[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Brad Knowles brad at stop.mail-abuse.org
Fri Jul 14 10:11:50 UTC 2006

At 7:30 PM -0700 2006-07-13, Rodney Joffe wrote:

>  H'mmm. I'm interested in what form of routing foo you're apparently aware
>  of that would allow packets from you to a specific IP address to *ever* go
>  to a different location when the "closest" location to you is broken, but
>  the route still exists.

That's entirely my point.  So far as I know, this isn't possible.

As I understand it, the only way to resolve this issue is to have 
some non-anycast IP addresses that are also advertised, and for which 
the route would presumably remain stable (and the same) for all 
parties on the Internet, and then hope that site doesn't get hosed as 

>  What does anycast or unicast have to do with the other eleven "machines"
>  being reachable?

Because f.root-servers.net and k.root-servers.net are anycast, 
whereas there are presumably some other members of root-servers.net 
that are not anycast.  Hence, they do not have the problem that 
UltraDNS had (has?), because in their advertised nameservers they 
have both anycast and non-anycast IP addresses represented.

>  Huh? How does having only two advertised IP addresses for a given service
>  get you to "both of those IP addresses are likely to be routed to the
>  same broken cluster, and then all of your recursive DNS service is going
>  to get hosed"?.

If they're part of the same network advertisement, then packets for 
them would route to the same site.  If that site is broken, then any 
queries to either address would suffer the same problem.

If they're not part of the same network advertisement and the packets 
to them happen to route to the same site for a given subset of 
customers, then if that site goes Tango-Uniform, all their DNS 
services are completely hosed.

Therefore, adding more anycast IP addresses to the list would only 
partially resolve the problem, and only to the degree that you could 
guarantee that no one customer site would see the same route to those 
IP addresses.

>                                                 Perhaps your knowledge of
>  issues was picked up by reading the NANOG archives, and running across
>  posts where someone saw some issues, but couldn't actually supply any
>  evidence, or explain why the 15 million other domain holders had not seen
>  the issue?

My understanding is that other parties had seen the same problems, 
because their packets to the same advertised UltraDNS nameservers 
were being routed to the same broken site.

But I'll go back and look through my NANOG archives to see if I can 
provide more specifics.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  Founding Individual Sponsor of LOPSA.  See <http://www.lopsa.org/>.
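An added illustration of the fate-sharing argument in the message above (this is not Brad's code and not anything from UltraDNS or OpenDNS): given a list of a zone's advertised nameserver addresses and a vantage point's routing view, it groups the nameservers by the site their packets would land at and reports whether a single broken site takes out every listed nameserver. The prefixes, site names and addresses are constructed RFC 5737 documentation values; the prefix-to-site table stands in for what a real vantage point could only learn from traceroute or looking-glass data, so treat it as an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed routing view for ONE vantage point (assumption, not real data):
# each covering announcement and the anycast/unicast site it reaches from here.
# Two different announcements can still land at the same site, which is the
# second failure case described in the message.
ROUTING_VIEW = {
    "192.0.2.0/24": "site-A",
    "198.51.100.0/24": "site-A",   # separate announcement, same site from here
    "203.0.113.0/24": "site-B",
}


def longest_prefix_match(ip, view):
    """Return the most specific covering prefix in the view, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in view:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def group_by_site(nameservers, view):
    """Map each site to the advertised nameserver IPs that route to it.

    Nameservers not covered by any announcement in the view are grouped
    under None so the caller can see that their path is unknown.
    """
    groups = defaultdict(list)
    for ns in nameservers:
        net = longest_prefix_match(ns, view)
        site = view[str(net)] if net is not None else None
        groups[site].append(ns)
    return dict(groups)


def single_point_of_failure(nameservers, view):
    """True when every listed nameserver reaches the same known site.

    If that site is broken, every query from this vantage point fails,
    regardless of how many distinct IP addresses appear in the NS set.
    Unknown paths (None) make the answer False rather than a false alarm.
    """
    groups = group_by_site(nameservers, view)
    return len(groups) == 1 and None not in groups


if __name__ == "__main__":
    # Constructed NS sets (assumption): two addresses in one announcement,
    # two in different announcements that still share a site, and a mixed set.
    for ns_set in (["192.0.2.10", "192.0.2.11"],
                   ["192.0.2.10", "198.51.100.10"],
                   ["192.0.2.10", "203.0.113.10"]):
        print(ns_set, group_by_site(ns_set, ROUTING_VIEW),
              "single point of failure:", single_point_of_failure(ns_set, ROUTING_VIEW))
```

The check is only as good as the routing view it is fed, and that view is per vantage point: a set of nameservers that is safely split across sites for one network can collapse onto one site for another, which is why the message argues that adding more anycast addresses helps only as far as no customer ends up seeing the same path to all of them.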