How to tell if something is anycasted?

Peter Boothe peter at
Fri May 19 00:16:04 UTC 2006

On Thu, 18 May 2006, Dean Anderson wrote:

> First, I would strongly recommend _against_ using DNS Anycast, since
> anycast does not work for stateful DNS, which is required for DNSSEC.
> Second, there are many problems involved in DNS Anycast management and
> problem tracking.

I agree with the second - it certainly does make debugging harder.  I also
agree that the method I mentioned is not foolproof.  But your first
statement is probably false.

We did a broad survey about 1.5 yrs ago and found that the average time
between switches was 14.4 minutes, but the median AS saw root switches
every 3 hours on average (
Some ASs had severe extant routing problems, and dragged the mean a long
ways away from the median.

Because stateful DNS queries are really short lived, let's assume a flow
of ~10 seconds duration.  14 minutes is 60 * 14 seconds, and the chance
that our flow to that given root is going to overlap is 10/(60*14), or
about 1.2%.  Which isn't great, but isn't too bad.  If we look at the
median AS, however, then things look a lot better.  Switching every 3
hours reduces that unreliability by a factor of 3*60/14 =~ 12.9, which
means that anycast reduces DNS reliability by just less than 0.1% for a
given root.

Given that the difference in reliability (according to DNSmon) between
anycasted and non-anycasted roots is 1% in anycast's favor
(, then for the majority of
ASs, anycast is a net win in reliability even for stateful DNS, as long as
the flows are short-lived.

Counter-intuitive, I agree.  But it seems to be true for the existing DNS
anycast deployment on the internet (or at least was true in late 2004).


Peter Boothe
PhD Student                         "Young man, you think you're very
Computer Science                    smart, but it's turtles all the way
University of Oregon                down!"

More information about the NANOG mailing list