[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Florian Weimer fw at deneb.enyo.de
Fri Jul 21 05:23:42 UTC 2006

* Paul Vixie:

> BIND's res_send() has had logic like this inside it since 4.9 or so.  Not
> the RTT sorting thing, just the don't-keep-retrying-dead-servers thing.

This only helps with long-lived processes.  A lot of services are
still implemented as short-lived processes, so the reachability
information needs to be learnt over and over again.

>> Ah, good point.  I had authoritative name servers on my mind, despite
>> the subject of the thread.  Resolvers face very different issues.
> Authoritative name servers don't send queries, so I think what you mean is
> "caching recursive nameservers"

To further beat a dead horse, I meant to say that typical caching
resolvers stop sending queries to dead NS addresses (unicast or
anycast, they can't tell anyway).

Perhaps I should elaborate on my comment on the difference between
anycasting caching resolvers and authoritative name servers.  For
example, you cannot assign arbitrary long lists of resolvers using
typical dynamic host configuration implementations (a popular
operating system only accepts two addresses in an LCP handshake,
IIRC), and some systems are notoriously poor at spotting dead
resolvers (see above).  Consequently, some ISPs apply routing magic to
their resolver addresses, to paper over cache outages.

[thread join]

>> You can't do such optimizations at the application level if all name
>> servers are hidden behind very few anycast addresses.
> this is an argument for multiple NS RRs and/or multiple A RRs per NS,
> with each A RR being a distinct anycast cloud (or a distinct stripe of
> a non-fate-sharing anycast cloud, as in UltraDNS's case).  it is not,
> in and of itself, an argument for mixed anycast/unicast nameservers.

True.  I don't think there is any observable difference between an
anycast cloud and a unicast server, perhaps with the exception of
inferred intra-AS packet transmission speeds which exceed the speed of
light (which would rule out the X-reachable-from-Y scenario in your
other message).  Stateful middleboxen can result in broken TCP
connections during route flaps, too.  And it's generally hard to bring
forth convincing technical arguments against something which does not
cause an observable difference.

On the other hand, anycast is sometimes used with the explicit desire
to cut down the set of NS/A records for a zone, e.g. to make room for
AAAA records.  I think that in the past, some operators of
authoritative servers went too far and only offered two or three
addresses, so that path optimization was mostly done by the network,
and not at the (arguably more efficient) application layer.
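As an added illustration of the point made above about res_send()-style dead-server avoidance only helping long-lived processes (example code written for this archive page, not BIND's resolver and not code from either poster): the hypothetical StubResolver below marks a server dead after a timeout and skips it for a configurable period, exactly the kind of state that a short-lived process throws away on exit. The server addresses, the "which servers answer" set and the one-query-per-second timeline are constructed for the simulation; the transport is a stand-in that never touches the network.

```python
from dataclasses import dataclass, field


class QueryTimeout(Exception):
    """Raised by the simulated transport when a server does not answer."""


def fake_transport(server, name, alive):
    """Constructed stand-in for the network: servers in `alive` answer,
    every other server behaves like a dead (or unreachable anycast) address."""
    if server in alive:
        return f"{name} answered by {server}"
    raise QueryTimeout(server)


@dataclass
class StubResolver:
    """Hypothetical stub resolver with res_send-style dead-server avoidance.

    A server that times out is recorded in `dead_until` and skipped until that
    time has passed, after which it is probed again.  The bookkeeping lives
    only in this object: a process that creates a fresh resolver has no memory
    of earlier timeouts and must relearn which servers are dead.
    """
    servers: list            # addresses in configured order (e.g. from DHCP)
    alive: set               # constructed: which of them actually answer
    dead_ttl: float = 30.0   # seconds a timed-out server is left alone
    dead_until: dict = field(default_factory=dict)
    timeouts: int = 0        # how many full timeouts this resolver has paid

    def query(self, name, now):
        """Try servers in order, skipping those still marked dead at `now`."""
        for server in self.servers:
            if self.dead_until.get(server, 0.0) > now:
                continue                      # known dead, don't retry yet
            try:
                return fake_transport(server, name, self.alive)
            except QueryTimeout:
                self.timeouts += 1
                self.dead_until[server] = now + self.dead_ttl
        raise QueryTimeout("all configured servers are dead")


# Constructed configuration: the first resolver address is dead, the second
# answers.  This mimics the "two addresses from the DHCP/LCP handshake" case.
SERVERS = ["192.0.2.1", "192.0.2.2"]
ALIVE = {"192.0.2.2"}


def long_lived_process(n_queries, dead_ttl=30.0):
    """One process, one resolver object: dead state persists across queries.
    Returns the number of timeouts paid for n_queries issued one per second."""
    resolver = StubResolver(SERVERS, ALIVE, dead_ttl)
    for i in range(n_queries):
        resolver.query(f"host{i}.example.", now=float(i))
    return resolver.timeouts


def short_lived_processes(n_queries, dead_ttl=30.0):
    """n_queries processes, each with a fresh resolver object: every single
    process pays the timeout again because nothing remembers the dead server."""
    total = 0
    for i in range(n_queries):
        resolver = StubResolver(SERVERS, ALIVE, dead_ttl)
        resolver.query(f"host{i}.example.", now=float(i))
        total += resolver.timeouts
    return total


if __name__ == "__main__":
    print("long-lived, 10 queries:", long_lived_process(10), "timeouts")
    print("short-lived, 10 queries:", short_lived_processes(10), "timeouts")
```

With a 30-second dead timer, the long-lived process pays one timeout and then skips the dead address until the timer expires (a second timeout shows up only once the simulated clock passes 30 seconds), whereas ten short-lived processes pay ten timeouts. That gap is what ISP-side "routing magic" on resolver addresses is compensating for: if the dead address is simply never reachable as dead, no client, long- or short-lived, has to learn anything.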
