Anycast DNS [some tech] was RE: [dnsop] [dean@av8.com: Mismanagement of the DNSOP list]
Dean Anderson <dean@av8.com> Wed, 28 September 2005 09:50 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKYZq-0004et-Vt; Wed, 28 Sep 2005 05:50:14 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKYZo-0004ej-LN; Wed, 28 Sep 2005 05:50:12 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA25507; Wed, 28 Sep 2005 05:50:10 -0400 (EDT)
Received: from cirrus.av8.net ([130.105.36.66]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EKYhF-0007lR-CP; Wed, 28 Sep 2005 05:57:53 -0400
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id j8S9nv3u011127 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 28 Sep 2005 05:50:02 -0400
Date: Wed, 28 Sep 2005 05:49:57 -0400
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@cirrus.av8.net
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
In-Reply-To: <198A730C2044DE4A96749D13E167AD375A2B8B@MOU1WNEXMB04.vcorp.ad.vrsn.com>
Message-ID: <Pine.LNX.4.44.0509280445230.2370-100000@cirrus.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 2.7 (++)
X-Scan-Signature: 057ebe9b96adec30a7efb2aeda4c26a4
Cc: Tim Bray <tbray@textuality.com>, IESG <iesg@ietf.org>, ietf@ietf.org
Subject: Anycast DNS [some tech] was RE: [dnsop] [dean@av8.com: Mismanagement of the DNSOP list]
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
On Tue, 27 Sep 2005, Hallam-Baker, Phillip wrote: > > > From: Dean Anderson [mailto:dean@av8.com] > > > It is not DNSSEC that is broken. > > Anycast has been deployed for four years. I think it is three years. But it has been controversial from the start. > Any change to the DNS infrastructure that is incompatible with use of anycast > is not acceptable and will not be deployed. I don't think you get to make that demand. Or rather, I don't think you get to impose that demand. But Root server operators have to comply with RFC2870. RFC2870 does get imposed. > Anycast significantly improves the response time and the robustness of > DNS operations and allows operations to be made more scalable and run > more economically. This is not true, either. But it is yet another Nanog legend. I've analyzed this in detail previously. But I'm not going to get into it in detail now. Here's the short answer: The following is predicated on BGP anycasting (without PPLB), in which a subset of clients talk to only one anycast instance. If you do Lan anycasting, the analysis is similar, but not exactly the same. Response time: Response time is primarily dependent on network latency. This has nothing to do with choice of anycast or unicast. Robustness, scalability: If you have only 4 servers to configure, then 4 unique IP address better distribute load than 4 anycast servers on the same IP. Given the same resources, A DOS against a single IP is more effective than a DOS distributed against 4 IPs. With unicast servers, all 4 servers have to go down before service is cut to clients. Nor is anycast more robust for DOS: suppose the DOS is sufficient to take down 2 servers of 4 anycast. All of clients of those 2 servers with be out of service. This may not be half of the clients because load isn't evenly distributed. It may be more than half, or less than half. So, more servers with unique IP addresses is better. Does it get better if you take your 4 servers and make 2 IPs with 2 Anycast each? No. Because a DOS only has to divide its resources in half, instead of by fout. Given our same premise, that they can take out 2 servers, they attack each anycast server and take out one for each IP. This will affect something like 25% of the clients with a total outage (but again, not exactly, because load isn't distributed evenly. The number of servers in this analysis can be 13, 26, 52, etc. With fewer than 13 servers, we can easily have 13 IP addresses. With more than 13 servers, people think they have no option but anycast. There are alternatives. > Core DNS is subject to continuous DDoS attacks. Without anycast there is > a possibility that at some point in the future it might not be possible > to support the bandwidth needed to defeat these attacks. We'll have to deal with that in the future. I think it would be better to find a way to allow more than 13 root servers. There are several ways to do that: allow an EDNSO or perhaps a truncated response, or limit authoritive data from the root response. so one would have more than 13 servers in the nameserver root hints but only 13 in the authoritive response. As long as the responding server is in the authoritative list, the resolver and cache should have no problems. Those caches that overwrite the in-memory hints with the authoritive response would then be limited to a subset of only 13 servers. But this isn't a bad thing. There are a number of things that can be worked out to have allow more than 13 servers without breaking DNS. But of course, its also possible to build bigger servers. Anycast is not the only solution to DDOS attacks. > The DNS has operated successfully without DNSSEC up to this point. The > onus is always on those proposing a change to work within the deployed > infrastructure. Well, thats one view. There are other views about the operation of DNS up to this point, with respect to Anycast Extension. Since the Anycast Extension isn't approved, the onus seems to be on root server operators to use approved practices. The deployment of unworkable technology seems to go against the view of "successfully operated". > The DNSSEC spec makes several proposals that appear to address the > packet fragmentation issue. If you think these are inadequate you should > explain why. I have explained. You just don't seem to understand. DNSSEC can't address the problem. Its at a layer below DNSSEC. The problem has nothing to do specifically with DNSSEC in any way that DNS could possibly change. --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000 _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- RE: [dnsop] [dean@av8.com: Mismanagement of the D… Hallam-Baker, Phillip
- Re: delegating (portions of) ietf list disciplina… Marshall Eubanks
- Re: delegating (portions of) ietf list disciplina… Brian E Carpenter
- [dean@av8.com: Mismanagement of the DNSOP list] David Kessens
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nicholas Staff
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Steven M. Bellovin
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nicholas Staff
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Dean Anderson
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Dean Anderson
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… bill
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… David Kessens
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Brian E Carpenter
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Tim Bray
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Dave Crocker
- RE: [dnsop] [dean@av8.com: Mismanagement of the D… Hallam-Baker, Phillip
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Dean Anderson
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Dean Anderson
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Dean Anderson
- RE: [dnsop] [dean@av8.com: Mismanagement of the D… Dean Anderson
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Steven M. Bellovin
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Wijnen, Bert (Bert)
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… John Leslie
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- delegating (portions of) ietf list disciplinary p… Dave Crocker
- Procedures for the IETF list (RE: [dean@av8.com: … Harald Tveit Alvestrand
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… C. M. Heard
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… JFC (Jefsey) Morfin
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Robert Elz
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Steven M. Bellovin
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… wayne
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Bill Sommerfeld
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Stephen Sprunk
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… usphoenix
- RE: [dean@av8.com: Mismanagement of the DNSOP lis… Nick Staff
- RE: delegating (portions of) ietf list disciplina… Nick Staff
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Dean Anderson
- Re: delegating (portions of) ietf list disciplina… Theodore Ts'o
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… Brian E Carpenter
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Dean Anderson
- Re: delegating (portions of) ietf list disciplina… Dean Anderson
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Kevin Loch
- Anycast DNS [some tech] was RE: [dnsop] [dean@av8… Dean Anderson
- Re: delegating (portions of) ietf list disciplina… Brian E Carpenter
- Re: delegating (portions of) ietf list disciplina… JFC (Jefsey) Morfin
- Re: [dean@av8.com: Mismanagement of the DNSOP lis… JFC (Jefsey) Morfin
- Re: delegating (portions of) ietf list disciplina… Michael Thomas
- Re: delegating (portions of) ietf list disciplina… Scott W Brim
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Dave Crocker
- Re: delegating (portions of) ietf list disciplina… Alexis Turner
- RE: [dnsop] [dean@av8.com: Mismanagement of the D… Thomas Gal
- RE: delegating (portions of) ietf list disciplina… Thomas Gal
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… grenville armitage
- RE: [dnsop] [dean@av8.com: Mismanagement of the D… Thomas Gal
- Re: delegating (portions of) ietf list disciplina… Dave Crocker
- RE: delegating (portions of) ietf list disciplina… Nick Staff
- Minority opinions [Re: [dean@av8.com: Mismanageme… Brian E Carpenter
- Re: [dnsop] [dean@av8.com: Mismanagement of the D… Dean Anderson
- RE: delegating (portions of) ietf list disciplina… Dean Anderson
- Re: Minority opinions [Re: [dean@av8.com: Mismana… JFC (Jefsey) Morfin
- RE: Minority opinions [Re: [dean@av8.com: Mismana… Thomas Gal
- RE: delegating (portions of) ietf list disciplina… Nick Staff
- Re: delegating (portions of) ietf list disciplina… grenville armitage
- Re: delegating (portions of) ietf list disciplina… Theodore Ts'o
- RE: delegating (portions of) ietf list disciplina… Nick Staff