RIPE "Golden Networks" Document ID - 229/210/178

Steve Gibbard scg at gibbard.org
Fri Sep 3 21:02:47 UTC 2004


On Thu, 2 Sep 2004, Rodney Joffe wrote:

> You are absolutely right in suggesting that .foo has to get its act
> together. You may even tell your users that. But you'll be telling
> every single one of them, because every single one of them is going to
> attempt to resolve .foo domain names during the hour you have them
> dampened. And your cost in dealing with those support calls will
> probably outweigh the benefits of dampening .foo.
>
> I am polling networks so that I can get an idea of who handles their
> network this way, and who doesn't. I don't know if it is stupid or not,
> because I don't know enough about the subject yet. What I do know is
> that dampening these special networks with long prefixes already causes
> real-world problems. In many cases, the pain is felt by networks who
> may have a policy of not dampening, but are downstream of a major

While I'm not going to encourage anybody to avoid doing something to make
their network stable because it should be somebody else's problem (just as
I wouldn't suggest that somebody cross the street in front of a speeding
truck just because pedestrians have the right of way at California
crosswalks), this whole discussion strikes me as something that needs to
be looked at in the context of DNS diversity.

In the case of the root servers, there are 13 IP addresses, announced from
different ASes, most of them by different organizations.  Some of them are
anycasted; I believe some of them still aren't.  As long as a network
still has reachability to one of them, things should work.  Anything that
causes a network to see all 13 of them flapping simultaneously is probably
a local problem, and probably leaves much of the rest of the Internet
inaccessible from that network

The same really can't be said for some of the TLDs, either on the
qorbit.net Golden Networks list or off (it omits all the ccTLDs, which
include some of the most important TLDs in some parts of the world).  I
suspect many of the TLDs that have only two or three listed name servers
are anycasted, and anycast does add a lot of reliability.  For most forms
of network or server failure, a good anycast implementation can force
fail-over to another server, and users not doing traceroutes to the name
servers will never notice.  But one thing anycast doesn't do is protect
against route flapping.  If a domain is served from two anycast addresses,
and two announced routes, all it takes to make it completely unreachable
from some part of the Internet is for the two local servers to start
flapping at the same time.  If reliability of the individual components is
equal, that should be a lot less robust than the root server architecture.

So, it seems to me that there are three questions here:

What is critical infrastructure?  DNS for which domains?  What about other
services?  Google?  Hotmail or Yahoo?  The answer to this presumably
varies considerably from place to place.

What should the providers of critical infrastructure be doing to make sure
their critical infrastructure remains available?

What should network operators be doing to make sure their networks can
access critical infrastructure?

-Steve



More information about the NANOG mailing list