[dns-operations] Default route or not default route for anycast *local* nodes?
colin at spakka.net
Sat Mar 11 20:39:09 UTC 2017
On 11/03/2017 17:29, Barry Raveendran Greene wrote:
>> On Mar 11, 2017, at 3:48 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> I didn't talk yet with the operators of this root name server, but,
>> before I do, I wonder if there are existing good practices (maybe
>> having no default route helps against reflection attacks?)
> No putting default on IX peering is the best practice (unless something has changed). It sounds more like people have not done the anycast engineering. I get the impression that people think that “if I just advertise” an anycast service via eBGP that “all will be well” and it would work. Not true.
Indeed. I always assume asymmetric routing to be standard behaviour :)
You can never guarantee that you won't receive queries at an anycast
site with a source address from a prefix that is not advertised to you
by the BGP peers at that site.
IMHO, there should always be a route of last resort (or full table etc).
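
The point made in this message, sketched as an added example (not part of the original post): a longest-prefix-match check of query source addresses against the routes learned from the BGP peers at one anycast site, listing the sources whose replies have no return path unless a route of last resort is present. The prefixes, next-hop names and source addresses are constructed from documentation ranges.

```python
import ipaddress

def net(prefix):
    return ipaddress.ip_network(prefix)

# Constructed sample: routes learned from IX peers at one local node.
PEER_RIB = [
    (net("192.0.2.0/24"), "peer-a"),
    (net("198.51.100.0/25"), "peer-b"),
    (net("2001:db8:1::/48"), "peer-a"),
]

# Same table plus a route of last resort (hypothetical transit next hop).
RIB_WITH_DEFAULT = PEER_RIB + [
    (net("0.0.0.0/0"), "transit"),
    (net("::/0"), "transit"),
]

# Constructed sample: source addresses seen in queries arriving at the node.
SOURCES = [
    "192.0.2.53", "198.51.100.10", "198.51.100.200",
    "203.0.113.7", "2001:db8:1::53", "2001:db8:2::53",
]

def best_route(rib, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(n, nh) for n, nh in rib
               if n.version == ip.version and ip in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def unanswerable_sources(rib, sources):
    """Sources for which the node has no route to send the reply."""
    missing = {s for s in sources if best_route(rib, s) is None}
    return sorted(missing, key=lambda s: (ipaddress.ip_address(s).version,
                                          int(ipaddress.ip_address(s))))

if __name__ == "__main__":
    print("peers only:  ", unanswerable_sources(PEER_RIB, SOURCES))
    print("with default:", unanswerable_sources(RIB_WITH_DEFAULT, SOURCES))
```
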