ISP network design of non-authoritative caches
I appreciate the redirect, if there is a better list, but my question is directed at network operators. namedroppers is for dns protocols, dnsops is for operators of authoritative name servers. The majority of users on today's Internet will never directly query any root name server, or any other authoritative name server. Instead of a set of authoritative servers, the servers which actually deliver direct DNS service to users/hosts are non-authoritative, caching servers. There are more caching, name servers at the edge of the net than there are Akamai boxes in the world. In the late 1980's and early 1990's, when the net was much more interesting (i.e. flaky, low-bandwidth, expensive circuits) network operators carefully planning where to place caching-only name servers, and configuring end-systems to use the appropriate set of servers. A well-configured set of caching-only name servers can maintain the illusion of DNS for several hours, even during a network partition or loss of many authoritative name servers, at least for the "popular" names. They work so well, people forget they can still have problems. During the boom times, ISPs couldn't individually configure millions of DNS clients. They generally told subscribers to use two statically configured name servers, or more recently used DHCP to set them. Several national ISPs, including the one I use, with millions of subscribers, appear to still do this. We know this isn't good engineering practice, because another national ISP with millions of subscribers configured their network the same way, and experienced a multi-hour service disruption affecting most of their users a couple of years ago when an error blocked access to their two caching-only, name servers. There is lots of "best practice" information for configuring authoritative name servers (including the root and TLDs). The BOG, O'Reilly, DNSOPS, RFCs, etc. There are several "managed service" companies which will maintain authoritative name servers for you. Although most of this stuff seems obvious, network providers seem to get bitten by the same obvious things over and over again. Is there a white paper, best common practice, or book which shows the naive ISP (whether they have 10 or 10 million subscribers) how to architect their DNS system? Medium and large organizations having firewalls with internal/external DNS, which already includes local caching. This seems to be mostly a large, national ISP issue. By their nature, small ISP networks tend to have "shared fate" among all of their systems anyway.
> During the boom times, ISPs couldn't individually configure millions > of DNS clients. They generally told subscribers to use two statically > configured name servers. Many of them, like us, tell subscribers to use two statically configured _service addresses_ which describe the internal-DNS _service_, and are resident on all customer-facing DNS servers throughout our infrastructure. The only reason to give them two addresses rather than one is to keep the clueless ones from complaining about lack of redundancy. Both addresses are typically hosted on all machines, though. -Bill
On Sat, 17 Nov 2001, Bill Woodcock wrote:
> During the boom times, ISPs couldn't individually configure millions > of DNS clients. They generally told subscribers to use two statically > configured name servers.
Many of them, like us, tell subscribers to use two statically configured _service addresses_ which describe the internal-DNS _service_, and are resident on all customer-facing DNS servers throughout our infrastructure.
Some ISPs do this, its fairly easy to check. It is one of several methods an ISP could use. Is there a paper, book, etc which we could give to ISPs documenting such practices? Or do you have to hire the right consultant, who knows the proper incantation? If you look at some of largest consumer ISPs which outsource much of their infrastructure, they don't have customer-facing servers distributed throughout their infrastructure. Or they distribute customers among the servers using a very unusual algorithm. I'm using Mindspring/Earthlink tonight, and my DNS resolver is using a server in Dallas (if you believe the in-addr.arpa traceroute). Earthlink could intercept the DNS/UDP packets to port 53 and route them differently, but I don't think that's true. Tracing route to ns1.mindspring.com [207.69.188.185] over a maximum of 30 hops: 1 98 ms 88 ms 94 ms arc-6a.oak.mindspring.net [209.86.81.157] 2 95 ms 99 ms 99 ms cisco-g4-0-0.oak.mindspring.net [209.86.81.129] 3 110 ms 103 ms 104 ms cisco-s6-1-0.lax.mindspring.net [207.69.144.34] 4 105 ms 103 ms 104 ms cisco-1-s5-0-1.pas.mindspring.net [209.86.67.10] 5 130 ms 114 ms 119 ms cisco-s1-1-0.phx2.mindspring.net [209.86.67.13] 6 150 ms 159 ms 148 ms cisco-s3-1-1.dal.mindspring.net [209.86.66.173] 7 150 ms 149 ms 149 ms cisco-6-s2-0-0.dal2.mindspring.net [209.86.67.26] 8 150 ms 154 ms 155 ms foundry-5-ve4.dal2.mindspring.net [207.69.217.227] 9 160 ms 154 ms 153 ms ns1.mindspring.com [207.69.188.185] ATT Worldnet appears to have more DNS caching name servers spread around the country, but I get assigned servers in Missouri and DC when I dial into a California POP. The RTT matches a coast to coast trip.
