[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Rodney Joffe rjoffe at centergate.com
Fri Jul 14 02:27:24 UTC 2006

Hey Brad,

Jeroen has already responded to this. But I will step in and expand  
on a couple of items, and then follow up with a response to your next  
note, relating to UltraDNS...

First, I sense a pattern to your comments...

On Jul 12, 2006, at 7:05 PM, Brad Knowles wrote:

> At 8:34 AM -0700 2006-07-12, Rodney Joffe wrote:
> >>  I believe so. Could you perhaps expand on your belief that a pure anycast
> >>  TLD implementation is evil?
> Based solely on the problems I've heard reported by people who have  
> had issues with the domains operated by UltraDNS.  Maybe it was  
> NANOG, or some other list, but I definitely recall some problems  
> being reported that were related to routing issues resulting from  
> the anycast tricks being played, and which should have been  
> resolved if some non-anycast IP addresses were also made available  
> for that same zone.

You're making statements, and when asked to be specific, you cite  
second and third-hand information that you vaguely recall hearing  
somewhere or other as the basis for your initial statement, which was:

>> IIRC, OpenDNS is using anycast routing tricks, right?  Didn't we have
>> a knock-down, drag-out fight a while back over the evil that we've
>> seen happen with other pure-anycast TLD operators?  I mean, I know
>> that some of the root servers are doing anycast, but there are other
>> root servers that are pure unicast, and that should hopefully resolve
>> the routing weirdness issues for them.
>> Or am I mis-remembering things?

At the very least. Never mind, we'll get back to this. Moving on...

> >>  H'mmm. Perhaps you could explain how using two different AS's affects
> >>  anything at all operationally.
> Well, my understanding is that at the core level, routing is done  
> by AS, which is associated with one or more blocks of network  
> addresses. Different subnets could have their routing advertised by  
> being in different ASes, but only if the other networks are willing  
> to carry those advertisements based on the size of the affected  
> network.  This results in an effective limit on the smallest size  
> of subnet that you can advertise differing routes for, which  
> precludes you from taking two machines on the same subnet and yet  
> having different routes for them.

As has now been pointed out to you, ASNs don't work in this way. Nor  
does BGP. In fact, your last statement completely stumps me, mainly  
because of your confusion regarding the use of the word "subnet"  
which we'll get to shortly. However...

> >>                                 And what "appear" means in operational
> >>  terms or effect? Please also use and as a
> >>  working example, and describe the effects of separate AS's on those
> >>  2 addresses. And perhaps how it would differ between and
> I can't use those addresses, because the ones that OpenDNS is  
> advertising for their recursive resolvers are and  
>  Try doing pings and traceroutes to these two IP  
> addresses yourself, and see if you get exactly the same route to  
> both, with RTTs in the same ballpark, etc....  That is what happens  
> for me.

I'm not sure why you can't use those addresses to explain your  
understanding of the issue. It has nothing to do with traceroute or  
ping, but to follow up on your response:

If OpenDNS announced each /24 from a different AS into the same  
network connections, why/how would that make any difference to their  
path, or latency or route?

Conversely, if you traceroute to and, which  
have exactly the same origin AS, are you claiming they would have the  
same path from your cable modem? Would you mind pasting your  
traceroutes to those two ip addresses here?

> If the route is the same, then there is no redundancy which would  
> help guarantee continued service if the routing tables were to get  
> hosed for that one AS.

Could you explain how an *AS* gets hosed in the "routing table"?

>>  Also could you define "the same subnet"?
> At this level, having precisely the same route between me and them,  
> including the exact same final-but-one hop into the actual network  
> operated by OpenDNS.  Internally, there may be switching or hubbing  
> that is going on that is not externally visible, but that's what  
> I'm seeing.

Ahhhh. I begin to see the light...

 From my location:

rjoffe$ lft

Tracing ...........T

Hop LFT trace to pdns3.ultradns.org (
1  host ( 1.4ms
2  s9-1-0-1--0.gw02.phnx.eli.net ( 5.2ms
3  so-4-0-1--0.cr01.phnx.eli.net ( 51.4ms
4  pos10-0.cr01.lsan.eli.net ( 12.5ms
5  p9-0.cr02.sntd.eli.net ( 21.5ms
6  so-0-0-0--0.er02.plal.eli.net ( 23.0ms
7  ge1-1-0.103-100m.ar2.pao2.gblx.net ( 30.9ms
8  so2-1-0-2488m.ar1.sjc2.gblx.net ( 26.5ms
9 ( 26.0ms
10  [target] pdns3.ultradns.org ( 25.7ms


rjoffe$ lft

Tracing ...........T

Hop LFT trace to pdns6.ultradns.co.uk (
1   host ( 2.0ms
2  s9-1-0-1--0.gw02.phnx.eli.net ( 6.6ms
3  so-4-0-1--0.cr01.phnx.eli.net ( 8.3ms
4  pos10-0.cr01.lsan.eli.net ( 12.9ms
5  p9-0.cr02.sntd.eli.net ( 28.4ms
6  so-0-0-0--0.er02.plal.eli.net ( 22.6ms
7  ge1-1-0.103-100m.ar2.pao2.gblx.net ( 23.1ms
8  so2-1-0-2488m.ar1.sjc2.gblx.net ( 46.1ms
9 ( 25.8ms
10  [target] pdns6.ultradns.co.uk ( 25.3ms

By your definition, technically, and are on  
the same subnet? OK. I think I begin to see where the challenges are.

> If you run example.com, and you want to advertise yourself as a  
> world expert on DNS and DNS services, don't you think that you'd  
> want your own nameservices to be under the same example.com, so  
> that it looks like you're eating your own dog food?

Oh, you mean, like:

rjoffe$ dig vix.com ns

; <<>> DiG 9.2.2 <<>> vix.com ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30623
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;vix.com.                       IN      NS

vix.com.                697     IN      NS      ns-ext.isc.org.
vix.com.                697     IN      NS      ns.sql1.vix.com.
vix.com.                697     IN      NS      ns.lah1.vix.com.
vix.com.                697     IN      NS      ns1.gnac.com.

rjoffe$ dig verisign.net ns

; <<>> DiG 9.2.2 <<>> verisign.net ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5505
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;verisign.net.                  IN      NS

verisign.net.           172271  IN      NS      ns1.crsnic.net.
verisign.net.           172271  IN      NS      bay-w1- 
verisign.net.           172271  IN      NS      goldengate-w2- 


rjoffe$ dig ripe.net ns

; <<>> DiG 9.2.2 <<>> ripe.net ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55523
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 10

;ripe.net.                      IN      NS

ripe.net.               166666  IN      NS      ns-ext.isc.org.
ripe.net.               166666  IN      NS      ns-pri.ripe.net.
ripe.net.               166666  IN      NS      sec3.apnic.net.
ripe.net.               166666  IN      NS      sunic.sunet.se.
ripe.net.               166666  IN      NS      ns3.nic.fr.

Well, maybe a stretch. I'm not sure that it indicates clue, one way  
or the other.
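The two LFT traces above make Rodney's point: two targets can share every transit hop and still sit in different prefixes, so "same path" says nothing about "same subnet". The following script is an added example, not code from the original message or from UltraDNS/OpenDNS. It parses LFT-style output, compares the transit hops of two traces, and separately computes how many leading bits the two target addresses share. The hop names follow the traces in the message; the IP addresses are constructed placeholders from the documentation ranges, because the archived message has the real ones elided.

```python
"""Compare two traceroute paths and test whether the targets share a subnet.

Added example, not code from the original post. Hop names follow the LFT
output in the message; the addresses are constructed placeholders because
the archived message has the real ones elided.
"""
import ipaddress
import re

# Constructed LFT-style traces: identical transit hops, targets in different /24s.
TRACE_PDNS3 = """\
 1  host (192.0.2.1) 1.4ms
 2  s9-1-0-1--0.gw02.phnx.eli.net (10.1.0.2) 5.2ms
 3  so-4-0-1--0.cr01.phnx.eli.net (10.1.0.3) 51.4ms
 4  pos10-0.cr01.lsan.eli.net (10.1.0.4) 12.5ms
 5  (10.1.0.5) 26.0ms
 6  [target] pdns3.ultradns.org (198.51.100.10) 25.7ms
"""

TRACE_PDNS6 = """\
 1  host (192.0.2.1) 2.0ms
 2  s9-1-0-1--0.gw02.phnx.eli.net (10.1.0.2) 6.6ms
 3  so-4-0-1--0.cr01.phnx.eli.net (10.1.0.3) 8.3ms
 4  pos10-0.cr01.lsan.eli.net (10.1.0.4) 12.9ms
 5  (10.1.0.5) 25.8ms
 6  [target] pdns6.ultradns.co.uk (203.0.113.10) 25.3ms
"""

# hop number, optional "[target]" tag, optional hostname (LFT omits it when
# reverse DNS fails), the address in parentheses, and the RTT in ms
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:\[target\]\s+)?(?:(\S+)\s+)?\(([\d.]+)\)\s+([\d.]+)ms"
)


def parse_hops(trace):
    """Return a list of (hop, hostname or None, address, rtt_ms) tuples."""
    hops = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3), float(m.group(4))))
    return hops


def transit_path(hops):
    """Every router before the final (target) hop, as (hostname, address) pairs."""
    return [(name, addr) for _, name, addr, _ in hops[:-1]]


def same_transit_path(trace_a, trace_b):
    """True when both traces traverse exactly the same routers before the target."""
    return transit_path(parse_hops(trace_a)) == transit_path(parse_hops(trace_b))


def common_prefix_len(addr_a, addr_b):
    """Number of leading bits two IPv4 addresses share (longest enclosing prefix)."""
    diff = int(ipaddress.IPv4Address(addr_a)) ^ int(ipaddress.IPv4Address(addr_b))
    return 32 - diff.bit_length()


def same_subnet(addr_a, addr_b, prefixlen):
    """True when both addresses fall inside one /prefixlen network."""
    return common_prefix_len(addr_a, addr_b) >= prefixlen


def compare(trace_a, trace_b, prefixlen=24):
    """Summarise the two things the thread conflates: shared path vs. shared subnet."""
    target_a = parse_hops(trace_a)[-1][2]
    target_b = parse_hops(trace_b)[-1][2]
    return {
        "same_transit_path": same_transit_path(trace_a, trace_b),
        "common_prefix_bits": common_prefix_len(target_a, target_b),
        "same_subnet": same_subnet(target_a, target_b, prefixlen),
    }


if __name__ == "__main__":
    print(compare(TRACE_PDNS3, TRACE_PDNS6))
```

For the constructed traces the result is `same_transit_path: True` with only 4 common leading bits between the targets, i.e. not the same /24: a shared final-but-one hop shows that the two prefixes are reachable through the same upstream, not that they are one subnet or one origin AS.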

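The "eating your own dog food" exchange turns on how many of a zone's nameservers live inside the zone itself versus at other operators. The script below is an added example, not code from the original message; it parses the answer section of `dig ZONE ns`, splits the NS set into in-zone names (which need glue at the parent) and external ones, and estimates operator diversity. The dig answer lines are copied from the vix.com and ripe.net lookups above; the two-label "operator domain" heuristic is this example's own simplification and is labelled as such in the code.

```python
"""Classify a zone's NS set as in-zone or external, from dig output.

Added example, not code from the original post. The answer-section lines are
copied from the message; the operator heuristic is this example's assumption.
"""
import re

DIG_VIX = """\
vix.com.                697     IN      NS      ns-ext.isc.org.
vix.com.                697     IN      NS      ns.sql1.vix.com.
vix.com.                697     IN      NS      ns.lah1.vix.com.
vix.com.                697     IN      NS      ns1.gnac.com.
"""

DIG_RIPE = """\
ripe.net.               166666  IN      NS      ns-ext.isc.org.
ripe.net.               166666  IN      NS      ns-pri.ripe.net.
ripe.net.               166666  IN      NS      sec3.apnic.net.
ripe.net.               166666  IN      NS      sunic.sunet.se.
ripe.net.               166666  IN      NS      ns3.nic.fr.
"""

# owner, TTL, class, type, target; the ";zone. IN NS" question line has no TTL
# and so does not match, nor do the ";; ..." header lines
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns(dig_output):
    """Return (zone, [nameserver, ...]) from the answer section of `dig ZONE ns`."""
    zone, servers = None, []
    for line in dig_output.splitlines():
        m = NS_RE.match(line)
        if not m:
            continue
        owner = m.group(1).lower().rstrip(".")
        ns = m.group(2).lower().rstrip(".")
        if zone is None:
            zone = owner
        elif owner != zone:
            raise ValueError(f"mixed owners in answer: {zone} vs {owner}")
        servers.append(ns)
    if zone is None:
        raise ValueError("no NS records found")
    return zone, servers


def in_zone(zone, ns):
    """True when the nameserver name is at or below the zone apex (needs glue)."""
    return ns == zone or ns.endswith("." + zone)


def classify(dig_output):
    """Split the NS set into names inside the zone and names hosted elsewhere."""
    zone, servers = parse_ns(dig_output)
    return {
        "zone": zone,
        "in_zone": [ns for ns in servers if in_zone(zone, ns)],
        "external": [ns for ns in servers if not in_zone(zone, ns)],
    }


def operator_domains(servers):
    """Approximate each nameserver's operator by its last two labels.

    Assumption of this example only: two labels suffice for .com/.net/.org/.se/.fr.
    It under-counts names under ccSLDs (pdns6.ultradns.co.uk would collapse to
    co.uk); use the Public Suffix List for anything beyond a quick look.
    """
    return sorted({".".join(ns.split(".")[-2:]) for ns in servers})


def dogfood_ratio(dig_output):
    """Fraction of the NS set that lives inside the zone it serves."""
    c = classify(dig_output)
    return len(c["in_zone"]) / (len(c["in_zone"]) + len(c["external"]))


if __name__ == "__main__":
    for output in (DIG_VIX, DIG_RIPE):
        c = classify(output)
        print(c["zone"], c, operator_domains(parse_ns(output)[1]))
```

On the page's own data vix.com has half its NS set in-zone and ripe.net one of five, with the remaining four spread over four other operators. Neither number by itself indicates clue, as Rodney says; what it does show is that an all-in-zone NS set concentrates failure (one registrar glue error or one operator outage takes every server down), which is the operational reason the large zones above mix in external secondaries.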