Sometimes when an owner has multiple A (or AAAA) records, recursive resolvers change the order in which a client receives them.
Does DNSSEC force them to be in the same order or is the order still subject to change and the whim of a recursive server?
What I am trying to do is set up fall-back IP addresses in case a particular IP address is offline, and trying to find a work-around for a lack of order preference (like MX records have) in A/AAAA records.
I use DNSSEC anyway and am *hoping* that means DNSSEC enforcing resolvers will preserve the order the records have coming from the authoritative server.
Thanks for suggestions.
No. DNS does not have "an order".
Indeed. Apart from record types which include a weight field (MX, SRV). Perhaps the author wants AAAA tried before A in case a "smart" resolver omits DNSSEC-unsigned responses?
This is orthogonal to the presence of DNSSEC in the zone, and is on the client side only.
So please specify your problem more precisely: is that a resolver/cache you control, zone, or both?
What I was hoping to have is a couple CDN nodes in North America, couple in Europe, etc. but configure the httpd on each CDN end-point to be able to handle requests for the others.
So nsd1 and nsd2 are both different nodes in North America.
If nsd1 goes down for whatever reason, the second A record would point users to the other node, thus providing both distribution of static content load and redundancy in case one goes down, with a system administrator needing to update the zone file until the problem recovers (which can take over an hour to propagate anyway).
I know A/AAAA records don't have priority like MX does, that would solve the problem. But I also know when multiple A records exist, clients tend to try in order. So I was hoping DNSSEC might have a side effect of keeping the order intact but it seems it doesn't.
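
Why DNSSEC cannot pin record order, as an added example that is not part of the original thread: RFC 4034 (section 6.3) has both signer and validator sort the RRset into canonical order before the signature is computed or checked, so every delivery order validates identically. The owner name, TTL and addresses below are constructed, and the RRSIG RDATA prefix and the signature itself are left out because record order does not affect them.

```python
import hashlib
import ipaddress
import struct

TYPE_A, CLASS_IN = 1, 1


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def signed_rrset_bytes(owner: str, ttl: int, addresses: list[str]) -> bytes:
    """RRset part of the RRSIG signature input (RFC 4034 section 3.1.8.1).

    Each RR is name | type | class | original TTL | RDLENGTH | RDATA, and the
    RRs are sorted by RDATA compared as unsigned octet strings (section 6.3).
    Duplicate records are dropped because an RRset cannot contain them.
    """
    rdatas = sorted({ipaddress.IPv4Address(a).packed for a in addresses})
    name = wire_name(owner)
    out = b""
    for rdata in rdatas:
        out += name + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def rrset_digest(owner: str, ttl: int, addresses: list[str]) -> str:
    """SHA-256 over the canonical RRset bytes, standing in for the signed hash."""
    return hashlib.sha256(signed_rrset_bytes(owner, ttl, addresses)).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the same two A records in the order the zone file
    # lists them and in the order a resolver happened to return them.
    as_published = ["192.0.2.10", "198.51.100.20"]
    as_delivered = ["198.51.100.20", "192.0.2.10"]
    d1 = rrset_digest("cdn.example.", 300, as_published)
    d2 = rrset_digest("cdn.example.", 300, as_delivered)
    print("published order:", d1)
    print("delivered order:", d2)
    print("validator sees the same signed data:", d1 == d2)
```

Since the signed data is identical for any permutation, a validating resolver has no way to detect or reject a reordered answer, which is why the fall-back has to be handled outside the A/AAAA record order.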