[dns-operations] IPv6 and Anycast

Paul Vixie paul at vix.com
Sat Nov 11 16:55:39 UTC 2006


a lot of different entities monitor internet infrastructure for either their
own risk management purposes, or for curiosity, or for science or history.
the trouble is that there's no reliable way to know who is responsible for
each infrastructure element, and so there's no easy way to notify that party
when something's broken.  so what happens is, when things break, infrastructure
operators get a lot of e-mail from a lot of helpful people.  this usually adds
workload when the operator already knows about the outage and is trying to fix
it, or when the outage was planned but the monitoror wasn't notifiable in
advance.  so, internet infrastructure monitoring is currently ad-hoc and the
notifications of planned and unplanned outages all tend to go to different
public forums which by definition not every interested party knows about.

the original OARC plan included monitoring, in hopes that with participation
by enough of the existing infrastructure operators, and enough of monitorors,
there could be critical mass around outage notifications (planned or not).
one important element of all this is to get the infrastructure operators to
register their contact information and set up specific nagios-style tests to
run.  we'll know after this week's membership meeting whether this is still a
useful idea and whether it's going to be a priority for OARC going forward.
(by my own read, it still ought to be done.)

your point about TLD servers being able to renumber more easily than root
operators is a good one.  but they will still need PI address space to anycast,
no matter how easy it will be to renumber it in comparison to a root server.

re:

> Date: Sat, 11 Nov 2006 16:19:08 +0100
> From: Bernhard Schmidt <berni at birkenwald.de>
> User-Agent: Thunderbird 1.5.0.7 (X11/20060918)
> To: dns-operations at lists.oarci.net
> Subject: [dns-operations] IPv6 and Anycast
> Sender: dns-operations-bounces at lists.oarci.net
> 
> Hi,
> 
> quite a number of root, gTLD and ccTLD operators have received an 
> allocation for critical infrastructure according to the address policies 
> of (mostly) RIPE and ARIN. These allocations in theory allow anycasted 
> operation of the root and TLD servers.
> 
> I've been following the availability of IPv6-enabled TLD servers closely 
> and found some issues. I've concentrated on the root-servers, .com 
> (Verisign), .org (UltraDNS) and .biz (Neustar), as they are probably the 
> most important players out there.
> 
> 
> root-servers.net
> ================
> 
> The root-servers are only in this list for completeness, as no AAAA 
> record is yet listed in any official zone for any of those. But, as one 
> can hear from various sources, this is hoped to be done at some time, so 
> maybe one should have a look.
> 
> Out of the 13 root-servers six are known to have some IPv6 affiliation. 
> Five of them are listed on root-servers.org, with B being the notable 
> exception of not being in a critical infrastructure allocation and not 
> being reachable for more than a year (the last successful reply I got 
> was still 6bone space). The other four listed and I.root are reachable.
> 
> Among those five root-servers four are supposed to be anycasted. Yet, 
> the only v6-anycasted root-server I could make out is F (ISC), which has 
> a local node ten km away from my house (so 1ms latency for me). The 
> others go to one global node (I in Stockholm, K in Amsterdam, M in Tokyo).
> 
> 
> gtld-servers.net
> ================
> 
> .com has 13 nameservers, with two of them (a.gtld-servers.net and 
> b.gtld-servers.net) being IPv6 enabled both with an AAAA record in zone 
> and the appropriate glue records in the root zone. Both are apparently 
> not anycasted, A.gtld is visible through Sprint, B.gtld through Verio. 
> Due to their location both have quite some latency from Europe.
> 
> A.gtld is down (does not answer anymore) since Wednesday. I have 
> verified that from several places. Apparently a standard BIND (9.3.2) 
> does not cope with this situation too well, my queries for .com domains 
> feel quite sluggish and I can see lots of outgoing queries on the 
> resolvers to the broken server, none of them are getting answered.
> 
> 
> .org (UltraDNS)
> ===============
> 
> .org has six nameservers, two of them (tld1.ultradns.net and 
> tld4.ultradns.org) have AAAA records both in zone and as glue. Both seem 
> not to be anycasted, both are only visible through Verio (tld1 in 
> Chicago, tld4 in Los Angeles). Both locations have 100+ ms to Europe.
> 
> Both generally answer pretty well, although tld1 has been down for 
> almost a full month in October, where the prefix was not visible in the 
> DFZ at all.
> 
> 
> .biz (Neustar)
> ==============
> 
> .biz has eight nameservers, again two of them (g.gtld.biz and 
> h.gtld.biz) have AAAA records both in zone and glue. Both seem not to be 
> anycasted, both are only visible through Verio (g in Ashburn, h in Palo 
> Alto).
> 
> I have only started tracking them for two weeks now, but both have been 
> up and running the whole time.
> 
> 
> So why am I writing this mail? In general, I have the feeling that IPv6 
> operation of the nameservers is usually not monitored. While this is 
> acceptable for the root-servers (as they are not officially in 
> production yet), all the TLD servers are officially IPv6-enabled and are 
> queried by IPv6-enabled recursors around the globe. One of the most 
> widely used recursors (BIND) seems not to have enough intelligence to 
> avoid broken servers completely, yet the servers can fail for several 
> days/weeks and no one gives a shit. How do TLD operators monitor their 
> nameservers?
> 
> Second, I remember anycasting (global anycasting via BGP) being the new 
> hype a few years ago. If I remember the discussion correctly TLD 
> operators were granted the assignment and use of critical infrastructure 
> on consideration of the anycast ability, as per se using PA addresses 
> on non-anycasted boxes would not be an issue (addresses of TLD servers 
> can be changed quite easily, root-servers can't). Still, there is 
> virtually no anycasting in the IPv6 world (even among productive 
> networks) and even in IPv4 it could be better (2 of 13 gtld-servers stay 
> in Europe, and those seem not to be anycasted).
> 
> What are the plans among the gTLD operators to deploy real anycasting? 
> Together with a better monitoring it would probably have prevented the 
> outages outlined above.
> 
> Regards,
> Bernhard
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
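As an added illustration of the "nagios-style tests" Paul mentions and of Bernhard's question about how TLD operators monitor their IPv6 nameservers, here is a minimal probe script; it is example code written for this page, not anything from OARC, ISC or the list. It sends a non-recursive SOA query over UDP/IPv6 to a server address the caller supplies and classifies the reply (timeout, non-authoritative, error RCODE, empty answer), which is exactly what distinguishes the dead A.gtld case from a healthy server; the address, zone and 2-second timeout are assumptions.

```python
import os
import socket
import struct

# Header flag bits from RFC 1035 section 4.1.1
QR = 0x8000          # set in replies
AA = 0x0400          # authoritative answer
RCODE_MASK = 0x000F  # low four bits carry the response code

def build_query(zone: str, qid: int) -> bytes:
    """Encode a DNS SOA query for zone with RD=0; an authoritative server must answer it itself."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # id, flags, qdcount=1, rest 0
    return header + qname + struct.pack("!HH", 6, 1)      # QTYPE=SOA, QCLASS=IN

def classify_reply(query: bytes, reply: bytes) -> str:
    """Return 'OK' for an authoritative, error-free answer to query, else the reason it fails."""
    if len(reply) < 12:
        return "truncated header"
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != struct.unpack("!H", query[:2])[0]:
        return "id mismatch"
    if not flags & QR:
        return "not a response"
    if reply[12:len(query)] != query[12:]:
        return "question mismatch"   # reply is for a different name or type
    rcode = flags & RCODE_MASK
    if rcode:
        return "rcode %d" % rcode     # e.g. 2 = SERVFAIL, 5 = REFUSED
    if not flags & AA:
        return "not authoritative"    # a forwarder or lame delegation, not the TLD server
    if ancount == 0:
        return "empty answer"
    return "OK"

def check_server(addr: str, zone: str, timeout: float = 2.0) -> str:
    """Nagios-style probe: query the server's IPv6 address on UDP/53 and classify the reply."""
    query = build_query(zone, int.from_bytes(os.urandom(2), "big"))
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (addr, 53))
            reply, _ = s.recvfrom(512)
    except socket.timeout:
        return "timeout"              # the A.gtld symptom: packets go out, nothing comes back
    except OSError as e:
        return "error: %s" % e        # e.g. no IPv6 route on the monitoring host
    return classify_reply(query, reply)

if __name__ == "__main__":
    import sys
    print(sys.argv[1], sys.argv[2], check_server(sys.argv[1], sys.argv[2]))
```

Run it as `python3 check.py <AAAA address> com.` from several vantage points and alert when the result stays anything other than `OK`, which is the "verified from several places" step Bernhard describes.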
