ietf
[Top] [All Lists]

Re: [dnsop] [dean(_at_)av8(_dot_)com: Mismanagement of the DNSOP list]

2005-09-27 09:44:44
In <7230(_dot_)1127829972(_at_)munnari(_dot_)OZ(_dot_)AU> Robert Elz 
<kre(_at_)munnari(_dot_)OZ(_dot_)AU> writes:

  | Without getting into to much detail, Anycast doesn't work with TCP, 
  | but it also doesn't work with large UDP packets and fragments.

Anycast does not work (or perhaps more correctly, in some circumstances
when there is routing instability, will not work) with fragmented UDP packets
(the size of the packets is irrelevant, only whether they are fragmented),
when sending those fragments *to* an anycast address.

In order for anycast DNS to fail, either due to the use of TCP or in
cases where the UDP DNS query was fragmented, doesn't the network
routing instability have to be such that retries also fail?  A single
failure isn't fatal, after all.  The routes would have to be flapping
pretty badly to most of the root servers (anycast or not) for this to
cause any problems, in which case, I think we would be far more
worried about other things.


It is anycast at the root name servers that you seem to be complaining about.
If the root servers are going fine grained load balancing, then it would not
only be routing instability that would result in a switch of server.   I am
by no means convinced that even that would be any kind of a serious problem
for the root servers (or those sending legitimate queries to them [...]

I'm not sure I see any problem at all here, serious or not.  Even if a
root server is doing fine grained load balancing, all the packets will
still end up at the destination address, where fragments can be
reassembled and out of order reception can be resolved.


Now, if you, the client, are using anycast, and you're sending DNS queries
from what is effectively an anycast address, then you're likely to have
all kinds of problems.   But that's your problem, no-one else's.

Yeah, I can't see how a DNS client could work as an anycast
destination.  Getting an answer on a machine that you didn't send the
query from isn't going to be very useful.



This is all theoretical arguing and theory is different than
practice.

Can someone show an actual case where the use of anycast DNS servers
cause problems?  Using standard commands like dig or nslookup would be
best, but even if you have to create a specialized DNS client and/or
server, that would make any real problems much clearer.  I'm not
looking for rock solid, can-not-get-around examples even, just like I
don't think you need to show that a buffer overrun can actually cause
an exploit.  Just a proof of concept will do.

Right now, it looks like in theory, the use of anycast DNS servers
can't be a significant problem.  So far, I have seen no demonstrations
of practical problems. To the best of my understanding, this has been
the state of the debate for years now.


This looks like a tempest in a teapot to me.


-wayne


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf