[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Brad Knowles brad at stop.mail-abuse.org
Thu Jul 13 02:05:30 UTC 2006


At 8:34 AM -0700 2006-07-12, Rodney Joffe wrote:

>  I believe so. Could you perhaps expand on your belief that a pure anycast
>  TLD implementation is evil?

Based solely on the problems I've heard reported by people who have 
had issues with the domains operated by UltraDNS.  Maybe it was 
NANOG, or some other list, but I definitely recall some problems 
being reported that were related to routing issues resulting from the 
anycast tricks being played, and which should have been resolved if 
some non-anycast IP addresses were also made available for that same 
zone.

>  H'mmm. Perhaps you could explain how using two different AS's affects
>  anything at all operationally.

Well, my understanding is that at the core level, routing is done by 
AS, which is associated with one or more blocks of network addresses. 
Different subnets could have their routing advertised by being in 
different ASes, but only if the other networks are willing to carry 
those advertisements based on the size of the affected network.  This 
results in an effective limit on the smallest size of subnet that you 
can advertise differing routes for, which precludes you from taking 
two machines on the same subnet and yet having different routes for 
them.

>                                 And what "appear" means in operational
>  terms or effect? Please also use 204.74.112.1 and 199.7.66.1 as a
>  working example, and describe the effects of separate AS's on those
>  2 addresses. And perhaps how it would differ between 204.74.112.1 and
>  204.74.113.1?

I can't use those addresses, because the ones that OpenDNS is 
advertising for their recursive resolvers are 208.67.222.222 and 
208.67.220.220.  Try doing pings and traceroutes to these two IP 
addresses yourself, and see if you get exactly the same route to 
both, with RTTs in the same ballpark, etc....  That is what happens 
for me.

If the route is the same, then there is no redundancy which would 
help guarantee continued service if the routing tables were to get 
hosed for that one AS.

>  Also could you define "the same subnet"?

At this level, having precisely the same route between me and them, 
including the exact same final-but-one hop into the actual network 
operated by OpenDNS.  Internally, there may be switching or hubbing 
that is going on that is not externally visible, but that's what I'm 
seeing.

>  H'mmm again. ..."something they'd want to have within their own domain?"
>  Could you be more specific? What do you mean? And why?

If you run example.com, and you want to advertise yourself as a world 
expert on DNS and DNS services, don't you think that you'd want your 
own nameservices to be under the same example.com, so that it looks 
like you're eating your own dog food?

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  Founding Individual Sponsor of LOPSA.  See <http://www.lopsa.org/>.
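A worked version of the traceroute comparison the post suggests, added here as an example and not part of the original message: it parses two traceroute outputs and reports how many leading hops the paths share and whether the final-but-one hop is the same. The sample output is constructed (intermediate hops use RFC 5737 documentation ranges) and the hop layout assumed is the common Unix traceroute format.

```python
import re
HOP_RE = re.compile(r"^\s*(\d+)\s+(\*|\d+\.\d+\.\d+\.\d+)")
RTT_RE = re.compile(r"([\d.]+) ms")

# Constructed sample traceroute output for the two resolver addresses
# named in the post; intermediate hops use RFC 5737 documentation ranges
# and do not reflect any real path.
TRACE_A = """traceroute to 208.67.222.222 (208.67.222.222), 30 hops max
 1  192.0.2.1  1.2 ms  1.1 ms  1.0 ms
 2  198.51.100.9  8.4 ms  8.1 ms  8.6 ms
 3  203.0.113.17  21.0 ms  20.7 ms  21.3 ms
 4  203.0.113.254  22.9 ms  23.1 ms  22.8 ms
 5  208.67.222.222  23.5 ms  23.2 ms  23.9 ms
"""
TRACE_B = """traceroute to 208.67.220.220 (208.67.220.220), 30 hops max
 1  192.0.2.1  1.3 ms  1.0 ms  1.1 ms
 2  198.51.100.9  8.2 ms  8.5 ms  8.3 ms
 3  203.0.113.17  20.9 ms  21.1 ms  20.8 ms
 4  203.0.113.254  23.0 ms  22.7 ms  23.2 ms
 5  208.67.220.220  23.7 ms  23.4 ms  23.6 ms
"""

def parse_hops(trace):
    """Return [(hop_number, ip_or_None, median_rtt_ms_or_None), ...]."""
    hops = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or unparseable output
        ip = None if m.group(2) == "*" else m.group(2)
        rtts = sorted(float(x) for x in RTT_RE.findall(line))
        median = rtts[len(rtts) // 2] if rtts else None
        hops.append((int(m.group(1)), ip, median))
    return hops

def compare_paths(trace_a, trace_b):
    """Count the leading hops both paths share and check whether the
    final-but-one hop (entry into the destination network) is the same.
    A timed-out hop ('*') ends the shared prefix: it cannot be compared."""
    a, b = parse_hops(trace_a), parse_hops(trace_b)
    shared = 0
    for (_, ip_a, _), (_, ip_b, _) in zip(a, b):
        if ip_a is None or ip_a != ip_b:
            break
        shared += 1
    pen_a = a[-2][1] if len(a) >= 2 else None
    pen_b = b[-2][1] if len(b) >= 2 else None
    return {"shared_prefix_hops": shared,
            "same_penultimate_hop": pen_a is not None and pen_a == pen_b,
            "final_rtt_ms": (a[-1][2] if a else None, b[-1][2] if b else None)}
```

When `same_penultimate_hop` is true for both resolver addresses, the two paths offer no routing diversity in the sense the post describes; a diverging path shows a shorter shared prefix and a different final-but-one hop.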