I've always advocated that at least one caching DNS be located in every POP. In the old days, I designed it right into the NAS router(s). In the original IPv6 Neighbor Discovery, the routers announced the DNS, so that it could be in the router or on a separate device. Then, as commercial NAS's became available without DNS built in, and SIP(P) IPv6 didn't take off, I've tried a "service" style using net 10, but it was hard to manage and explain (at least by our entry level support), so I gave up. Ideally, clients would use DHCP INFORM to find the local POP servers. But none of the clients seem to bother. Nowadays, we just give the customers that statically configure a pair of central site servers (still on separate subnets), and configure the NAS's with the local POP server using the bogus M$ PPP options. That seems to cover our users pretty well. If we could agree on a standard service (sometimes called anycast) set of IP addresses, that might work.... All these techniques should be written up in a BCP. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
dnsops is for operators of authoritative name servers.
dnsop (note singular) is for non-protocol, but still technical, aspects of the dns. i am not aware of an ietf wg which limits parcipitation by occupation. if you want cliques, go to icann :-).
Instead of a set of authoritative servers, the servers which actually deliver direct DNS service to users/hosts are non-authoritative, caching servers.
some measurements show a large number of combo servers, i.e. they are authoritative for their local domain(s), say foo.com, but also act as recursive caching servers for the users of a site.
During the boom times, ISPs couldn't individually configure millions of DNS clients. They generally told subscribers to use two statically configured name servers, or more recently used DHCP to set them. Several national ISPs, including the one I use, with millions of subscribers, appear to still do this.
We know this isn't good engineering practice
well, actually, a number of the large providers use many servers at the same v4 anycast address. so they get fairly rich geographic/topologic dispersion, but don't confuse users with a dozen addresses. i consider this reasonably good engineering practice. ymmv. setting up the routing for this is a bit of a hack, but not all that hard. and the magma wg's work may give us some simpler tools.
Is there a white paper, best common practice, or book which shows the naive ISP (whether they have 10 or 10 million subscribers) how to architect their DNS system?
not of which i am aware. wanna help write a dnsop i-d? randy
On Sat, 17 Nov 2001, Randy Bush wrote:
dnsops is for operators of authoritative name servers.
dnsop (note singular) is for non-protocol, but still technical, aspects of the dns. i am not aware of an ietf wg which limits parcipitation by occupation. if you want cliques, go to icann :-).
Thanks for the correction. I read the DNSOP charter and parts of the mailing list archive, and had the misconception the work was focused on authoritative name servers.
Is there a white paper, best common practice, or book which shows the naive ISP (whether they have 10 or 10 million subscribers) how to architect their DNS system?
not of which i am aware. wanna help write a dnsop i-d?
Yes. I didn't want to duplicate work. If it doesn't exist, I can put together at least a few obvious good practices any operator should consider.
Sean Donelan has declared that:
[ ... snip ... ]
Is there a white paper, best common practice, or book which shows the naive ISP (whether they have 10 or 10 million subscribers) how to architect their DNS system?
not of which i am aware. wanna help write a dnsop i-d?
Yes. I didn't want to duplicate work. If it doesn't exist, I can put together at least a few obvious good practices any operator should consider.
