North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

ISP network design of non-authoritative caches

  • From: Sean Donelan
  • Date: Sat Nov 17 05:36:21 2001

I appreciate the redirect, if there is a better list, but
my question is directed at network operators.  namedroppers
is for dns protocols, dnsops is for operators of authoritative
name servers.

The majority of users on today's Internet will never directly
query any root name server, or any other authoritative name
server.  Instead of a set of authoritative servers, the servers
which actually deliver direct DNS service to users/hosts are
non-authoritative, caching servers.  There are more caching,
name servers at the edge of the net than there are Akamai boxes
in the world.

In the late 1980's and early 1990's, when the net was much more
interesting (i.e. flaky, low-bandwidth, expensive circuits) network
operators carefully planning where to place caching-only name servers,
and configuring end-systems to use the appropriate set of servers.
A well-configured set of caching-only name servers can maintain
the illusion of DNS for several hours, even during a network partition
or loss of many authoritative name servers, at least for the "popular"
names.  They work so well, people forget they can still have problems.

During the boom times, ISPs couldn't individually configure millions
of DNS clients.  They generally told subscribers to use two statically
configured name servers, or more recently used DHCP to set them.  Several
national ISPs, including the one I use, with millions of subscribers,
appear to still do this.

We know this isn't good engineering practice, because another national
ISP with millions of subscribers configured their network the same way,
and experienced a multi-hour service disruption affecting most of their
users a couple of years ago when an error blocked access to their two
caching-only, name servers.

There is lots of "best practice" information for configuring authoritative
name servers (including the root and TLDs). The BOG, O'Reilly, DNSOPS,
RFCs, etc.  There are several "managed service" companies which will
maintain authoritative name servers for you.

Although most of this stuff seems obvious, network providers seem
to get bitten by the same obvious things over and over again.
Is there a white paper, best common practice, or book which shows
the naive ISP (whether they have 10 or 10 million subscribers) how
to architect their DNS system?  Medium and large organizations having
firewalls with internal/external DNS, which already includes local
caching.  This seems to be mostly a large, national ISP issue.  By
their nature, small ISP networks tend to have "shared fate" among
all of their systems anyway.