North American Network Operators Group


Re: possible ORG problems, maybe?

  • From: Rodney Joffe
  • Date: Thu Oct 16 08:35:08 2003


Randy Bush wrote:

> and what assurance do you have that the traceroute is to the same
> server to which the original query failed?
> 
> difficulty debugging anycast dns was the major reason for scepticism
> re anycast auth servers.

You're right, Randy. However, things are never black or white.  In a
non-anycast implementation, a typical failure like this would not
immediately tell which of the masters or slaves was at fault, if any.
The application would just fail. When troubleshooting began, there would be
no guarantee which slave was queried originally.

However as the dns was walked, if indeed a server had a problem, in a
non-anycast implementation you could tell which server ip address had
the problem. But you could not always tell which actual machine had a
problem if it was behind a load balancer of any kind, something
increasingly common in large installations.

Anycast is no different.

Notwithstanding all of this, it would appear that given the large scale
ddos attacks against networks, and dns in particular over the last year,
an anycast implementation is the *only* way that dns has a chance of
surviving. So hopefully you'll be involved actively and positively in
the dns WG in developing some BCPs and standards for operating anycast
implementations, rather than dismissing anycast out-of-hand.

In terms of UltraDNS, we try to make it easier by having the following
two records on every server:

dig @[UltraDNS Anycast name or ip address] whoareyou.ultradns.net A
and
dig @[UltraDNS Anycast name or ip address] whoami.ultradns.net A

where whoareyou.ultradns.net provides the unique ip address of the
machine being queried, and whoami.ultradns.net provides the ip address
of the machine doing the querying (so that a user querying a recursive
server can identify which recursive server is actually querying the
UltraDNS server).

Dan Senie has suggested the inclusion of a TXT record with the same data
so that the actual ip address of the actual server that responded to the
query that had a problem was available. Certainly more standardized and
elegant, but a subject for the WG mailing lists.

I believe that there is an anycast tutorial or session in Chicago, if
anyone wants to weigh in.

-- 
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(R)
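The whoareyou/whoami lookups described in the post above, worked through as an added example. This is editor-supplied code, not Rodney Joffe's or UltraDNS's: it builds the two A queries on the wire with nothing but the Python standard library, decodes the single A record that each name returns, and refuses an answer whose transaction ID does not match or whose RCODE is non-zero, which is exactly the failure a troubleshooter wants to record alongside the instance address. The only names it relies on are the two record names from the post; the anycast target address 192.0.2.53 is a placeholder from the documentation range, not a real UltraDNS address, and build_a_response() is a constructed reply used so the parser can be exercised offline.

```python
"""Added example: identify which anycast DNS instance answered, and which
source address it saw, using the whoareyou/whoami A records from the post.
Pure stdlib; only identify_instance() needs the network."""
import socket
import struct

# Record names from the post. The server address is an ASSUMED placeholder
# (RFC 5737 documentation range), not an actual UltraDNS anycast address.
WHOAREYOU = "whoareyou.ultradns.net"
WHOAMI = "whoami.ultradns.net"
ASSUMED_ANYCAST_SERVER = "192.0.2.53"


def build_query(qname, txid=0x1234):
    """Encode a standard A/IN query with RD=0, as a resolver asks an auth server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_answers(msg, expected_txid=None):
    """Return the IPv4 addresses in the answer section. A mismatched ID or a
    non-zero RCODE raises ValueError, the condition worth logging as a failure."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def identify_instance(server=ASSUMED_ANYCAST_SERVER, timeout=2.0):
    """Ask one anycast address both questions (network required) and return
    {'answered_by': [instance ip], 'seen_from': [ip the instance saw us as]}."""
    result = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for key, name in (("answered_by", WHOAREYOU), ("seen_from", WHOAMI)):
            txid = 0x1000 + len(result)
            s.sendto(build_query(name, txid), (server, 53))
            msg, _ = s.recvfrom(512)
            result[key] = parse_a_answers(msg, txid)
    return result


def build_a_response(query, addr):
    """CONSTRUCTED reply for offline use: echoes the question, sets QR and AA,
    and answers with one A record whose owner is a pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(addr)
    return header + question + answer


if __name__ == "__main__":
    try:
        print(identify_instance())
    except OSError as exc:
        print("no answer from", ASSUMED_ANYCAST_SERVER, ":", exc)
```

Run it against each of your recursive servers and against the anycast address directly: the whoareyou answer pins down the physical instance, and comparing the whoami answer from a recursive server with the resolver's expected egress address shows whether a load balancer or NAT in front of it is what the anycast node actually sees, which is the ambiguity the post says exists whether or not anycast is in use.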