Someone has suggested 'anycasting'. What do people (particularly you, Paul) think of using anycasting for a DNSbl? (AS112, anyone?)
unowned anycast, such as that used in as112, is only possible when the replies have no value (and thus need not be synchronized or centrally authorized.) conversely, unowned anycast only adds value if the replies really ought to be sent anonymously. in the case of sorbs, you can enumerate authorized servers and thus get better management and control than you would with unowned anycast. now, that doesn't mean anycast per se is a bad idea for sorbs. it's just that you'd want to own or at least "manage and control" each instance. this is what we do for f-root and it's what ultradns and nominum and i think akamai have been doing for some years now.
I think it may work well... however, I am a novice in terms of BGP... As far as I can tell it involves getting a portable address block (someone suggested anything less than a /24 would get filtered) and announcing it in various locations around the Net with local servers behind each of those announcements... is this fundamentally correct?
yes. see http://www.isc.org/tn/ for some background materials on all this.
Assuming I am right in my current understanding, I am about to start looking at the procedure to get an ASN, and then I'll be looking for some portable IP space if the consensus and thoughts are that this will work. I am thinking along the lines of talking with the other large DNSbls (particularly Easynet (wirehub) and DSBL) about setting up a set of combined DNSbl servers, all anycast'd. This, after all, will bring any DDoS machines to the attention of the local networks they are attacking.... ;-)
putting multiple dnsbl's on the same /24 sounds like a lot of eggs for only one basket. among the root server operators, we like to chant that "diversity is good".
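The two points raised above, that each anycast instance has to be managed and withdrawn individually, and that several DNSbls sharing one /24 all fail together, can be illustrated with a small model. The following Python is an added example written for this page; it is not code from the thread, from SORBS, or from any root-server or ISC deployment. The site names, AS-path lengths, zone names and the RFC 5737 documentation prefixes (192.0.2.0/24, 198.51.100.0/24) are all constructed, and the "longer than /24 gets filtered" rule is taken from the question in the thread as a rule of thumb, not as a universal BGP policy.

```python
"""Toy model of an anycast DNSbl deployment.

Constructed example: several sites announce the same /24 and each runs a
local DNS instance. A site must stop announcing the prefix when its local
daemon fails, otherwise BGP keeps steering clients into a dead instance.
Zones spread across more than one prefix survive the loss of one prefix.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Rule of thumb quoted in the thread: announcements longer than /24 tend to
# be filtered by transit providers (assumption, not a standard).
MAX_PREFIXLEN = 24


@dataclass
class Site:
    name: str
    prefix: str                       # the anycast block this instance announces
    healthy: bool                     # result of the local DNS liveness probe
    path_len: Dict[str, int] = field(default_factory=dict)  # AS-path length seen per vantage


def announceable(prefix: str) -> bool:
    """True if the block is a valid network no longer than MAX_PREFIXLEN."""
    net = ipaddress.ip_network(prefix, strict=True)
    return net.prefixlen <= MAX_PREFIXLEN


def announced(sites: Sequence[Site]) -> List[Site]:
    """Sites that should currently have their route in the table.

    An instance whose health probe fails withdraws its announcement; this is
    the per-instance 'manage and control' step, and the main operational
    difference from unowned anycast.
    """
    return [s for s in sites if s.healthy and announceable(s.prefix)]


def select_site(sites: Sequence[Site], prefix: str, vantage: str,
                filtered: Sequence[str] = ()) -> Optional[str]:
    """Which instance of `prefix` a resolver at `vantage` lands on.

    Shortest AS path wins (BGP's usual deciding factor here); ties break on
    name so the result is deterministic. `filtered` models a prefix that is
    unreachable from this vantage altogether (an outage, hijack or filter).
    """
    if prefix in filtered:
        return None
    cands = [s for s in announced(sites)
             if s.prefix == prefix and vantage in s.path_len]
    if not cands:
        return None
    return min(cands, key=lambda s: (s.path_len[vantage], s.name)).name


def reachable_zones(zone_prefix: Dict[str, str], sites: Sequence[Site],
                    vantage: str, filtered: Sequence[str] = ()) -> Dict[str, Optional[str]]:
    """Map each DNSbl zone to the instance that serves it, or None if unreachable."""
    return {zone: select_site(sites, prefix, vantage, filtered)
            for zone, prefix in zone_prefix.items()}


def with_failed(sites: Sequence[Site], name: str) -> List[Site]:
    """Copy of `sites` with one instance's health probe failed."""
    return [Site(s.name, s.prefix, s.healthy and s.name != name, dict(s.path_len))
            for s in sites]


# Constructed deployment: three instances of one anycast /24 plus a second /24.
SITES = [
    Site("lon", "192.0.2.0/24", True, {"eu": 1, "us": 3}),
    Site("nyc", "192.0.2.0/24", True, {"eu": 3, "us": 1}),
    Site("syd", "192.0.2.0/24", True, {"eu": 4, "us": 3}),
    Site("ams", "198.51.100.0/24", True, {"eu": 2, "us": 3}),
]

# Two constructed zone layouts: everything in one /24, or spread across two.
ZONES_ONE_BASKET = {"dnsbl.example": "192.0.2.0/24", "list.example": "192.0.2.0/24"}
ZONES_DIVERSE = {"dnsbl.example": "192.0.2.0/24", "list.example": "198.51.100.0/24"}

if __name__ == "__main__":
    print("eu normally reaches:", select_site(SITES, "192.0.2.0/24", "eu"))
    print("eu after lon fails: ", select_site(with_failed(SITES, "lon"), "192.0.2.0/24", "eu"))
    outage = ("192.0.2.0/24",)
    print("one basket, /24 gone:", reachable_zones(ZONES_ONE_BASKET, SITES, "eu", outage))
    print("diverse, /24 gone:   ", reachable_zones(ZONES_DIVERSE, SITES, "eu", outage))
```

Run as a script, the model shows the European vantage moving from lon to nyc once lon withdraws, and that the loss of the shared /24 takes every zone in the single-basket layout down while the diverse layout keeps list.example answering from ams. A real deployment replaces the `healthy` flag with an actual probe of the local daemon that drives the route announcement.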
participants (1)
-
Paul Vixie