[dns-operations] Anycast vs. unicast NS

Jim Reid jim at rfc1035.com
Sun Mar 20 19:21:33 UTC 2011

On 18 Mar 2011, at 15:18, David Miller wrote:

> Please provide exactly what the "single point of failure" is with  
> anycast that isn't present in unicast?

Here are a few:

Extra complexity in server configuration
Extra complexity in router setups
More complicated systems & network management (procedures)
More complicated monitoring arrangements
More elaborate network operations and support (procedures)
"Special" filtering/peering treatment for anycast ASNs and prefixes

Further SPoFs arise if the anycasting service for the NS RRset comes  
from one source => one set of operating procedures; a single design/ 
architecture; one contract (maybe) with the partners providing co-lo/ 
peering/transit for the anycast nodes; etc, etc.

In short, there are potential SPoFs in pretty much all the extra goop  
that's needed to make an anycast node work and isn't needed for  
unicast. Or at least not to the same extent. After all, there's  
usually some attention paid to the reachability and operation of  
important DNS servers even when they're unicast.

This is where a second, independent anycast provider is beneficial  
because they presumably have a different set of vulnerabilities to  
your own.
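Added illustration of that last point, not part of Jim's post: a small check that reads an NS RRset annotated with the shared-fate attributes he lists (operator, origin ASN, transit/co-lo partner) and reports any attribute on which every nameserver depends on the same value. The hostnames, ASNs (from the RFC 5398 documentation range) and provider labels are constructed for the example; the two RRsets model "one anycast source" versus "second, independent anycast provider".

```python
from collections import defaultdict

# Constructed NS RRsets (not real operators). Each entry records the things the
# post names as shared fate: who runs the node, its origin ASN, and who carries it.
SINGLE_PROVIDER = [
    {"name": "ns1.example.net.", "operator": "anycast-a", "asn": 64496, "transit": "carrier-x"},
    {"name": "ns2.example.net.", "operator": "anycast-a", "asn": 64496, "transit": "carrier-x"},
    {"name": "ns3.example.net.", "operator": "anycast-a", "asn": 64496, "transit": "carrier-x"},
]

DUAL_PROVIDER = SINGLE_PROVIDER[:2] + [
    {"name": "ns1.example.org.", "operator": "anycast-b", "asn": 64497, "transit": "carrier-y"},
    {"name": "ns2.example.org.", "operator": "anycast-b", "asn": 64497, "transit": "carrier-y"},
]

FATE_ATTRIBUTES = ("operator", "asn", "transit")


def diversity_report(ns_set, attributes=FATE_ATTRIBUTES):
    """Map attribute -> {value: [NS names]} so partial overlaps are visible too."""
    report = {}
    for attr in attributes:
        groups = defaultdict(list)
        for ns in ns_set:
            groups[ns[attr]].append(ns["name"])
        report[attr] = dict(groups)
    return report


def shared_fate(ns_set, attributes=FATE_ATTRIBUTES):
    """Return {attribute: value} for every attribute whose single value covers
    the whole RRset, i.e. a single point of failure for name resolution."""
    spofs = {}
    for attr, groups in diversity_report(ns_set, attributes).items():
        if len(groups) == 1:
            (value,) = groups.keys()
            spofs[attr] = value
    return spofs


def largest_share(ns_set, attributes=FATE_ATTRIBUTES):
    """Fraction of the RRset lost if the most widely shared value of any one
    attribute fails. 1.0 means total outage; lower is more resilient."""
    total = len(ns_set)
    worst = 0.0
    for groups in diversity_report(ns_set, attributes).values():
        biggest = max(len(names) for names in groups.values())
        worst = max(worst, biggest / total)
    return worst


if __name__ == "__main__":
    for label, rrset in (("single provider", SINGLE_PROVIDER), ("dual provider", DUAL_PROVIDER)):
        print(f"{label}: SPoFs={shared_fate(rrset)} worst-case loss={largest_share(rrset):.2f}")
```

The first RRset reports operator, ASN and transit as single points of failure with a worst-case loss of the whole set; the second reports none, with the worst single-attribute failure taking out half the nameservers. Real data for the "operator" and "transit" columns comes from your contracts, not from DNS, which is exactly the management overhead the post describes.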