Please do (and post thots to nanog). Some of us impaired geeks that lurk about would benefit from the ideas that would surely be generated. Pat M/HW -- #include <std.disclaimer.h> Pat Myrto (pat at rwing dot ORG) Seattle WA "Buy things that increase in value, Lease things that do not." --Rockefeller
Is there a white paper, best common practice, or book which shows the naive ISP (whether they have 10 or 10 million subscribers) how to architect their DNS system? not of which i am aware. wanna help write a dnsop i-d? Yes. I didn't want to duplicate work. If it doesn't exist, I can put together at least a few obvious good practices any operator should consider.
the only work in this area of which i am aware is ripe-192, and that is for a simple leaf site. note that it tool over a year to get consensus on this document, but the authors were kinda busy folk. randy
Is there a white paper, best common practice, or book which shows the naive ISP (whether they have 10 or 10 million subscribers) how to architect their DNS system? not of which i am aware. wanna help write a dnsop i-d?
The first thing is to change your root cache file to contain A.ROOT-SERVERS.ORSC thru M.ROOT-SERVERS.ORSC or the PacRoot servers like CONDOR.TALLSHIP.NET So that your customers can see all of the internet and not just what ICANN wants you to see. There are instructions for ISPs on the website listed below. Its already done. John http://www.adns.net
nanog@adns.net ("John Palmer (NANOG Acct)") writes:
The first thing is to change your root cache file to contain ... or the PacRoot servers like ...
So that your customers can see all of the internet and not just what ICANN wants you to see.
bzeep. nonsequitur. there can only be one root zone. if you change your dns configuration to subscribe to something else, then you're off "the internet" in a technical sense. (that some root-looking zones incorporate all icann data past present and future is merely a testament to the fact that "the internet" means "what the one true official root zone includes", and should not be indicative of some kind off odd "value subtraction service" by a root-like zone publisher.)
On 18 Nov 2001, Paul Vixie wrote:
nanog@adns.net ("John Palmer (NANOG Acct)") writes:
The first thing is to change your root cache file to contain ... or the PacRoot servers like ...
So that your customers can see all of the internet and not just what ICANN wants you to see.
bzeep. nonsequitur. there can only be one root zone. if you change your dns configuration to subscribe to something else, then you're off "the internet" in a technical sense. (that some root-looking zones incorporate all icann data past present and future is merely a testament to the fact that "the internet" means "what the one true official root zone includes", and should not be indicative of some kind off odd "value subtraction service" by a root-like zone publisher.)
Sorry to burst your reality distortion bubble Paul, but there are a very large number of us who don't consider ICANN to be either representative of our best interests, nor the ultimate authority on "the Internet". -- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
On Sun, 18 Nov 2001 measl@mfn.org wrote:
Sorry to burst your reality distortion bubble Paul, but there are a very large number of us who don't consider ICANN to be either representative of our best interests, nor the ultimate authority on "the Internet".
And there are a large number of trolls and horse beaters on this list also. Let us not fall into the dnsroot and email filtering hellholes yet again. Please... andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
At 01:14 PM 11/18/01 -0800, Paul Vixie wrote:
nanog@adns.net ("John Palmer (NANOG Acct)") writes:
So that your customers can see all of the internet and not just what ICANN wants you to see.
bzeep. nonsequitur. there can only be one root zone.
Nonsense. BCP32 (RFC 2606) specifically alters a root zone by adding reserved TLDs. How many combinations of the root does that provide for? And RFC2826 has been clarified here on the Nanog list as "one root at a time" and not mixing multiple roots. OK by me, but at some point sanity should prevail and that running code and rough consensus demands the peering of non-conflicting TLDs for everyone's benefit. It's a common practise in other spaces, so why not in the DNS space? I don't understand the "my way or the highway" mentality. http://www.ietf.org/internet-drafts/draft-higgs-virtual-root-00.txt
if you change your dns configuration to subscribe to something else, then you're off "the internet" in a technical sense.
