BTW, Iljitsch notes that "he is worried, but not as much as Dean seems to be". As I told Iljitsch, I'm not saying the sky is falling, but I am saying there is a problem, and instead of addressing the problem, people are just making personal attacks.

---------- Forwarded message ----------
Date: Sun, 3 Oct 2004 23:01:42 +0200
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop@lists.uoregon.edu
Subject: Re: [dnsop] Re: Root Anycast

On 2-okt-04, at 21:42, Stephane Bortzmeyer wrote:
Troll Bot <dean@av8.com> keeps mentioning PPLB. Maybe some people more knowledgeable about BGP than I am will explain to me why PPLB is such a new issue for anycasting?
I have no idea how new this is, but I have to admit I'm slightly worried. Not to the degree Dean seems to be, though.

It is true that if you turn on load balancing over multiple paths in BGP and then per packet load balancing between several links, packets belonging to one session can end up on different anycast instances. (This would be harmful in the case of TCP, but TCP will probably recover by retransmitting. It would be quite deadly in the case of fragmented UDP packets.)

What can happen is this:

      A
     / \
   B1   B2
   |     |
   C     D
   |     |
   E1    E2

AS A connects to two different routers in AS B, and each of these routers prefers a different external path towards different anycast instances of AS E. In order for this to happen the paths from B to both anycast instances E1 and E2 must be completely identical, except that for one router in B one path is preferred and for another router the other. This will only happen if these routers connect to ASes C and D themselves, or if one sees a better IGP metric towards the router connecting to C and another sees a better IGP metric towards the router connecting to D.

Now the part that worries me is what's happening in .org. They only use two addresses in the delegation from the root, and both are heavily anycasted. This makes no sense at all as it effectively hides all but two of the .org TLD servers while there are no reasons at all for not making at least half a dozen others visible. End-user impacting issues with this have been reported (but have predictably been almost impossible to reproduce) but the situation persists.

Fortunately, the root operators have more sense (or inherited a better situation). Still, I'm not entirely comfortable with the fact that each of them seems to make anycasting decisions on their own.

Anycast has many things going for it as it allows root servers to be installed in many more places than could be done otherwise, but it's also risky as more and more root servers seem to be in the same place from any given viewpoint, and especially from not so well connected viewpoints. Problems such as congestion and BGP blackholes or (temporary) BGP instability can then impact most or even all of the root servers. (Only for some places connected to the net, though.)

So I feel it's very important to have a reasonable number of root servers that are NOT anycast. Preferably, those should be in locations that are far apart.
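The failure mode described in the forwarded message, as an added example that is not part of the original thread: a fragmented UDP datagram is forwarded from A over the B1/C/E1 and B2/D/E2 paths, first with per-packet round robin and then with a per-flow hash for contrast. The addresses, payload, function names and the per-flow policy are assumptions made for the illustration.

```python
import zlib
from itertools import cycle

# Topology from the message: A -> {B1, B2}; B1 exits via C to E1, B2 via D to E2.
PATHS = {"B1": ["C", "E1"], "B2": ["D", "E2"]}
PAYLOAD = b"constructed UDP datagram payload"   # constructed sample, 32 bytes
FLOW = ("192.0.2.10", "198.51.100.53", "udp")   # src, anycast dst, proto (documentation ranges)

def fragment(payload, size=8):
    """Split a datagram into IP-style fragments: (offset, more_fragments, data)."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [(i * size, i < len(chunks) - 1, c) for i, c in enumerate(chunks)]

def per_packet(next_hops):
    """PPLB: router A alternates next hops packet by packet."""
    rr = cycle(next_hops)
    return lambda flow: next(rr)

def per_flow(next_hops):
    """Contrast case: every packet of one flow hashes to the same next hop."""
    return lambda flow: next_hops[zlib.crc32(repr(flow).encode()) % len(next_hops)]

def reassemble(frags):
    """Return the datagram if the fragment set is complete and contiguous, else None."""
    expected = 0
    for offset, _more, data in sorted(frags):
        if offset != expected:
            return None                      # a hole: that fragment went elsewhere
        expected += len(data)
    if not frags or max(frags)[1]:           # nothing received, or last fragment missing
        return None
    return b"".join(data for _o, _m, data in sorted(frags))

def outcome(policy):
    """Send one fragmented datagram from A; report what each anycast instance can rebuild."""
    choose = policy(["B1", "B2"])
    received = {"E1": [], "E2": []}
    for frag in fragment(PAYLOAD):
        received[PATHS[choose(FLOW)][-1]].append(frag)
    return {inst: reassemble(frags) for inst, frags in received.items()}

if __name__ == "__main__":
    print("per-packet:", outcome(per_packet))   # neither instance can reassemble
    print("per-flow:  ", outcome(per_flow))     # exactly one instance gets the datagram
```
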
Responding to Iljitsch and Booloo's comments only, and recognizing that somehow or other 6 month old threads on other lists seem to have made their way onto NANOG...
---------- Forwarded message ----------
Date: Sun, 3 Oct 2004 23:01:42 +0200
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop@lists.uoregon.edu
Subject: Re: [dnsop] Re: Root Anycast
On 2-okt-04, at 21:42, Stephane Bortzmeyer wrote:
Troll Bot <dean@av8.com> keeps mentioning PPLB. Maybe some people more knowledgeable about BGP than I am will explain to me why PPLB is such a new issue for anycasting?
<snip>
Now the part that worries me is what's happening in .org. They only use two addresses in the delegation from the root, and both are heavily anycasted. This makes no sense at all as it effectively hides all but two of the .org TLD servers while there are no reasons at all for not making at least half a dozen others visible.
In October of 2004 this was the case. It has not been the case since early this year;

$ dig @c.root-servers.net org. ns

; <<>> DiG 9.2.2 <<>> @c.root-servers.net org. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40125
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;org. IN NS

;; AUTHORITY SECTION:
org. 172800 IN NS TLD1.ULTRADNS.NET.
org. 172800 IN NS TLD2.ULTRADNS.NET.
org. 172800 IN NS TLD3.ULTRADNS.org.
org. 172800 IN NS TLD4.ULTRADNS.org.
org. 172800 IN NS TLD5.ULTRADNS.INFO.
org. 172800 IN NS TLD6.ULTRADNS.CO.UK.

;; ADDITIONAL SECTION:
TLD1.ULTRADNS.NET. 172800 IN A 204.74.112.1
TLD2.ULTRADNS.NET. 172800 IN A 204.74.113.1
TLD3.ULTRADNS.org. 172800 IN A 199.7.66.1
TLD4.ULTRADNS.org. 172800 IN A 199.7.67.1
TLD5.ULTRADNS.INFO. 172800 IN A 192.100.59.11
TLD6.ULTRADNS.CO.UK. 172800 IN A 198.133.199.11

;; Query time: 54 msec
;; SERVER: 192.33.4.12#53(c.root-servers.net)
;; WHEN: Tue May 3 15:59:03 2005
;; MSG SIZE rcvd: 279

The IPv6 instances are awaiting resolution of some technical issues with the root, but we expect that in the next couple of weeks, tld1.ultradns.net and tld4.ultradns.org will also have AAAA records. Also anycast.

We're currently doing some lab work to make sure we fully understand the effects of adding IPv6 records, plus glue, in terms of exceeding udp packet sizes. But that is grist for another mill, so to speak.

See y'all in Seattle. Daniel Karrenberg and others will be providing loads of fuel to spark debate amongst non-kooks about the efficacy of anycast DNS ;-)

Rodney Joffe
CenterGate Research Group, LLC
http://www.centergate.com
"Technology so advanced, even WE don't understand it"(R)
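The packet-size question raised in the message above, worked through as an added example that is not part of the original thread: it counts the wire size of the .org referral with RFC 1035 name compression, reproduces the 279 bytes dig reports, and then adds AAAA glue. The 512-byte figure is the classic DNS-over-UDP limit without EDNS0; the class and function names are assumptions of this sketch, and only record sizes are modelled, so no IPv6 addresses are needed.

```python
CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum DNS/UDP message size without EDNS0

# NS names exactly as shown in the dig output above.
NS = ["TLD1.ULTRADNS.NET.", "TLD2.ULTRADNS.NET.", "TLD3.ULTRADNS.org.",
      "TLD4.ULTRADNS.org.", "TLD5.ULTRADNS.INFO.", "TLD6.ULTRADNS.CO.UK."]

class SizeCounter:
    """Tracks the message offset and the name suffixes already written (compression targets)."""
    def __init__(self):
        self.offset = 12      # fixed DNS header
        self.seen = {}        # lower-cased suffix -> offset where it was first written

    def name(self, fqdn):
        labels = [l for l in fqdn.split(".") if l]
        size = 0
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:]).lower()
            if suffix in self.seen:
                size += 2     # 2-byte compression pointer ends the name
                break
            self.seen[suffix] = self.offset + size
            size += 1 + len(label)   # length octet + label
        else:
            size += 1         # no pointer used: terminating root label
        self.offset += size

    def question(self, qname):
        self.name(qname)
        self.offset += 4      # QTYPE + QCLASS

    def record(self, owner, rdata_name=None, rdata_len=0):
        self.name(owner)
        self.offset += 10     # TYPE, CLASS, TTL, RDLENGTH
        if rdata_name:
            self.name(rdata_name)    # NS target is compressible
        else:
            self.offset += rdata_len

def referral_size(zone, ns_names, aaaa_glue=()):
    """Size in bytes of a referral: question, NS set, A glue, optional AAAA glue."""
    c = SizeCounter()
    c.question(zone)
    for ns in ns_names:
        c.record(zone, rdata_name=ns)
    for ns in ns_names:
        c.record(ns, rdata_len=4)    # A glue
    for ns in aaaa_glue:
        c.record(ns, rdata_len=16)   # AAAA glue
    return c.offset

if __name__ == "__main__":
    print(referral_size("org.", NS))                                              # 279
    print(referral_size("org.", NS, ["tld1.ultradns.net.", "tld4.ultradns.org."]))  # 335
```

Each AAAA glue record costs 28 bytes here because its owner name compresses to a pointer, so even AAAA glue for all six names stays under the 512-byte limit for this particular response.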
On 03.05 16:06, Rodney Joffe wrote:
...
See y'all in Seattle. Daniel Karrenberg and others will be providing loads of fuel to spark debate amongst non-kooks about the efficacy of anycast DNS ;-)
Sneak preview: http://rosie.ripe.net/ripe/meetings/ripe-50/presentations/uploads/Tuesday/ka...

Daniel
On 05.05 16:56, Daniel Karrenberg wrote:
Sneak preview:
http://rosie.ripe.net/ripe/meetings/ripe-50/presentations/uploads/Tuesday/ka...
Sorry, correct URL is: http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-a...