[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
brad at stop.mail-abuse.org
Thu Jul 13 02:05:30 UTC 2006
At 8:34 AM -0700 2006-07-12, Rodney Joffe wrote:
> I believe so. Could you perhaps expand on your belief that a pure anycast
> TLD implementation is evil?
Based solely on the problems I've heard reported by people who have
had issues with the domains operated by UltraDNS. Maybe it was
NANOG, or some other list, but I definitely recall some problems
being reported that were related to routing issues resulting from the
anycast tricks being played, and which should have been resolved if
some non-anycast IP addresses were also made available for that same
> H'mmm. Perhaps you could explain how using two different AS's affects
> anything at all operationally.
Well, my understanding is that at the core level, routing is done by
AS, which is associated with one or more blocks of network addresses.
Different subnets could have their routing advertised by being in
different ASes, but only if the other networks are willing to carry
those advertisements based on the size of the affected network. This
results in an effective limit on the smallest size of subnet that you
can advertised differing routes for, which precludes you from taking
two machines on the same subnet and yet having different routes for
> And what "appear" means in operational
> terms or effect? Please also use 126.96.36.199 and 188.8.131.52 as a
> working example, and describe the effects of separate AS's on those
> 2 addresses. And perhaps how it would differ between 184.108.40.206 and
I can't use those addresses, because the ones that OpenDNS is
advertising for their recursive resolvers are 220.127.116.11 and
18.104.22.168. Try doing pings and traceroutes to these two IP
addresses yourself, and see if you get exactly the same route to
both, with RTTs in the same ballpart, etc.... That is what happens
If the route is the same, then there is no redundancy which would
help guarantee continued service if the routing tables were to get
hosed for that one AS.
> Also could you define "the same subnet"?
At this level, having precisely the same route between me and them,
including the exact same final-but-one hop into the actual network
operated by OpenDNS. Internally, there may be switching or hubbing
that is going on that is not externally visible, but that's what I'm
> H'mmm again. ..."something they'd want to have within their own domain?"
> Could you be more specific? What do you mean? And why?
If you run example.com, and you want to advertise yourself as a world
expert on DNS and DNS services, don't you think that you'd want your
own nameservices to be under the same example.com, so that it looks
like you're eating your own dog food?
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
Founding Individual Sponsor of LOPSA. See <http://www.lopsa.org/>.
More information about the dns-operations