[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Rodney Joffe rjoffe at centergate.com
Fri Jul 14 02:30:11 UTC 2006


On Jul 13, 2006, at 4:12 PM, Brad Knowles wrote:

> At 9:07 AM +0200 2006-07-13, Jeroen Massar wrote:
>
>> The only problems reported with the UltraDNS setup were that at
>> certain points one of the various clusters got broken. But then you only
>> have 1 broken cluster out of maybe 5 visible ones, see below.
>
> Right, but when the cluster nearest to you is broken and the  
> routing table forces all your packets to that IP address to be  
> delivered to that cluster, then all zones served by UltraDNS are  
> broken, at least as far as you can tell.

H'mmm. I'm interested in what form of routing foo you're apparently  
aware of that would allow packets from you to a specific IP address  
to *ever* go to a different location when the "closest" location to  
you is broken, but the route still exists. Could you share? And how  
that relates to "all zones served by UltraDNS are broken, at least as  
far as you can tell"? What do zones have to do with clusters, or routes?

>
> You don't have this issue with the root zone, because although f  
> and k might be anycast, there are other servers that are unicast  
> only, so even if your closest f and/or k cluster might be broken,  
> you should still be able to get to one of the other eleven machines  
> listed as root nameservers.

What does anycast or unicast have to do with the other eleven  
"machines" being reachable?

>
>
> This is a much bigger problem when you have only two advertised IP  
> addresses for a given service, because if your nearest cluster is  
> broken, then both of those IP addresses are likely to be routed to  
> the same broken cluster, and then all of your recursive DNS service  
> is going to get hosed

Huh? How does having only two advertised IP addresses for a given  
service get you to "both of those IP addresses are likely to be  
routed to the same broken cluster, and then all of your recursive DNS  
service is going to get hosed"? How do you make that assumption of  
"likely"? Oh, maybe that's because your understanding of "subnet" and  
how ASNs work is off kilter. And where did recursive come in to this?

It almost looks like you've been hearing things second or third hand  
again, and don't quite understand what is being said. Perhaps your  
knowledge of issues was picked up by reading the NANOG archives, and  
running across posts where someone saw some issues, but couldn't  
actually supply any evidence, or explain why the 15 million other  
domain holders had not seen the issue? Ahhh, yes, that seems to be  
the case, based on your next email. OK, I'll handle that in my follow-up.
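The disagreement above is about what happens to queries when an anycast cluster is broken but its prefixes are still in the routing table. The toy model below is an added illustration, not code from anyone in this thread and not a description of UltraDNS or root-server deployments; cluster names, distances and the RFC 5737 documentation addresses are all constructed. It picks the nearest cluster that still announces an address's prefix (the BGP "closest" behaviour Rodney describes), and shows that a broken cluster that keeps announcing attracts every address it announces, while a broken cluster that withdraws its announcements, or an address announced only from a separate site, stays reachable.

```python
"""Toy anycast route-selection model (constructed data, not real deployments)."""

from dataclasses import dataclass


@dataclass
class Cluster:
    name: str
    prefixes: tuple                 # prefixes this cluster announces (constructed)
    healthy: bool = True
    withdraw_when_unhealthy: bool = False   # does a failed cluster stop announcing?

    def announces(self, prefix: str) -> bool:
        """A broken cluster still announces unless it is built to withdraw."""
        if prefix not in self.prefixes:
            return False
        if not self.healthy and self.withdraw_when_unhealthy:
            return False
        return True


def prefix_of(addr: str) -> str:
    """Toy longest-match: every address belongs to its /24."""
    return ".".join(addr.split(".")[:3]) + ".0/24"


def route(addr: str, clusters: list, distance: dict):
    """Nearest cluster still announcing addr's prefix, or None if nobody does."""
    candidates = [c for c in clusters if c.announces(prefix_of(addr))]
    if not candidates:
        return None
    return min(candidates, key=lambda c: distance[c.name])


def resolve(addr: str, clusters: list, distance: dict) -> bool:
    """True if a query to addr lands on a healthy server."""
    c = route(addr, clusters, distance)
    return c is not None and c.healthy


def service_reachable(addrs: tuple, clusters: list, distance: dict) -> dict:
    return {a: resolve(a, clusters, distance) for a in addrs}


# Constructed service: two anycast addresses in two prefixes, both announced
# from every anycast cluster, plus one address served from a single unicast site.
ANYCAST_ADDRS = ("192.0.2.53", "198.51.100.53")
UNICAST_ADDR = "203.0.113.53"


def build(withdraw_on_failure: bool):
    """Three anycast clusters; the nearest one is broken. Distances are made up."""
    anycast_prefixes = ("192.0.2.0/24", "198.51.100.0/24")
    clusters = [
        Cluster("near", anycast_prefixes, healthy=False,
                withdraw_when_unhealthy=withdraw_on_failure),
        Cluster("mid", anycast_prefixes),
        Cluster("far", anycast_prefixes),
        Cluster("unicast-site", ("203.0.113.0/24",)),
    ]
    distance = {"near": 1, "mid": 5, "far": 9, "unicast-site": 7}
    return clusters, distance


def outcome(withdraw_on_failure: bool) -> dict:
    """Reachability of each address from this vantage point."""
    clusters, distance = build(withdraw_on_failure)
    return service_reachable(ANYCAST_ADDRS + (UNICAST_ADDR,), clusters, distance)


if __name__ == "__main__":
    print("broken cluster keeps announcing:", outcome(False))
    print("broken cluster withdraws:       ", outcome(True))
```

The model says nothing about how many addresses a service advertises; what matters is which clusters announce each prefix and whether a failed cluster withdraws. Two addresses announced from the same set of clusters fail together when the nearest cluster stays in the table, and survive together when it withdraws.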
