IETF Logo Mail Archive

Re: [dnsext] Re: RFC 3484 section 6 rule 9 causing more operational problems

Florian Weimer <fweimer@bfk.de> Mon, 09 March 2009 07:43 UTC

Return-Path: <fweimer@bfk.de>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 308693A6A86 for <ietf@core3.amsl.com>; Mon, 9 Mar 2009 00:43:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.295
X-Spam-Level:
X-Spam-Status: No, score=-1.295 tagged_above=-999 required=5 tests=[AWL=0.954, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZlGCNLw0d4n for <ietf@core3.amsl.com>; Mon, 9 Mar 2009 00:43:28 -0700 (PDT)
Received: from mx01.bfk.de (mx01.bfk.de [193.227.124.2]) by core3.amsl.com (Postfix) with ESMTP id 20E723A691B for <ietf@ietf.org>; Mon, 9 Mar 2009 00:43:26 -0700 (PDT)
Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1Lga91-000825-CR; Mon, 09 Mar 2009 08:43:27 +0100
Received: from fweimer by bfk.de with local id 1Lga9G-0001zQ-IY; Mon, 09 Mar 2009 08:43:42 +0100
To: Paul Vixie <vixie@isc.org>
Subject: Re: [dnsext] Re: RFC 3484 section 6 rule 9 causing more operational problems
References: <alpine.LSU.2.00.0903041400220.8701@hermes-2.csi.cam.ac.uk> <20090304145901.GC6574@shinkuro.com> <alpine.LSU.2.00.0903041505260.7093@hermes-2.csi.cam.ac.uk> <25201.1236185908@nsa.vix.com> <alpine.LSU.2.00.0903041704350.8701@hermes-2.csi.cam.ac.uk> <37326.1236199403@nsa.vix.com> <823adswazg.fsf@mid.bfk.de> <93327.1236275992@nsa.vix.com>
From: Florian Weimer <fweimer@bfk.de>
Date: Mon, 09 Mar 2009 08:43:42 +0100
In-Reply-To: <93327.1236275992@nsa.vix.com> (Paul Vixie's message of "Thu, 05 Mar 2009 17:59:52 +0000")
Message-ID: <8263ijdtu9.fsf@mid.bfk.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Mon, 09 Mar 2009 10:08:48 -0700
Cc: namedroppers@ops.ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2009 07:43:29 -0000

* Paul Vixie:

>> > some number of vendors have depended on revenue from selling this
>> > feature but i'd say that only a small number of sites ever saw any
>> > benefit from it.
>> 
>> pool.ntp.org, security.debian.org, rsync.gentoo.org,
>> [a-o].ns.spamhaus.org, [a-n].surbl.org.  In general the "large RRset"
>> approach is used by those who do not buy special DNS appliance to serve
>> their zones, I think.
>
> i'm not sure we're in the same discussion.  pool.ntp.org is using short
> ttl and silent truncation and round robin.  there's no geo-ip stability
> that could be hurt by client-side reordering or rerandomizing.

The NTP issue is rather specific and affected ntpd when you had

server pool.ntp.org
server pool.ntp.org
server pool.ntp.org

in your configuration.

And some those mirrors I mentioned are affected by *deterministic*
reordering.  They don't care if traffic hits the closest instance,
they want to spread the load (security.debian.org, for instance, is
difficult to serve from a single node from time to time).

> and the nameserver examples you gave are all subject to rdns RTT
> sorting.

If you follow Rule 9, you haven't got that many RTTs to sort by: Rule
10 ensures that there is a single IP address you should use as long as
the service on it is reachable.  Unless you cheat, deviate from Rule
9, contact additional servers, and gather additional RTTs--but you
have to cheat to get that data.

> and they have to use drastically low TTL's to prevent mobility from
> breaking their assumptions.  and they have no way to cope with opendns or
> any other global or semi-coherent caching layer.  and even when they use
> TTL=0 and happen to be talking to an rdns who shares topology with the
> stub, they're making an educated guess without knowing what kinds of
> wormholes the stub may have access to, whether VPN, private interconnects
> that don't show up in global BGP, or whatever.

Well, if it's not a good idea, why are most large web sites served
this way?

I suspect there is currently no better way to distribute initial
client requests than to play DNS tricks.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

v2.23.0 | Report a Bug | By Email