Re: [dnsext] Re: RFC 3484 section 6 rule 9 causing more operational problems
Ask Bjørn Hansen <ask@develooper.com> Mon, 09 March 2009 06:38 UTC
Return-Path: <ask@develooper.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA5E03A69FF for <ietf@core3.amsl.com>; Sun, 8 Mar 2009 23:38:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fKxgBJQs0dha for <ietf@core3.amsl.com>; Sun, 8 Mar 2009 23:38:11 -0700 (PDT)
Received: from x8.develooper.com (x8.develooper.com [216.52.237.208]) by core3.amsl.com (Postfix) with ESMTP id 16A423A69CA for <ietf@ietf.org>; Sun, 8 Mar 2009 23:38:10 -0700 (PDT)
Received: (qmail 31924 invoked from network); 9 Mar 2009 06:38:42 -0000
Received: from gw.develooper.com (HELO embla.bn.dev) (ask@mail.dev@64.81.84.140) by smtp.develooper.com with ESMTPA; 9 Mar 2009 06:38:42 -0000
Message-Id: <30A508ED-E5E9-4C0C-AF66-DEE0F65229B0@develooper.com>
From: Ask Bjørn Hansen <ask@develooper.com>
To: mayer@gis.net
In-Reply-To: <49B49A19.7090805@gis.net>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: Re: [dnsext] Re: RFC 3484 section 6 rule 9 causing more operational problems
Date: Sun, 08 Mar 2009 23:38:41 -0700
References: <alpine.LSU.2.00.0903041400220.8701@hermes-2.csi.cam.ac.uk> <20090304145901.GC6574@shinkuro.com> <alpine.LSU.2.00.0903041505260.7093@hermes-2.csi.cam.ac.uk> <25201.1236185908@nsa.vix.com> <alpine.LSU.2.00.0903041704350.8701@hermes-2.csi.cam.ac.uk> <37326.1236199403@nsa.vix.com> <823adswazg.fsf@mid.bfk.de> <93327.1236275992@nsa.vix.com> <49B49A19.7090805@gis.net>
X-Mailer: Apple Mail (2.930.3)
X-Mailman-Approved-At: Mon, 09 Mar 2009 10:08:49 -0700
Cc: Paul Vixie <vixie@isc.org>, namedroppers@ops.ietf.org, ietf@ietf.org, Florian Weimer <fweimer@bfk.de>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2009 06:58:21 -0000
On Mar 8, 2009, at 21:24, Danny Mayer wrote: >> i'm not sure we're in the same discussion. pool.ntp.org is using >> short >> ttl and silent truncation and round robin. there's no geo-ip >> stability >> that could be hurt by client-side reordering or rerandomizing. and >> the >> nameserver examples you gave are all subject to rdns RTT sorting. >> the >> "large RRset" approach works just fine, and is not related to Rule 9. >> > > pool.ntp.org divides itself up into subdomains (okay they are really > hostnames) for each country-code so that you get addresses in that > country code. NTP in the future will take advantage of the fact that > it > gets back multiple addresses and will use more than just one of them > to > find NTP servers. The order does not really matter and it's better > that > there be no particular order so that we do not overload any one > server. Hi everyone, Funny the NTP Pool was brought up as an example. I'm looking after pool.ntp.org and I actually subscribed earlier in the week to comment on the round robin issue. :-) It's a little more complicated than what Paul described above (although it worked like that until ~2005 when I took over maintaining the system). When you query pool.ntp.org (or 1.pool.ntp.org etc), the DNS server does the "IP to geo-location" thing to automatically select the "sub- zone". You can also explicitly ask for the sub-zone with 0.us.pool.ntp.org, 0.north-america.pool.ntp.org, etc. Paul is right that there's no problems with geo-stability because the DNS server will generally just give you servers from one area anyway; but we can get hurt by dumb re-ordering. For distributing the load[1] we depend on clients making mostly random picks when receiving multiple A records. Within each "zone" we have anywhere from a dozen to 1000+ servers[2]. The DNS server will return a list of A records weighted by the bandwidth the server administrator have told us they have. This is absolutely crucial. Before I implemented the current system, we just used a frequently updated zone with rotating A records and once or twice a day server operators with a small pipe (say a T1) or a small scale "router" would get overloaded enough that they'd leave the pool. It's critical to the longevity and the geographic diversity of the pool that "small operators" are able to contribute; even if they handle much less traffic than others. If "RFC 3484 section 6 rule 9" really is implemented with "matching" prefixes all the way up to /2, I'd worry that could mess up the weighting we do and cause operators on "unlucky" IP addresses to have to stop offering their service. Since the DNS server does most of the weighting by giving just a few records from a usually much larger set, I could just return fewer A records to force "my choice". But returning ~5 A records is valuable - some NTP servers knows how to use multiple A records from one lookup (ntpd in the future being one of them, as Danny pointed out). Having the client be "smart" would be absolutely unhelpful. Someone was arguing that the client might have useful network knowledge to apply. I don't know of any actual implementations of that whereas there are lots of deployed implementations with the DNS server being smart and/or deliberate about the records returned. - ask [1] The NTP Pool is used a lot. You'd have an unlikely network to not have some local users. It's the default in for example most Linux distributions and many consumer devices. Practically none of the manufacturers contribute anything back; but the whole point of the NTP Pool is to preserve NTP as a useful public resource, so better us than some poor overloaded NIST server! I don't know how many clients we have; but the name servers do about 20m requests a day; and that's basically only counting "dumb" ntp clients because the long running daemons generally just do one set of lookups on startup. It also, obviously, doesn't count the effects of local caches. In any case: It's a lot of users. [2] There are ~1743 active server in the pool right now distributed around the world: http://www.pool.ntp.org/zone - about 1000 in Europe and just under 600 in North America, http://www.pool.ntp.org/zone/ europe and http://www.pool.ntp.org/zone/north-america -- http://develooper.com/ - http://askask.com/
- RFC 3484 section 6 rule 9 causing more operationa… Tony Finch
- Re: RFC 3484 section 6 rule 9 causing more operat… Andrew Sullivan
- Re: RFC 3484 section 6 rule 9 causing more operat… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Tony Finch
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Tony Finch
- RE: [dnsext] RFC 3484 section 6 rule 9 causing mo… Christian Huitema
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Florian Weimer
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Nicholas Weaver
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Ondřej Surý
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Paul Vixie
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Mark Andrews
- Re: RFC 3484 section 6 rule 9 causing more operat… Jari Arkko
- Re: RFC 3484 section 6 rule 9 causing more operat… Tim Chown
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… bmanning
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Chris Thompson
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Florian Weimer
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Florian Weimer
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Florian Weimer
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Ondřej Surý
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Ondřej Surý
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Paul Vixie
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Paul Vixie
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Paul Vixie
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Tony Finch
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Paul Vixie
- Re: [dnsext] RFC 3484 section 6 rule 9 causing mo… Paul Vixie
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Paul Vixie
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Danny Mayer
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Ask Bjørn Hansen
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Florian Weimer
- Re: [dnsext] Re: RFC 3484 section 6 rule 9 causin… Danny Mayer
- Re: RFC 3484 section 6 rule 9 causing more operat… Arifumi Matsumoto