully after a few more widely-publicized security holes, it will cease
to be relevant.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
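The two lbnamed answer styles discussed above (a 0 TTL CNAME pointing at the cluster name versus a 0 TTL A record handed out directly), written out in DNS wire format with a stub-resolver cache that shows why the TTL matters. This is an added example, not lbnamed's, BIND's or Stanford's code; the names and the 192.0.2.0/24 addresses are constructed for illustration, and the "server" is simulated as a simple rotation over the member addresses.

```python
"""Added example: lbnamed-style answers in RFC 1035 wire format plus a TTL-honouring
stub cache.  Not lbnamed's or BIND's code; names and addresses are constructed."""
import itertools
import struct

QTYPE_A, QTYPE_CNAME, QCLASS_IN = 1, 5, 1
# Constructed: the public alias, the cluster name it points at, and the members.
ALIAS = "www.example.org."
CLUSTER = "www-cluster.example.org."
MEMBERS = ["192.0.2.10", "192.0.2.11"]


def encode_name(name):
    """RFC 1035 label encoding (no compression pointers; fine for a stand-alone RRset)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def encode_rr(name, rtype, ttl, rdata):
    """NAME TYPE CLASS TTL RDLENGTH RDATA; the 32-bit TTL is the field under discussion."""
    return encode_name(name) + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def cname_style_answer(ip, ttl):
    """Original lbnamed style: alias -> CNAME cluster name, plus the cluster's A record."""
    return (encode_rr(ALIAS, QTYPE_CNAME, ttl, encode_name(CLUSTER))
            + encode_rr(CLUSTER, QTYPE_A, ttl, a_rdata(ip)))


def a_style_answer(ip, ttl):
    """Later style: hand out an A record for the alias directly."""
    return encode_rr(ALIAS, QTYPE_A, ttl, a_rdata(ip))


def parse_answer(buf):
    """Parse a concatenated answer section into (owner, type, ttl, value) tuples."""
    rrs, off = [], 0
    while off < len(buf):
        owner, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_CNAME:
            value, _ = decode_name(rdata, 0)
        else:
            value = rdata.hex()
        rrs.append((owner, rtype, ttl, value))
    return rrs


def follow_chain(rrs, name, max_hops=8):
    """Walk CNAMEs to an A record.  The usable TTL is the minimum along the chain, so a
    0 TTL CNAME forces a fresh lookup even if the target A record carries a long TTL."""
    cur, ttl_min = name.lower(), None
    for _ in range(max_hops):
        for owner, rtype, ttl, value in rrs:
            if owner.lower() != cur:
                continue
            ttl_min = ttl if ttl_min is None else min(ttl_min, ttl)
            if rtype == QTYPE_CNAME:
                cur = value.lower()
                break
            if rtype == QTYPE_A:
                return value, ttl_min
        else:
            raise LookupError("no A or CNAME record for %s" % cur)
    raise LookupError("CNAME chain too long")


def simulate(style, ttl, connects):
    """Run `connects` client connections (one per second) against a simulated server that
    rotates MEMBERS on every query.  Returns (addresses used, DNS queries actually sent)."""
    build = cname_style_answer if style == "cname" else a_style_answer
    rotation = itertools.cycle(MEMBERS)
    cache, queries, used = {}, 0, []
    for now in range(connects):
        ip, expires = cache.get(ALIAS, (None, 0))
        if ip is None or expires <= now:  # a TTL of 0 never yields expires > now, so never caches
            queries += 1
            ip, chain_ttl = follow_chain(parse_answer(build(next(rotation), ttl)), ALIAS)
            if chain_ttl > 0:
                cache[ALIAS] = (ip, now + chain_ttl)
        used.append(ip)
    return used, queries
```

With a TTL of 0 every connect goes back to the server and the client walks through the members in turn; with a non-zero TTL the first answer is reused until it expires, which is the burstiness the message describes. The chain walk also shows the property that made the CNAME form attractive: a 0 TTL on the CNAME alone is enough to defeat caching of the whole alias, whatever the A record says.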

