[dns-operations] IPv6 and Anycast
Bernhard Schmidt
berni at birkenwald.de
Sat Nov 11 15:19:08 UTC 2006
Hi,

quite a number of root, gTLD and ccTLD operators have received an
allocation for critical infrastructure according to the address policies
of (mostly) RIPE and ARIN. These allocations in theory allow anycasted
operation of the root and TLD servers.

I've been following the availability of IPv6-enabled TLD servers closely
and found some issues. I've concentrated on the root-servers, .com
(Verisign), .org (UltraDNS) and .biz (Neustar), as they are probably the
most important players out there.
root-servers.net
================
The root-servers are only in this list for completeness, as no AAAA
record is yet listed in any official zone for any of those. But, as one
can hear from various sources, this is hoped to be done at some time, so
maybe one should have a look.

Out of the 13 root-servers, six are known to have some IPv6 affiliation.
Five of them are listed on root-servers.org, with B being the notable
exception of not being in a critical infrastructure allocation and not
being reachable for more than a year (the last successful reply I got
was still 6bone space). The other four listed and I.root are reachable.

Among those five root-servers, four are supposed to be anycasted. Yet
the only v6-anycasted root-server I could make out is F (ISC), which has
a local node ten km away from my house (so 1 ms latency for me). The
others go to one global node (I in Stockholm, K in Amsterdam, M in Tokyo).
gtld-servers.net
================
.com has 13 nameservers, two of which (a.gtld-servers.net and
b.gtld-servers.net) are IPv6-enabled, with both an AAAA record in zone
and the appropriate glue records in the root zone. Both are apparently
not anycasted; A.gtld is visible through Sprint, B.gtld through Verio.
Due to their location both have quite some latency from Europe.

A.gtld has been down (does not answer anymore) since Wednesday. I have
verified that from several places. Apparently a standard BIND (9.3.2)
does not cope with this situation too well; my queries for .com domains
feel quite sluggish and I can see lots of outgoing queries on the
resolvers to the broken server, none of which are getting answered.
.org (UltraDNS)
===============
.org has six nameservers, two of which (tld1.ultradns.net and
tld4.ultradns.org) have AAAA records both in zone and as glue. Both seem
not to be anycasted; both are only visible through Verio (tld1 in
Chicago, tld4 in Los Angeles). Both locations have 100+ ms to Europe.

Both generally answer pretty well, although tld1 was down for almost a
full month in October, when the prefix was not visible in the DFZ at
all.
.biz (Neustar)
==============
.biz has eight nameservers; again two of them (g.gtld.biz and
h.gtld.biz) have AAAA records both in zone and as glue. Both seem not to
be anycasted; both are only visible through Verio (g in Ashburn, h in
Palo Alto).

I only started tracking them two weeks ago, but both have been up and
running the whole time.
So why am I writing this mail? In general, I have the feeling that IPv6
operation of the nameservers is usually not monitored. While this is
acceptable for the root-servers (as they are not officially in
production yet), all the TLD servers are officially IPv6-enabled and are
queried by IPv6-enabled recursors around the globe. One of the most
widely used recursors (BIND) seems not to have enough intelligence to
avoid broken servers completely, yet the servers can fail for several
days/weeks and no one gives a shit. How do TLD operators monitor their
nameservers?
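One way to do the kind of per-server IPv6 reachability check the mail asks for, as an added example that is not part of the original post: each nameserver is asked the zone's NS set directly over IPv6 UDP with a timeout, and a reply only counts if its transaction ID matches and QR is set. The 2001:db8:: addresses and hostnames in any run are assumptions; in practice the address of each server would come from its AAAA glue.

```python
import random
import socket
import struct

DNS_PORT = 53

def build_query(zone, qtype=2, txid=None):
    """Minimal RFC 1035 query: QTYPE 2 (NS), class IN, RD=0, the kind of
    question a recursor sends to an authoritative server."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def check_reply(reply, txid):
    """(rcode, answer_count) if the datagram carries our ID and QR=1,
    else None (truncated, unrelated or spoofed datagram)."""
    if len(reply) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        return None
    return flags & 0x000F, an

def udp6_exchange(addr, packet, timeout):
    """Send one query over IPv6 UDP and return the reply, or None on timeout."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (addr, DNS_PORT))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def probe_servers(servers, zone, timeout=2.0, exchange=udp6_exchange):
    """servers: {hostname: IPv6 address}. Each becomes 'ok' (NOERROR with
    at least one answer), 'timeout', or 'bad' (anything else)."""
    status = {}
    for host, addr in servers.items():
        txid, packet = build_query(zone)
        reply = exchange(addr, packet, timeout)
        parsed = None if reply is None else check_reply(reply, txid)
        if reply is None:
            status[host] = "timeout"
        elif parsed is not None and parsed[0] == 0 and parsed[1] > 0:
            status[host] = "ok"
        else:
            status[host] = "bad"
    return status
```

Run from a cron job with `probe_servers({"a.gtld-servers.net": "<its AAAA>", ...}, "com.")` and alert on anything that is not "ok" for more than a couple of cycles; the `exchange` parameter exists so the classification can be tested offline.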
Second, I remember anycasting (global anycasting via BGP) being the new
hype a few years ago. If I remember the discussion correctly, TLD
operators were granted the assignment and use of critical infrastructure
in consideration of the anycast ability, as per se using PA addresses
on non-anycasted boxes would not be an issue (addresses of TLD servers
can be changed quite easily, root-servers can't). Still, there is
virtually no anycasting in the IPv6 world (even among production
networks) and even in IPv4 it could be better (2 of 13 gtld-servers stay
in Europe, and those seem not to be anycasted).

What are the plans among the gTLD operators to deploy real anycasting?
Together with better monitoring it would probably have prevented the
outages outlined above.

Regards,
Bernhard