[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
Rodney Joffe
rjoffe at centergate.com
Fri Jul 14 02:30:11 UTC 2006
On Jul 13, 2006, at 4:12 PM, Brad Knowles wrote:
> At 9:07 AM +0200 2006-07-13, Jeroen Massar wrote:
>
>> The only problems reported with the UltraDNS setup were that at
>> certain points one of the various clusters got broken. But then you only
>> have 1 broken cluster out of maybe 5 visible ones, see below.
>
> Right, but when the cluster nearest to you is broken and the
> routing table forces all your packets to that IP address to be
> delivered to that cluster, then all zones served by UltraDNS are
> broken, at least as far as you can tell.
H'mmm. I'm interested in what form of routing foo you're apparently
aware of that would allow packets from you to a specific IP address
to *ever* go to a different location when the "closest" location to
you is broken, but the route still exists. Could you share? And how
that relates to "all zones served by UltraDNS are broken, at least as
far as you can tell"? What do zones have to do with clusters, or routes?
>
> You don't have this issue with the root zone, because although f
> and k might be anycast, there are other servers that are unicast
> only, so even if your closest f and/or k cluster might be broken,
> you should still be able to get to one of the other eleven machines
> listed as root nameservers.
What does anycast or unicast have to do with the other eleven
"machines" being reachable?
>
>
> This is a much bigger problem when you have only two advertised IP
> addresses for a given service, because if your nearest cluster is
> broken, then both of those IP addresses are likely to be routed to
> the same broken cluster, and then all of your recursive DNS service
> is going to get hosed.
Huh? How does having only two advertised IP addresses for a given
service get you to "both of those IP addresses are likely to be
routed to the same broken cluster, and then all of your recursive DNS
service is going to get hosed"? How do you make that assumption of
"likely"? Oh, maybe that's because your understanding of "subnet" and
how ASNs work is off kilter. And where did recursive come into this?
It almost looks like you've been hearing things second or third hand
again, and don't quite understand what is being said. Perhaps your
knowledge of issues was picked up by reading the NANOG archives, and
running across posts where someone saw some issues, but couldn't
actually supply any evidence, or explain why the 15 million other
domain holders had not seen the issue? Ahhh, yes, that seems to be
the case, based on your next email. OK, I'll handle that in my follow-up.
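The anycast failure mode argued over above (a nearest cluster that is broken but still announcing its prefix, versus a nameserver set that also has unicast-only members), as an added toy model that is not from the thread; the cluster names and TEST-NET nameserver addresses are constructed for illustration.

```python
# Added example (not from the list post): a toy model of the anycast failure
# mode argued over in the thread.  Cluster names and the nameserver addresses
# (TEST-NET ranges) are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Cluster:
    name: str
    healthy: bool = True     # answers queries correctly?
    announcing: bool = True  # still announces the prefix, i.e. the route still exists?

def route(client_pref, announcers, clusters):
    """Cluster a client's packet to one IP lands on: the most preferred site in
    the client's routing table that still announces the prefix.  A broken site
    that keeps announcing still attracts the packets; only a withdrawn
    announcement lets them reach another site."""
    for name in client_pref:
        if name in announcers and clusters[name].announcing:
            return name
    return None  # prefix withdrawn everywhere

def resolve(client_pref, ns_addrs, clusters):
    """Try each nameserver address of a zone in turn, as a resolver does on
    timeout; return the first one that reaches a healthy cluster."""
    for ip, announcers in ns_addrs.items():
        landed = route(client_pref, announcers, clusters)
        if landed is not None and clusters[landed].healthy:
            return ip
    return None  # every address lands on a broken cluster: the zone is dark

def scenarios():
    """Compare two NS sets from a client whose nearest anycast site, A, is broken."""
    anycast = {"A", "B", "C"}
    two_anycast = {"198.51.100.1": anycast, "198.51.100.2": anycast}  # same sites twice
    mixed = {"198.51.100.1": anycast, "203.0.113.1": {"U1"}, "203.0.113.2": {"U2"}}
    client_pref = ["A", "B", "C", "U1", "U2"]  # A is the client's closest site
    def clusters(a_announcing):
        cs = {n: Cluster(n) for n in client_pref}
        cs["A"] = Cluster("A", healthy=False, announcing=a_announcing)
        return cs
    return {
        "two_anycast_A_still_announcing": resolve(client_pref, two_anycast, clusters(True)),
        "mixed_A_still_announcing": resolve(client_pref, mixed, clusters(True)),
        "two_anycast_A_withdrawn": resolve(client_pref, two_anycast, clusters(False)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result or 'no reachable nameserver'}")
```

The model separates the two conditions the thread conflates: a cluster that fails but keeps announcing black-holes every address it announces, while a cluster that also withdraws its announcement lets the client's packets fall through to the next site.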