Anycast 101

Paul Vixie paul at vix.com
Mon Dec 20 16:32:58 UTC 2004


> [Warning: I've never actually deployed an anycast DNS setup so you are
> free to ignore my message.]

i'm not ignoring you because you raised two important issues.

> > 1. There should always be non-anycast alternatives
> 
> I believe there is a strong consensus about that. And therefore a
> strong agreement that ".org" is seriously wrong.

i believe that icann/afilias/ultradns would be very receptive to input
from the ietf-dnsop wg on this topic.  but it's not cut and dried -- if
you have two widely anycast'd servers plus one non-anycast server "just
in case something bad happens to anycast" you're doing two questionable
things: (1) treating anycast as new/unstable/experimental which it's not,
and (2) limiting your domain's availability to the strength of that one
non-anycast server.

in the root server system we're about half anycast and half not, at the
maximum practical NS RRset size, which as you certainly know, is 13.  if
.ORG's NS RRset were to be changed to include non-anycast nodes, i'd hope
for 11 of them, or however many underlying servers there actually are.
but at that point, the only thing anycast would buy you is ddos resistance
and the ability to have more than 13 physical servers... which is all the
root server system wants from anycast, but maybe not all that afilias and
ultradns and icann want from anycast in .ORG.

> This is after all a good engineering practice: when you deploy
> something new, do it carefully and not everywhere at the same time.

this is the second important point you raise.  anycast isn't new.  rodney
pioneered it commercially in 1997 or so.  it had been in campus-area use
for at least six years by that time and perhaps 10 years depending on how
you count.  akamai has been using it since 1999 or so.  if there were any
stability problems like the pplb assertions made elsewhere in this thread,
we'd've all been seeing them for a long time by now.


