Skip to main content
KBY Technologies Logo
cd ../lexicon
sys/docs/lexicon/split-brain-condition.md
Lexicon Entry

Split-Brain Condition

A failure mode where a network partition or stall causes two disjoint node groups to each believe they hold exclusive write authority, producing divergent, unreconciled state.

Practical example

In a Raft-based cluster, a leader experiences a long GC pause exceeding the election timeout. The majority partition elects a new leader with a higher term. The paused leader resumes and, unaware of the new term, keeps accepting client writes. Without monotonic epoch checks on the storage layer, both leaders' writes could be persisted, corrupting the dataset until reconciliation.

Split-brain is not itself a bug in a consensus protocol; it is what happens in the gap between a leader losing its lease/quorum and that leader actually stopping work. Every leader-election scheme (Raft, ZAB, Paxos-based epoch changes) guarantees that at most one node can be elected leader for a given term, but election correctness says nothing about whether the old leader has physically halted. If the deposed leader is merely partitioned rather than crashed, it may continue accepting writes under a stale term/epoch while a new leader is simultaneously elected on the majority side. Both sides now believe they are authoritative — hence the term.

The classic triggers are asymmetric network partitions, GC pauses or hypervisor stalls that exceed the failure detector’s timeout without killing the process, and misconfigured multi-datacenter deployments where inter-DC links flap. Unlike a clean crash-stop failure, split-brain is insidious specifically because the isolated node is still alive and servicing requests — it just can’t see the rest of the cluster, and clients on its side of the partition get no error signaling divergence until reconciliation.

Mitigation strategies operate at different layers of the stack:

  • Quorum enforcement — any write path must confirm majority acknowledgment (not just local commit) before being considered durable, which is why minority-side nodes should self-demote rather than continue serving.
  • Fencing / STONITH — physically or logically cutting off the old leader’s ability to touch shared resources (disk, network) once a new epoch is declared, independent of whether the old leader acknowledges the demotion.
  • Monotonic epoch tokens attached to every write, rejected by downstream storage if a lower epoch is presented, which prevents the stale leader from corrupting state even if it doesn’t know it’s stale.
  • Lease-based authority with conservative TTLs shorter than the failure detector’s suspicion window, so authority expires before a new leader could plausibly be elected.

The architectural consequence is that any component granting exclusive authority — locks, primary-replica designations, distributed cron schedulers — must treat ‘I was elected’ and ‘I am still authorized’ as two separate, continuously re-verified facts. Systems that conflate them (e.g., a leader that caches its leadership status indefinitely after election) are structurally vulnerable to split-brain regardless of how sound their underlying consensus algorithm is. This is why production-grade coordination layers (etcd, Consul, ZooKeeper) expose session-bound leases rather than static ‘leader flags’ — the lease’s expiry is the actual safety mechanism, not the election result itself.