Nonsense. I've not used the legacy root since I proposed the shared-TLD model (and explained it to Postel) back in 1995/6 (FYI, the last version of the Internet Draft is at the IAHC website). Everytime Verisign/NSI screws up the .COM glue I don't notice a thing. Something to be said for that. At least one ICANN board member recognizes the limitations under ROOT-SERVERS.NET and chooses another root for service. I don't blame 'em.
(that some root-looking zones incorporate all icann data past present and future is merely a testament to the fact that "the internet" means "what the one true official root zone includes", and should not be indicative of some kind off odd "value subtraction service" by a root-like zone publisher.)
F.ROOT-SERVERS.NET is a "value subtraction service". It misses published portions of the name space - so if you use it, it is of limited value. I can reach twice as many TLDs elsewhere. Oh yeah. It's "stable". I forgot. What ticks me off is the zero-sum game being played. Anyone saying "there can only be one root zone" and supporting a closed and non-inclusive root is playing a zero sum game. "We win, you lose" is not the spirit of the internet, running code and rough-consensus. Best Regards, Simon -- "You can't vote on facts" - Brian Carpenter
At 01:14 PM 11/18/01 -0800, Paul Vixie wrote:
nanog@adns.net ("John Palmer (NANOG Acct)") writes:
So that your customers can see all of the internet and not just what ICANN wants you to see.
bzeep. nonsequitur. there can only be one root zone.
Nonsense. BCP32 (RFC 2606) specifically alters a root zone by adding
s/a/the/
F.ROOT-SERVERS.NET is a "value subtraction service". It misses published portions of the name space - so if you use it, it is of limited value. I can reach twice as many TLDs elsewhere. Oh yeah. It's "stable". I forgot.
F publishes whatever the zone's owner has edited into it. Never more or less.
What ticks me off is the zero-sum game being played. Anyone saying "there can only be one root zone" and supporting a closed and non-inclusive root is playing a zero sum game. "We win, you lose" is not the spirit of the internet, running code and rough-consensus.
I'm making no arguments (at this time and in this place, at least) for one single-owner versus another. However, there's only one real root zone at any given moment, according to DNS's specification and at least one implementation. One expects that an argument as to who that single owner ought to be is welcome somewhere (other than nanog, that is), but any argument about how many different actual root zones there can be would not be welcome at all (except, I guess, if you're IPv8-connected.) "What ticks me off" is the folks who want the owner/contents of the root zone to be different than they are, and who therefore offer up completely bizarre misinterpretations of hard technical fact in order to support a de-facto ownership change (by changing one to many rather than arguing about the one.) If you don't like ICANN, fine, there's a mailing list somewhere and you ought to go make yourself heard on it. But don't pervert DNS, fragile and perverse as it already is, in order to make or avoid various political realities.
(subject rename with apologies to Peter, Paul, and Mary)
Date: 18 Nov 2001 19:23:37 -0800 From: Paul Vixie <vixie@vix.com>
However, there's only one real root zone at any given moment, according to DNS's specification and at least one implementation.
