North American Network Operators Group


Re: Slashdot: Providers Ignoring DNS TTL?

  • From: Dean Anderson
  • Date: Sat Apr 30 00:24:09 2005

On Mon, 25 Apr 2005, Stephen J. Wilcox wrote:

> So agreeing for a second with Dean that indeed this behaviour would appear to be 
> prohibited or at least inconsistent with the RFCs, the fact is anycast is widely 
> deployed and is proven to be stable.

"vixie-cast" is deployed on around 60 or so root DNS servers.  (don't know
the exact number)  That covers a wide spread of root DNS servers, but I
wouldn't call that 'widely deployed'.  I haven't been able to find any
users of HTTP anycast/'vixie-cast' that Patrick Gilmore referred to.  There
are also very few TCP DNS queries to the roots, so it isn't widely used at
present, and hasn't been widely used in the past. I don't think it can be
claimed that "vixie-cast" has been proven to be stable.  ISC's assertions
of stability at a 2002 Nanog are what probably brought it to Dr.
Bernstein's attention. Those assertions of stability are what's being
challenged. You cannot assume them true.

> Perhaps a solution to this is to look at what would be the best consistent view 
> and to write an RFC to clarify this and obsolete the old ones that produce the 
> inconsistency. I'm not sure what that would look like but that would appear to 
> be a way to eliminate the theoretical problem.

Another solution is to urge OS vendors to implement RFC 1546 TCP anycast.  
In order to use RFC 1546 TCP anycast, it is necessary to implement changes
in all clients that might access TCP anycast servers (as well as in the
servers). This would probably require a long time frame, but still good to
encourage.  It might be easier to require this for IPV6---though I don't
know that it isn't already required for IPV6.

Another solution is not to do Vixie-cast.  This may require clarification
to DNS RFCs to specify that TCP queries will not be made to root DNS
servers.  It was previously thought that DNSSEC would require TCP, but
this isn't the case in the latest round of RFC drafts.  I can't think of
anything else in the pipe that might require TCP DNS queries to root
servers. Non-root servers usually don't need to do anycast, and aren't
required to do TCP.  So one could do anycast without TCP, if one wanted.  
But one ought to know that anycast'ing DNS precludes TCP DNS.

The "vixie-cast" HTTP doesn't *seem* to be widely in use, and there are 
numerous other solutions for HTTP. So simply recommending a halt to that 
would seem to be low-impact.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
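The mechanism behind the claim above (a stateful TCP session on an anycast address breaks if routing shifts to another instance mid-connection, while single-datagram UDP exchanges do not care which instance answers) can be shown with a small simulation. This is an added example, not code from the post or from any of the people or operators it mentions; the "routing table", the site names `site-a`/`site-b`, the addresses from the documentation ranges, and the three-segment TCP exchange are all constructed for illustration, and the routing change stands in for a BGP path change between two anycast sites.

```python
"""Toy model of TCP versus UDP on an anycast service address.

Added example (not from the mailing-list post). The servers, the
'network' and its routing table are constructed; the route change in
the middle of a session models a BGP best-path change between two
anycast instances that do not share connection state.
"""

from dataclasses import dataclass, field

ANYCAST_ADDR = "192.0.2.53"  # constructed anycast address (TEST-NET-1)
CLIENT = "198.51.100.7:40001"  # constructed client endpoint (TEST-NET-2)


@dataclass
class AnycastServer:
    name: str
    # Established TCP flows this instance knows about. Instances do not
    # share this state, which is the whole problem.
    sessions: set = field(default_factory=set)

    def handle_tcp(self, client, segment):
        # Minimal TCP server: a SYN creates state, any later segment for a
        # flow without state is answered with a RST, tearing the session down.
        if segment == "SYN":
            self.sessions.add(client)
            return "SYN-ACK"
        if client in self.sessions:
            return "ACK"
        return "RST"

    def handle_udp(self, client, query):
        # Stateless: each datagram is a complete transaction on its own.
        return f"{self.name}:answer({query})"


class AnycastNetwork:
    """Delivers packets for ANYCAST_ADDR to whichever instance the routing
    table currently prefers."""

    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}
        self.preferred = servers[0].name

    def reroute(self, name):
        # Models a routing change: all subsequent packets go to another site.
        self.preferred = name

    def current(self):
        return self.servers[self.preferred]


def make_network():
    return AnycastNetwork([AnycastServer("site-a"), AnycastServer("site-b")])


def run_tcp_session(net, client=CLIENT, reroute_after=None):
    """Send a SYN followed by two data segments over the anycast address.
    If reroute_after is given, the route flips to site-b before packet
    number reroute_after is sent. Returns the list of server replies."""
    replies = []
    for i, segment in enumerate(["SYN", "DATA", "DATA"]):
        if reroute_after is not None and i == reroute_after:
            net.reroute("site-b")
        replies.append(net.current().handle_tcp(client, segment))
    return replies


def run_udp_queries(net, client=CLIENT, reroute_after=None):
    """Send three independent UDP queries; a route flip merely changes which
    instance answers, and every query still gets a response."""
    replies = []
    for i, query in enumerate(["q1", "q2", "q3"]):
        if reroute_after is not None and i == reroute_after:
            net.reroute("site-b")
        replies.append(net.current().handle_udp(client, query))
    return replies


if __name__ == "__main__":
    print("TCP, stable route:   ", run_tcp_session(make_network()))
    print("TCP, route flips:    ", run_tcp_session(make_network(), reroute_after=1))
    print("UDP, route flips:    ", run_udp_queries(make_network(), reroute_after=1))
```

With a stable route the TCP session completes (`SYN-ACK`, `ACK`, `ACK`); when the route flips after the handshake the second instance has no state for the flow and answers `RST`, whereas the UDP queries are all answered, just by different sites. The model deliberately leaves out what RFC 1546 asks of clients, namely learning a unicast address from the first anycast reply and continuing the session there, which is exactly the client-side change the post says would be needed. For a real deployment the corresponding check is to repeat TCP queries for the instance identity (for example the `hostname.bind` CH TXT name) from one vantage point and watch whether the answering instance stays the same.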