[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
Brad Knowles
brad at stop.mail-abuse.org
Fri Jul 14 10:11:50 UTC 2006
At 7:30 PM -0700 2006-07-13, Rodney Joffe wrote:
> H'mmm. I'm interested in what form of routing foo you're apparently aware
> of that would allow packets from you to a specific IP address to *ever* go
> to a different location when the "closest" location to you is broken, but
> the route still exists.
That's entirely my point. So far as I know, this isn't possible.
As I understand it, the only way to resolve this issue is to have
some non-anycast IP addresses that are also advertised, and for which
the route would presumably remain stable (and the same) for all
parties on the Internet, and then hope that site doesn't get hosed as
well.
> What does anycast or unicast have to do with the other eleven "machines"
> being reachable?
Because f.root-servers.net and k.root-servers.net are anycast,
whereas there are presumably some other members of root-servers.net
that are not anycast. Hence, they do not have the problem that
UltraDNS had (has?), because in their advertised nameservers they
have both anycast and non-anycast IP addresses represented.
> Huh? How does having only two advertised IP addresses for a given service
> get you to "both of those IP addresses are likely to be routed to the
> same broken cluster, and then all of your recursive DNS service is going
> to get hosed"?
If they're part of the same network advertisement, then packets for
them would route to the same site. If that site is broken, then any
queries to either address would suffer the same problem.
If they're not part of the same network advertisement and the packets
to them happen to route to the same site for a given subset of
customers, then if that site goes Tango-Uniform, all their DNS
services are completely hosed.
Therefore, adding more anycast IP addresses to the list would only
partially resolve the problem, and only to the degree that you could
guarantee that no one customer site would see the same route to those
IP addresses.
> Perhaps your knowledge of
> issues was picked up by reading the NANOG archives, and running across
> posts where someone saw some issues, but couldn't actually supply any
> evidence, or explain why the 15 million other domain holders had not seen
> the issue?
My understanding is that other parties had seen the same problems,
because their packets to the same advertised UltraDNS nameservers
were being routed to the same broken site.
But I'll go back and look through my NANOG archives to see if I can
provide more specifics.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
Founding Individual Sponsor of LOPSA. See <http://www.lopsa.org/>.
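The failure mode argued above (every advertised nameserver address riding the same network advertisement, with no non-anycast address as a stable fallback) can be checked mechanically. The following is an added example, not code from the thread or from any operator named in it; the zone, hostnames and prefixes are constructed from RFC 5737 documentation ranges, and the anycast/unicast labelling of each prefix is an assumed input the operator would supply.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original post): an NS set for a
# hypothetical zone and the prefixes its operator advertises. Addresses
# come from the RFC 5737 documentation ranges, so nothing here is routable.
ADVERTISED_PREFIXES = {
    "198.51.100.0/24": "anycast",   # one announcement shared by several sites
    "203.0.113.0/24": "unicast",    # a single-site, non-anycast announcement
}

NAMESERVERS = {
    "ns1.example": "198.51.100.10",
    "ns2.example": "198.51.100.20",   # same advertisement as ns1
    "ns3.example": "203.0.113.53",    # route stays the same for everyone
}


def covering_prefix(ip, prefixes):
    """Return the most specific advertised prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(p) for p in prefixes
               if addr in ipaddress.ip_network(p)]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


def route_diversity(nameservers, prefixes):
    """Group nameserver addresses by the advertisement that carries them.

    Returns (groups, findings): groups maps prefix -> [hostnames];
    findings lists the two risks raised in the thread.
    """
    groups = defaultdict(list)
    for host, ip in nameservers.items():
        groups[covering_prefix(ip, prefixes)].append(host)
    findings = []
    if len(groups) == 1:
        # Every NS address rides one announcement: a broken site takes
        # out the whole delegation for the clients routed to it.
        findings.append("all nameservers share a single advertisement")
    if not any(prefixes.get(p) == "unicast" for p in groups if p):
        # Without a non-anycast address there is no route that remains
        # stable for all parties when the nearest anycast site is broken.
        findings.append("no non-anycast nameserver address")
    return dict(groups), findings
```

Dropping ns3 from the sample set reproduces both findings, which is the two-address, anycast-only situation the post describes.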