Tired of domain inavailability? Burned by a scalper? Use us as your root, and buy domains from me! Get any domain that you really want! Once we start down the slippery slope of "I'm a root too", how many different ad hoc DNS "universes" (for lack of better term) must we have before we decide that things are "broken"? I'd hazard a guess that 99.9% of Internet users want things to "just work" cohesively and consistently. Crimony, users of a certain "get 1000 hours free your first month"[*] service have troubles realizing that ".com" is not optional and automatically assumed. I've seen countless people enter domain names in search boxes, not realizing the difference between a search engine input and an URL! [*] Lest I get reminded how many hours are in a month, I know. Note quotes. Interpret referenced text seriously at your own risk. May cause drowsiness. Maintaining a single, authoritative root seems, IMHO, to be a Good Thing. Given multiple registries, namespace collisions would get ugly -- and, even in the absence of collisions, let us consider "reachability" issues. This isn't a question of "I like ICANN" or not... it's a question of the system. Do people decide that they like or dislike our system of government based solely on specific elected officials? (I suppose that some do, and this will open a tangent thread, but I presently can't think of a better analogy.) Cheap domains from the EverQuick root! Guaranteed to work at a handful of local dialups and dedicated-line customers! :-) I think that I'll start handing out ASNs and IP space, too... Eddy --------------------------------------------------------------------------- Brotsman & Dreger, Inc. - EverQuick Internet Division Phone: +1 (316) 794-8922 Wichita/(Inter)national Phone: +1 (785) 865-5885 Lawrence --------------------------------------------------------------------------- Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
On Mon, 19 Nov 2001, E.B. Dreger wrote: <snip>
Once we start down the slippery slope of "I'm a root too", how many different ad hoc DNS "universes" (for lack of better term) must we have before we decide that things are "broken"?
I'm pretty sure that if you were to ask most of us who use alternative roots, the reason would be that we are, in our own little way, trying to "fix" the DNS by doing so. In my case, I believe that ICANN is totally corrupt, *completely* oblivious [by choice] of how their corruption impacts the real world, and finally, that because of this deeply entrenched corruption, the DNS is de-facto "broken".
I'd hazard a guess that 99.9% of Internet users want things to "just work" cohesively and consistently.
I agree completely, and it is this belief that seems to be missing at ICANN. Unless of course a system can be set up whereby ICANN is the sole financial recipient of the fruits of this consistency: then ICANN can be most cooperative in "working for the public good". <snip>
Maintaining a single, authoritative root seems, IMHO, to be a Good Thing.
I agree totally. Pity we can't get ICANN to go along with this without forking over our life's savings and bribes^H^H^H^H^H^H donations of our first borns, huh?
Given multiple registries, namespace collisions would get ugly -- and, even in the absence of collisions, let us consider "reachability" issues.
I agree with all of this, but the issue is moot in my book: Since ICANN felt the need to either own the world or break it, I went elsewhere. So did a LOT of others. Look at the mass exodus from NS/Verisign - same issues. IMNSHO, ICANN cares not a rats a@@ about the internet, they are only interested in the money and the power. That makes their "positions" totally meaningless to me, and a lot of others who feel the same way.
This isn't a question of "I like ICANN" or not... it's a question of the system. Do people decide that they like or dislike our system of government based solely on specific elected officials?
No, but at least our [deeply flawed and bleeding] system keeps the *pretense* of following the laws of the land. As for your inference that the ICANN folken are all "elected" officials...
Cheap domains from the EverQuick root! Guaranteed to work at a handful of local dialups and dedicated-line customers! :-)
Oh, didn't you hear? EverQuick *also* includes the records of it's largest competitor, so you can go to ALL of the places you wanted, not just the ones that live on EverQuik.
I think that I'll start handing out ASNs and IP space, too...
It's called subdelegation. Go for it. Totally different system, which for the most part works. (Yes, there are flaws there too, but...)
Eddy
-- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
On Mon, Nov 19, 2001, measl@mfn.org wrote:
I agree with all of this, but the issue is moot in my book: Since ICANN felt the need to either own the world or break it, I went elsewhere. So did a LOT of others. Look at the mass exodus from NS/Verisign - same issues. IMNSHO, ICANN cares not a rats a@@ about the internet, they are only interested in the money and the power. That makes their "positions" totally meaningless to me, and a lot of others who feel the same way.
