[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

John Payne john at sackheads.org
Fri Jul 14 03:02:32 UTC 2006


On Jul 13, 2006, at 10:53 PM, Nicholas Suan wrote:

> On 7/13/06, Rodney Joffe <rjoffe at centergate.com> wrote:
>
>>> Right, but when the cluster nearest to you is broken and the
>>> routing table forces all your packets to that IP address to be
>>> delivered to that cluster, then all zones served by UltraDNS are
>>> broken, at least as far as you can tell.
>>
>> H'mmm. I'm interested in what form of routing foo you're apparently
>> aware of that would allow packets from you to a specific IP address
>> to *ever* go to a different location when the "closest" location to
>> you is broken, but the route still exists. Could you share? And how
>> that relates to "all zones served by UltraDNS are broken, at least as
>> far as you can tell"? What do zones have to do with clusters, or  
>> routes?
>>
>
> Who says there's any routing-fu involved? In the root zone, (I use it
> as an example since some of the nodes are anycasted) if one server
> times out, it's no problem for a resolver to go and check another
> instance of the root, which will most likely be located someplace that
> isn't malfunctioning. This was not the case with UltraDNS, as both IP
> addresses in the NS records for org. were anycasted.

OK... this is tiring now.  Why do you think things are any different  
now?

There definitely seems to be some confusion here.

From an _outsider's_ point of view, what appeared to happen is two
UltraDNS pods in Virginia had a problem answering queries, but still
continued advertising their routes.

Now, how is this ANY different to a unicasted pod having problems  
answering queries?

(I'll give you a clue... the only difference is that with anycast,  
only those "close" to the failing pods were affected, everyone else  
in the world had no problem at all).

Again, from an outsider's point of view, the problem I saw when the
now infamous incident occurred was that UltraDNS only had two NS  
records for .org, so recursers only had 2 choices, and so 2 failures  
would have some impact.  This is no longer the case.
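
The failure mode argued over in this message, as a small model added here (it is not part of the original post or anyone's production setup): pods that stop answering but keep advertising their routes, seen by recursors behind an anycast NS set, a unicast NS set, and a larger NS set. The regions, pod names, NS labels and the third NS record are constructed assumptions.

```python
# Constructed topology: region, pod and NS names are illustrative, not UltraDNS's.
REGIONS = ["us-east", "us-west", "europe", "asia"]

# Pods that time out on every query but keep advertising their routes.
BROKEN = {"va-pod-1", "va-pod-2"}

def anycast(nearest):
    """NS address announced from several pods; routing picks the nearest one."""
    return lambda region: nearest[region]

def unicast(pod):
    """NS address served from a single pod for every client."""
    return lambda region: pod

def resolves(ns_set, region):
    """A recursor retries across the NS set; it fails only if all time out."""
    return any(route(region) not in BROKEN for route in ns_set.values())

def affected(ns_set):
    """Regions whose recursors cannot get an answer from any listed NS."""
    return [r for r in REGIONS if not resolves(ns_set, r)]

two_anycast = {
    "ns1": anycast({"us-east": "va-pod-1", "us-west": "ca-pod-1",
                    "europe": "uk-pod-1", "asia": "jp-pod-1"}),
    "ns2": anycast({"us-east": "va-pod-2", "us-west": "ca-pod-2",
                    "europe": "uk-pod-2", "asia": "jp-pod-2"}),
}
two_unicast = {"ns1": unicast("va-pod-1"), "ns2": unicast("va-pod-2")}
# Assumption: a third NS whose address is not routed to the Virginia pods.
three_ns = dict(two_anycast,
                ns3=anycast({"us-east": "ny-pod-1", "us-west": "ca-pod-3",
                             "europe": "de-pod-1", "asia": "sg-pod-1"}))

if __name__ == "__main__":
    for name, ns_set in [("two anycast NS", two_anycast),
                         ("two unicast NS", two_unicast),
                         ("three NS", three_ns)]:
        print(f"{name}: affected regions = {affected(ns_set)}")
```
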