[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Paul Vixie paul at vix.com
Fri Jul 14 05:54:18 UTC 2006

> i have enjoyed this list up until today but, i am now finding this thread
> tiring.  would it be too much trouble for those that wish to continue it to
> take the conversation private.

that's funny.  (i hope you meant it to be.)  this is entirely on-topic, and
i was just thinking, in the seconds before reading the above text, that it
was wonderful that there is finally a place on the net where this thread is
not off-topic (like it was on nanog, namedroppers, bind-users, and everywhere
else it has arisen over the years.)

the FUD around anycast-dns is both deep and wide.  when we started doing it
with f-root all kinds of hell broke loose -- in the community, that is -- and
i had to explain that m-root had been anycasting for years, and the only two
reasons nobody had noticed were (a) WIDE was very good at their job, and (b)
the two initial m-root anycast instances were in adjacent racks but talked to
different IX's.

as rodney has pointed out, there is no graph-theoretical nor any operational
difference between an anycasted netblock, vs. a multihomed netblock, vs a
wide-area backbone with multiple connections in multiple regions.  none.

i have in the past cast dire aspersions upon those who think dns anycast is
a way to do selective-response whereby different A RRset ordering will obtain
based on which node you hit, as if that was going to help "web" performance
at all.  but the basic technology of anycast is older than i am -- it was
already in use when i bootstrapped my way into an nsfnet connected network
back in 1988.  and there really is no difference between anycast and 
multihoming and backboning, if done correctly.

we all have horror stories.  someone here was telling one about how ultradns
once had only two NS RRs for .ORG and both were anycasted and so on.  well,
i have a story about how a computer's hard drive once smoked and took a whole
day of my work with it since no backup had been done since the night before--
and yet you will find me using a computer again, as if that risk was one i
could both live-with and manage.  my advice is, "get over it."  tell us about
a risk that can't be managed, or can't be lived with, or JSTFU.

(historians plz note, there was more than one beer involved in this post.)