You know, I'm sick of hearing that some particular part of the internet "governance" (be it ICANN, ARIN, AuDA, APNIC..) is corrupt, doesn't give a rats ass about the internet, cares about money, power .. Hey. If you were in their position, * what would you have had to do to get there, * what would you have to do to stay there, and * what would you do to make it work reasonably well? Helllllooo! Money is involved. Of course in a capitalist setup you're going to feel this way. The wealth isn't "evenly spread enough". Just like any other mega-monopolostic-guaranteed-income organisation. Sigh. (Personally, I wish to all hell that part of the DNS registration fees still went to "research funds" like they were _supposed_ to way back when.) Do you want to change it? * write/adapt an existing directory technology to replace the really stupid flat namespace DNS has become * write a plugin for IE * write modules for the other popular browsers (w3m, links, lynx, netscape/mozilla, perhaps even Opera if you can figure it out..) * don't turn it into a bloody private thing - open source the software, write the protocol documentation, encourage other people to work on collectively making it better. * Come back to the internet community with it. :) The new.net guys, even though I (a) don't wish to bring them up in polite NANOG conversation and (b) don't agree with what they were trying to do with the DNS space at -LEAST- attempted to gather momentum by end-user adoption/acceptance. It doesn't have to be perfect. It just has to be "catchy". Adrian -- Adrian Chadd "Auntie Em, Hate you. Hate Kansas. <adrian@creative.net.au> Taking the dog." -- Dorothy
On Tue, 20 Nov 2001 00:23:11 +0800, Adrian Chadd said:
* write a plugin for IE * write modules for the other popular browsers (w3m, links, lynx, netscape/mozilla, perhaps even Opera if you can figure it out..)
The Internet is not the Web. Proof: This mailing list. -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
On Mon, Nov 19, 2001, Valdis.Kletnieks@vt.edu wrote:
On Tue, 20 Nov 2001 00:23:11 +0800, Adrian Chadd said:
* write a plugin for IE * write modules for the other popular browsers (w3m, links, lynx, netscape/mozilla, perhaps even Opera if you can figure it out..)
The Internet is not the Web.
Proof: This mailing list.
Yes, but I don't see the majority of the "DNS problems" people complain about stemming from IRC servers, or even email addresses. Its a "corporate identity" thing, or at least it seems like its being marketed that way to me. But yes, you're right - any neo-DNS solution should also take into account other "things" such as email. Think "service location" and "service searching/indexing" rather than "website keyword". Adrian -- Adrian Chadd "Auntie Em, Hate you. Hate Kansas. <adrian@creative.net.au> Taking the dog." -- Dorothy
On Sun, 18 Nov 2001 17:56:44 PST, Simon Higgs said:
prevail and that running code and rough consensus demands the peering of non-conflicting TLDs for everyone's benefit. It's a common practise in
Hmm.. "non-conflicting". Let's think about this for a moment. Let's assume we have 3 TLD managment groups called A, B, and C. In order for there to be non-conflicting roots, A, B, and C have to enter into some sort of agreement that if A registers a TLD .frobozz, that B and C will promise to not register a conflicting definition of said TLD. So what we really have here is (A+B+C) functioning as a single root, but A, B, and C individually publishing only a subset of the root to their customers (although why the customers want a value-subtracted view of the DNS is beyond me). So, to name names - if the ORSC crew and the ICANN crew were to collaborate on a non-conflicting definition of "the root", then the composite of the two of them would be a root, with each feeding only a subset to their customers. Of course, such collaboration is *NOT* happening in the real world, so we *will* eventually see a conflict. It will probably happen the first time ICANN allocates a new TLD that ORSC carries, but nominates a different registrar or a different server on the NS record for the TLD. -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
At 11:13 AM 11/19/01 -0500, Valdis.Kletnieks@vt.edu wrote:
On Sun, 18 Nov 2001 17:56:44 PST, Simon Higgs said:
prevail and that running code and rough consensus demands the peering of non-conflicting TLDs for everyone's benefit. It's a common practise in
Hmm.. "non-conflicting". Let's think about this for a moment.
Let's assume we have 3 TLD managment groups called A, B, and C. In order for there to be non-conflicting roots, A, B, and C have to enter into some sort of agreement that if A registers a TLD .frobozz, that B and C will promise to not register a conflicting definition of said TLD.
