IETF Logo Mail Archive

Re: DNS when target services are unavailable (was: Re: Transitioning IETF DNS services)

Mark Andrews <Mark_Andrews@isc.org> Fri, 14 December 2007 00:54 UTC

Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J2yoh-0003DP-Nh; Thu, 13 Dec 2007 19:54:15 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J2yof-0003Bt-S1 for ietf@ietf.org; Thu, 13 Dec 2007 19:54:13 -0500
Received: from mx.isc.org ([2001:4f8:0:2::1c]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J2yod-0007Bf-GP for ietf@ietf.org; Thu, 13 Dec 2007 19:54:13 -0500
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.isc.org (Postfix) with ESMTP id 4DC7411401E for <ietf@ietf.org>; Fri, 14 Dec 2007 00:54:10 +0000 (UTC) (envelope-from Mark_Andrews@isc.org)
Received: from drugs.dv.isc.org (localhost.isc.org [IPv6:::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (verified OK)) by farside.isc.org (Postfix) with ESMTP id 61BEDE6076 for <ietf@ietf.org>; Fri, 14 Dec 2007 00:54:10 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.1) with ESMTP id lBE0s2VL089343; Fri, 14 Dec 2007 11:54:02 +1100 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200712140054.lBE0s2VL089343@drugs.dv.isc.org>
To: John C Klensin <john-ietf@jck.com>
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Thu, 13 Dec 2007 13:44:02 CDT." <084ECD0FA962ACBB1CD8C0E8@p3.JCK.COM>
Date: Fri, 14 Dec 2007 11:54:02 +1100
X-Spam-Score: -1.4 (-)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: dcrocker@bbiw.net, ietf maillist <ietf@ietf.org>
Subject: Re: DNS when target services are unavailable (was: Re: Transitioning IETF DNS services)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org

> > On Thu, Dec 13, 2007 at 11:25:27AM -0500,
> >  John C Klensin <john-ietf@jck.com> wrote 
> >  a message of 40 lines which said:
> > 
> >> IMO, it would be really helpful if relevant WGs or other
> >> groups concerned with DNS operations and configurations would
> >> take the question up again, review it, and make some sort of
> >> definitive contemporary statement (even if that were only "it
> >> depends" with an explanation of the tradeoffs).
> > 
> > An important reason why we SHOULD have DNS reliability
> > (including geographical variety) even if service X is down is
> > because there are several services, not just the Web. OK, if
> > the Web site is down, it is not *too* important (but it is
> > important, for the reasons you mention) if I cannot resolve
> > www.ietf.org but email, jabber, etc, continue to live and need
> > the DNS.
> 
> This is consistent with my instincts (and has been for many
> years), but Dave is not the first person to take the other
> position.

And it is a essentially very bad position to take.

The DNS was designed to handle many more "connections" per second
than any TCP based server can handle but to achieve that it needs
to get it needs to be able to find a working server for every zone
it is querying.  If it doesn't the list of outstand recursive queries
quickly becomes a resource issue on the caching server as the amount
of time connection state needs to be remembered goes from sub second
to multi second.

If everyone took the attitude that if the services pointed to by
the DNS are offline then the DNS can be offline then the DNS just
would not work.  Luckily most don't or we would have a "tragesty
of the commons" here.

DNS servers are also often a shared shared resource for thousands
if not hundreds of thousands of clients machines.  This means that
lookup failures don't just affect the user making the lookup.  They
are cumulative and affect all the users of the shared resource.

We see these effects with spam runs which use host names which point
to lame / non-existant servers so this is not just idle speculation.

If the DNS lookup succeeds then the impact of the failure moves
away from the shared resource and back towards individual resources
(browers) or to shared resources which don't have the volume of
lookups (MTAs) and have different failure recovery strategies (store
to disk rather than in memory of a caching server).

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email