[dns-operations] glitch on [ip6|in-addr].arpa?

Joe Abley jabley at hopcount.ca
Fri Oct 11 18:51:43 UTC 2019


On 11 Oct 2019, at 14:21, Paul Vixie <paul at redbarn.org> wrote:

> in the earlier days of DNS-OARC (where dnsviz migrated to recently), there was a server at cogent, which was not reachable over IPv6 from users are hurricane. i don't remember anybody blaming hurricane for this, which is why it seems odd to blame cogent today when DNS-OARC is hosted at hurricane. hurricane has transit for their IPv4 network but not for their IPv6 network. cogent's peering policy isn't fully "open." it's hard for me to see that either of them is "in the wrong."

For me, too. People need to put their pitchforks away.

The root server system as a whole accomplishes this kind of redundancy in connectivity by having multiple root servers that are each differently-connected to the Internet. Many of those individual root servers are further distributed across multiple connectivity providers using anycast. C is one that is not, but since it's an active goal of the system as a whole to be diverse it's hard to see that as a problem. I guarantee that there are attack scenarios where having all the anycast nodes (and hence the attack traffic) in one AS is going to be an advantage for measurement, or mitigation, or something.

There is a ridiculous amount of diversity in this system precisely so that nobody has to lose any hair when one (or even many) specific components are not reachable.

What some people are seeing in this thread as a problem is actually a nice demonstration that the system as a whole is immune to damage due to partial-table peering disagreements.


Joe




More information about the dns-operations mailing list