So what we really have here is (A+B+C) functioning as a single root, but A, B, and C individually publishing only a subset of the root to their customers (although why the customers want a value-subtracted view of the DNS is beyond me).
Most alt.roots started off in order to support a specific set of TLDs which were supplemental to the legacy root. The legacy root was used as a baseline, and for whatever reason, the TLDs in question were not able to be added directly to the legacy root. So root A publishes the legacy root plus .FOO, and root B publishes the legacy root plus .BAR - and remember this occurred totally independently. Later, these roots discover each other and decide it would be easier for all their users if they peered their non-conflicting TLDs. So root A adds a stub for .BAR and root B adds a stub for .FOO. OK so far. But this doesn't address conflicts.
So, to name names - if the ORSC crew and the ICANN crew were to collaborate on a non-conflicting definition of "the root", then the composite of the two of them would be a root, with each feeding only a subset to their customers.
In the unlikely event this happens, it needs to be a true peering where ORSC publishes all the non-conflicting ICANN TLDs in its zone, and ICANN publishes all the non-conflicting ICANN TLDs in its zone. Any conflicting TLDs are noted by which zone is used. Ideally, the goal is zero collisions. You know, "rough code" and "running consensus" and good stuff like that. ;-) This type of cooperation exists outside of the legacy root. Just not inside it. :-(
Of course, such collaboration is *NOT* happening in the real world, so we *will* eventually see a conflict. It will probably happen the first time ICANN allocates a new TLD that ORSC carries, but nominates a different registrar or a different server on the NS record for the TLD.
You're right. But ICANN has already done this. The conflict already exists. The collider is .BIZ and it was introduced by ICANN a few months ago. In addition, moving .US to the ICANN .BIZ name servers only screws things up worse. Even ICANN's Karl Auerbach has already noticed the cache pollution problems. If you use a name server within .US, your cache will eventually be polluted. I say let it break, but folks in the ORSC think they can stop the NS pollution at least within ORSC, which just lets ICANN's uncooperative behavior continue to go unnoticed by the masses. Best Regards, Simon -- ###
--On Saturday, 17 November, 2001 4:48 AM -0500 Sean Donelan <sean@donelan.com> wrote:
We know this isn't good engineering practice, because another national ISP with millions of subscribers configured their network the same way, and experienced a multi-hour service disruption affecting most of their users a couple of years ago when an error blocked access to their two caching-only, name servers.
You mean there are national ISPs out there, who have exactly 2 caching nameservers, as opposed to configure their clients with 2 IP addresses (perhaps always the same 2) which perform name resolution? Wow. Is this some sort of retro fashion? -- Alex Bligh Personal Capacity
On Sun, Nov 18, 2001 at 10:19:22AM -0000, Alex Bligh wrote:
--On Saturday, 17 November, 2001 4:48 AM -0500 Sean Donelan <sean@donelan.com> wrote:
We know this isn't good engineering practice, because another national ISP with millions of subscribers configured their network the same way, and experienced a multi-hour service disruption affecting most of their users a couple of years ago when an error blocked access to their two caching-only, name servers.
You mean there are national ISPs out there, who have exactly 2 caching nameservers, as opposed to configure their clients with 2 IP addresses (perhaps always the same 2) which perform name resolution? Wow. Is this some sort of retro fashion?
Yes, there are. No, it's not fashion. Though it's about as foolish. Names avoided to prevent NDA lawsuits. You can fill in the blanks. -- *************************************************************************** Joel Baker System Administrator - lightbearer.com lucifer@lightbearer.com http://users.lightbearer.com/lucifer/
participants (16)
-
Adrian Chadd -
Alex Bligh -
Andy Walden -
Bill Woodcock -
E.B. Dreger -
Joel Baker -
John Palmer (NANOG Acct) -
Mathias Koerber -
measl@mfn.org -
Pat Myrto -
Paul Vixie -
Randy Bush -
Sean Donelan -
Simon Higgs -
Valdis.Kletnieks@vt.edu -
William Allen Simpson