[dns-operations] Default route or not default route for anycast *local* nodes?

Colin Petrie colin at spakka.net
Sat Mar 11 20:39:09 UTC 2017


On 11/03/2017 17:29, Barry Raveendran Greene wrote:
> 
>> On Mar 11, 2017, at 3:48 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>>
>> I didn't talk yet with the operators of this root name server, but,
>> before I do, I wonder if there are existing good practices (maybe
>> having no default route helps against reflection attacks?)
> 
> No putting default on IX peering is the best practice (unless something has changed). It sounds more like people have not done the anycast engineering. I get the impression that people think that “if I just advertise” an anycast service via eBGP that “all will be well” and it would work. Not true. 

Indeed. I always assume asymmetric routing to be standard behaviour :)

You can never guarantee that you won't receive queries at an anycast
site with a source address from a prefix that is not advertised to you
by the BGP peers at that site.

IMHO, there should always be a route of last resort (or full table etc)

Cheers,
Colin
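
[Added example, not part of the original message or thread.] A minimal sketch of the check implied above: take the prefixes an anycast site has learned from its BGP peers, run a longest-prefix match for each observed query source, and list the sources whose replies would have no return route without a route of last resort. The prefixes, addresses and function names are constructed for illustration (documentation address ranges).

```python
import ipaddress

# Constructed sample data: prefixes learned from peers at one anycast site,
# and source addresses seen in queries arriving at that site.
PEER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:a::/48"]
QUERY_SOURCES = [
    "192.0.2.53",      # covered by a peer prefix
    "198.51.100.10",   # covered by the /25
    "198.51.100.200",  # same /24, but outside the advertised /25
    "203.0.113.7",     # arrived via asymmetric path, no peer route back
    "2001:db8:a::1",   # covered
    "2001:db8:b::1",   # not covered
]


def build_rib(prefixes, default_route=False):
    """Return the routing table as a list of networks (both address families)."""
    rib = [ipaddress.ip_network(p) for p in prefixes]
    if default_route:
        # Route of last resort for IPv4 and IPv6.
        rib += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return rib


def lookup(rib, addr):
    """Longest-prefix match; returns the most specific network or None."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in rib if n.version == ip.version and ip in n]
    return max(matches, key=lambda n: n.prefixlen, default=None)


def unanswerable(rib, sources):
    """Sources whose replies would be dropped for lack of any return route."""
    return [s for s in sources if lookup(rib, s) is None]


if __name__ == "__main__":
    for label, rib in (("peer routes only", build_rib(PEER_PREFIXES)),
                       ("with default route", build_rib(PEER_PREFIXES, True))):
        lost = unanswerable(rib, QUERY_SOURCES)
        print(f"{label}: {len(lost)}/{len(QUERY_SOURCES)} sources unanswerable {lost}")
```

Run against real data, the same comparison (query sources from a packet capture, prefixes from the site's BGP table) shows how much legitimate traffic a peers-only routing table would silently drop.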



