On Thu, 2 Sep 2004, Rodney Joffe wrote:
You are absolutely right in suggesting that .foo has to get its act together. You may even tell your users that. But you'll be telling every single one of them, because every single one of them is going to attempt to resolve .foo domain names during the hour you have them dampened. And your cost in dealing with those support calls will probably outweigh the benefits of dampening .foo.
I am polling networks so that I can get an idea of who handles their network this way, and who doesn't. I don't know if it is stupid or not, because I don't know enough about the subject yet. What I do know is that dampening these special networks with long prefixes already causes real-world problems. In many cases, the pain is felt by networks who may have a policy of not dampening, but are downstream of a major
While I'm not going to encourage anybody to avoid doing something to make their network stable because it should be somebody else's problem (just as I wouldn't suggest that somebody cross the street in front of a speeding truck just because pedestrians have the right of way at California crosswalks), this whole discussion strikes me as something that needs to be looked at in the context of DNS diversity.

In the case of the root servers, there are 13 IP addresses, announced from different ASes, most of them by different organizations. Some of them are anycasted; I believe some of them still aren't. As long as a network still has reachability to one of them, things should work. Anything that causes a network to see all 13 of them flapping simultaneously is probably a local problem, and probably leaves much of the rest of the Internet inaccessible from that network.

The same really can't be said for some of the TLDs, either on the qorbit.net Golden Networks list or off (it omits all the ccTLDs, which include some of the most important TLDs in some parts of the world). I suspect many of the TLDs that have only two or three listed name servers are anycasted, and anycast does add a lot of reliability. For most forms of network or server failure, a good anycast implementation can force fail-over to another server, and users not doing traceroutes to the name servers will never notice. But one thing anycast doesn't do is protect against route flapping. If a domain is served from two anycast addresses, and two announced routes, all it takes to make it completely unreachable from some part of the Internet is for the two local servers to start flapping at the same time. If reliability of the individual components is equal, that should be a lot less robust than the root server architecture.

So, it seems to me that there are three questions here:

What is critical infrastructure? DNS for which domains? What about other services? Google? Hotmail or Yahoo? The answer to this presumably varies considerably from place to place.

What should the providers of critical infrastructure be doing to make sure their critical infrastructure remains available?

What should network operators be doing to make sure their networks can access critical infrastructure?

-Steve
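Added example, not part of the original message: a minute-by-minute model of route flap dampening that compares a zone served from two flapping prefixes with one served from 13 prefixes of which the same two flap. The penalty, suppress, reuse and half-life values are assumptions modelled on common router defaults, the flap times are constructed, and the maximum suppress time is not modelled.

```python
# Added illustration; all parameter values below are assumptions,
# not figures taken from the thread.
HALF_LIFE_MIN = 15     # penalty halves every 15 minutes
FLAP_PENALTY = 1000    # added to the penalty on each flap
SUPPRESS_LIMIT = 2000  # route is dampened once the penalty exceeds this
REUSE_LIMIT = 750      # route is released once the penalty decays below this


def suppressed_minutes(flap_times, horizon=120):
    """Return the set of minutes in which one prefix is dampened.

    flap_times: minutes at which the prefix flapped (one flap per minute).
    """
    decay = 0.5 ** (1 / HALF_LIFE_MIN)
    flaps = set(flap_times)
    penalty, suppressed, out = 0.0, False, set()
    for t in range(horizon):
        penalty *= decay                 # exponential decay, one minute step
        if t in flaps:
            penalty += FLAP_PENALTY
        if penalty > SUPPRESS_LIMIT:
            suppressed = True
        elif penalty < REUSE_LIMIT:
            suppressed = False
        if suppressed:
            out.add(t)
    return out


def zone_outage_minutes(prefix_flaps, horizon=120):
    """Minutes in which every name-server prefix of a zone is dampened at once."""
    per_prefix = [suppressed_minutes(f, horizon) for f in prefix_flaps]
    return len(set.intersection(*per_prefix)) if per_prefix else 0


# Constructed flap schedules: two local anycast routes flapping together.
FLAPPY_A = [0, 2, 4]
FLAPPY_B = [1, 3, 5]
TWO_SERVER_TLD = [FLAPPY_A, FLAPPY_B]
# 13 prefixes where the same two flap and the other 11 stay stable.
THIRTEEN_SERVERS = [FLAPPY_A, FLAPPY_B] + [[] for _ in range(11)]

if __name__ == "__main__":
    print("two-prefix zone unreachable (min):", zone_outage_minutes(TWO_SERVER_TLD))
    print("13-prefix zone unreachable (min): ", zone_outage_minutes(THIRTEEN_SERVERS))
```

Three flaps a few minutes apart keep each prefix dampened for roughly half an hour after the flapping has stopped; the zone is dark for the overlap only when every one of its prefixes is in that state.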