Re: Anycast DNS - LB/LTM
I'm not familiar with LTM, so there is no need to check the pool with the script? LTM will know itself and stop advertising through some other mechanism when the pool is empty? Therefore checking the VIPA using the script is just redundant?

From: David Klein
To: ju wusuo
Cc: "bind-users@lists.isc.org"
Sent: Saturday, March 10, 2012 3:31 PM
Subject: Re: Anycast DNS - LB/LTM

> Exactly. The script runs inside the LTM, and wraps "nslookup" or "dig". It should output a distinct output for success, and another distinct output for failure. It should only check the pool members, not the VIPA itself. If the pool is empty, the LTM will stop advertising the VIPA.
>
> -DTK
>
> On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo wrote:
>
>> so the script would run on the LTM, it will periodically check each physical DNS node, if one cannot resolve then take it out of the pool; it will also check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the advertising?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Anycast DNS - LB/LTM
Exactly. The script runs inside the LTM, and wraps "nslookup" or "dig". It should output a distinct output for success, and another distinct output for failure. It should only check the pool members, not the VIPA itself. If the pool is empty, the LTM will stop advertising the VIPA.

-DTK

On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo wrote:

> so the script would run on the LTM, it will periodically check each physical DNS node, if one cannot resolve then take it out of the pool; it will also check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the advertising?

--
david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
Re: Anycast DNS - LB/LTM
so the script would run on the LTM, it will periodically check each physical DNS node, if one cannot resolve then take it out of the pool; it will also check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the advertising?

From: David Klein
To: ju wusuo
Cc: "bind-users@lists.isc.org"
Sent: Wednesday, March 7, 2012 11:18 PM
Subject: Re: Anycast DNS

> You would need to create a custom script to use as your monitor, which does a lookup of an address that you know will always be in your domain. If that fails, force-down/inactive the node, and tie this script as a monitor to the pool holding the DNS server nodes.
>
> You can advertise the /32 containing the VIPA to the up-stream router via either OSPF or IBGP, and if the pool goes empty, stop advertising the route (the only option is stop advertising, not actively withdraw the route, since that could cause a massive reconvergence cycle in your enterprise-wide RIB, if done wrong, just because of a flapping interface).
>
> HTH,
>
> -DTK
Re: Anycast DNS
You would need to create a custom script to use as your monitor, which does a lookup of an address that you know will always be in your domain. If that fails, force-down/inactive the node, and tie this script as a monitor to the pool holding the DNS server nodes.

You can advertise the /32 containing the VIPA to the up-stream router via either OSPF or IBGP, and if the pool goes empty, stop advertising the route (the only option is stop advertising, not actively withdraw the route, since that could cause a massive reconvergence cycle in your enterprise-wide RIB, if done wrong, just because of a flapping interface).

HTH,

-DTK

On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo wrote:

> thanks everyone for all responses with the great inputs ..
>
> now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to announce the routes dynamically for the DNS servers, and a VIP can be withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS service failure and stop sending over DNS queries, i.e., in the case a named is still up but just not able to resolve names (assuming LTM can detect a named is down)?

--
david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
Re: Anycast DNS
thanks everyone for all responses with the great inputs ..

now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to announce the routes dynamically for the DNS servers, and a VIP can be withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS service failure and stop sending over DNS queries, i.e., in the case a named is still up but just not able to resolve names (assuming LTM can detect a named is down)?
Re: Anycast DNS
In article , sth...@nethelp.no wrote:

>>> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?
>>
>> We do that.
>>
>> We use two different, independent methods to route traffic to the IPs. We feel this provides a greater degree of resilience.
>
> More than one address also lets you do some load balancing or traffic steering, if that is desirable.
>
> (E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2 with localpref 120. Anycast group 2 announces prefix 1 with localpref 120, prefix 2 with localpref 110.)
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

I was at BBN Planet/Genuity when we came up with the 4.2.2.{1,2,3} scheme. Were we the first major ISP to deploy anycast DNS (it was the late 90's)? I don't know if it's still the same since Level(3) took over, but here's how we did it.

There were around 15 4.2.2.1 locations, collocated with the major hubs of our routing network. These were intended to be the primary servers our customers used. There were about a half dozen 4.2.2.2 machines, spread evenly around the network. And one or two 4.2.2.3 machines, as the final resort if these were all down.

When I was there (until 2003), we didn't have any software that would monitor BIND on the nameserver and withdraw the route automatically if it went down. We just had static routes on the upstream router; if a server went down, the NOCC had to reconfigure the router to take it out of anycast. So we depended on clients timing out and failing over to the backup resolver IPs.

--
Barry Margolin
Arlington, MA
Re: Anycast DNS
>> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?
>
> We do that.
>
> We use two different, independent methods to route traffic to the IPs. We feel this provides a greater degree of resilience.

More than one address also lets you do some load balancing or traffic steering, if that is desirable.

(E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2 with localpref 120. Anycast group 2 announces prefix 1 with localpref 120, prefix 2 with localpref 110.)

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Anycast DNS
On 29/02/12 03:55, ju wusuo wrote:

> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?

We do that.

We use two different, independent methods to route traffic to the IPs. We feel this provides a greater degree of resilience.
Re: Anycast DNS
On 01/03/12 03:40, Beavis wrote:

> Just want to piggy back on this topic is there any documentation available online that shows a deployment guideline for Anycast?

There's not much to it:

1. Create the anycast IP on your servers
2. Route the anycast IP to your servers
3. Make bind listen on the anycast IP

1 & 3 are easy. 2 can be accomplished using a very wide variety of methods. We use BGP, with a locally-created BGP speaker that checks port 53 for a reply and advertises/withdraws the route dynamically, but exabgp would be my recommendation, since it has a built-in facility to announce/withdraw routes via a "watchdog" script - see pages 5 & 6 of:

http://thomas.mangin.com/data/pdf/Linx%2074%20-%20Mangin%20-%20BGP.pdf

Alternatively you could use OSPF with Zebra/Quagga/Whatever. For example:

http://www.digriz.org.uk/ha-ospf-anycast

Cisco IP SLA probes, with "track" static routes are another option.

Or, if you don't care about dynamically withdrawing the route when bind goes away, just plain static routes.
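The two pieces the thread keeps circling back to are a monitor that probes the real nameservers (not the VIP) and judges the reply, and a BGP speaker process that announces the /32 while the pool has a live member and stops announcing it when it does not. The following is an added example of both in one script, not code from the list, from F5 or from the exabgp project: it sends a raw DNS query to each pool member, treats SERVFAIL or an empty answer as a failure (the "named is up but cannot resolve" case), dampens the decision so one lost packet does not flap the route, and writes exabgp-style "announce route ... next-hop ..." / "withdraw route ..." lines to stdout. The addresses, the probe name and the exact exabgp command syntax are assumptions; check the latter against the exabgp version you run.

```python
"""Anycast DNS watchdog: probe pool members, announce or withdraw the VIP.
Constructed values: VIP 192.0.2.53/32, next-hop 198.51.100.10, pool members
198.51.100.11/.12, probe name probe.example (replace with a name that always
exists in your zone). Output syntax assumes exabgp's text API."""
import random
import socket
import struct
import sys
import time


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: header (RD set, one question), QNAME, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, txid: int):
    """Healthy only if: matching id, QR set, RCODE 0 and at least one answer.
    A named that is up but cannot resolve usually answers SERVFAIL (rcode 2)."""
    if len(data) < 12:
        return False, "short packet"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    rcode = flags & 0x000F
    if rcode != 0:
        return False, f"rcode {rcode}"
    if an == 0:
        return False, "no answers"
    return True, "ok"


def probe(server: str, name: str, timeout: float = 2.0):
    """Send one UDP query to `server` and classify the reply (or its absence)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError as exc:  # timeout, ICMP unreachable, ...
            return False, f"{server}: {exc}"
    return parse_response(data, txid)


class RouteState:
    """Dampened decision: announce after `up_after` consecutive healthy rounds,
    withdraw after `down_after` consecutive failed rounds, so a single lost
    probe does not push a route change through the whole RIB."""

    def __init__(self, up_after: int = 2, down_after: int = 3):
        self.up_after, self.down_after = up_after, down_after
        self.announced = False
        self.good = self.bad = 0

    def update(self, healthy: bool):
        """Return "announce", "withdraw" or None for this round."""
        if healthy:
            self.good, self.bad = self.good + 1, 0
        else:
            self.bad, self.good = self.bad + 1, 0
        if not self.announced and self.good >= self.up_after:
            self.announced = True
            return "announce"
        if self.announced and self.bad >= self.down_after:
            self.announced = False
            return "withdraw"
        return None


def run(members, name, vip, next_hop, interval=5.0):
    """Loop as an exabgp process: probe every member, emit route commands on stdout."""
    state = RouteState()
    while True:
        results = {m: probe(m, name) for m in members}
        for member, (ok, why) in results.items():  # distinct UP/DOWN output per member
            print(f"# {member} {'UP' if ok else 'DOWN'} {why}", file=sys.stderr)
        action = state.update(any(ok for ok, _ in results.values()))
        if action:
            print(f"{action} route {vip} next-hop {next_hop}", flush=True)
        time.sleep(interval)


if __name__ == "__main__":
    # Constructed documentation-range addresses; replace with your own.
    run(["198.51.100.11", "198.51.100.12"], "probe.example",
        "192.0.2.53/32", "198.51.100.10")
```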
Re: Anycast DNS
2012/3/1 Beavis

> Just want to piggy back on this topic is there any documentation available online that shows a deployment guideline for Anycast?
>
> -beavis

What about RFC 4786?

--
AP
Re: Anycast DNS
Just want to piggy back on this topic is there any documentation available online that shows a deployment guideline for Anycast?

-beavis

On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari wrote:

> On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:
>
>> The reason I've heard a few times is that users are uncomfortable using only 1 address. In the past I've done 2 or 3 addresses just so that we can give out 3 addresses that all point to the same pool of servers.
>>
>> Silly, I know, but sometimes it's easier to placate than to change someone's/group's understanding of the world/networking/resilience/dns/loadbalancing.
>
> It's partly silly, it's also partly not wanting to have all your eggs in one basket.
>
> Having more than one anycast address provides protection against things like routing attacks / leaks, overenthusiastic ACLs, router blackholes and similar. It also provides a backup in case the primary node chosen by your routing infrastructure is unavailable -- if you only have a single anycast address (192.0.2.1) and the instance chosen by your routing system is down (for example through a DoS, misconfiguration, etc) you have no service. If you have a second address (10.10.10.10) that is announced by a different constellation you have redundancy.
>
> Also, anycast provides the closest instance according to the *network topology* -- this doesn't always equate to fastest response -- it is not uncommon for a longer BGP path to have a shorter latency. Providing multiple addresses allows the resolver to choose based upon time.
>
> W

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/
Re: Anycast DNS
On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:

> The reason I've heard a few times is that users are uncomfortable using only 1 address. In the past I've done 2 or 3 addresses just so that we can give out 3 addresses that all point to the same pool of servers.
>
> Silly, I know, but sometimes it's easier to placate than to change someone's/group's understanding of the world/networking/resilience/dns/loadbalancing.

It's partly silly, it's also partly not wanting to have all your eggs in one basket.

Having more than one anycast address provides protection against things like routing attacks / leaks, overenthusiastic ACLs, router blackholes and similar. It also provides a backup in case the primary node chosen by your routing infrastructure is unavailable -- if you only have a single anycast address (192.0.2.1) and the instance chosen by your routing system is down (for example through a DoS, misconfiguration, etc) you have no service. If you have a second address (10.10.10.10) that is announced by a different constellation you have redundancy.

Also, anycast provides the closest instance according to the *network topology* -- this doesn't always equate to fastest response -- it is not uncommon for a longer BGP path to have a shorter latency. Providing multiple addresses allows the resolver to choose based upon time.

W

> $0.02
> t.
>
> From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
> Sent: Tuesday, February 28, 2012 10:56 PM
> To: bind-users@lists.isc.org
> Subject: Anycast DNS
>
>> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?
RE: Anycast DNS
The reason I've heard a few times is that users are uncomfortable using only 1 address. In the past I've done 2 or 3 addresses just so that we can give out 3 addresses that all point to the same pool of servers.

Silly, I know, but sometimes it's easier to placate than to change someone's/group's understanding of the world/networking/resilience/dns/loadbalancing.

$0.02
t.

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
Sent: Tuesday, February 28, 2012 10:56 PM
To: bind-users@lists.isc.org
Subject: Anycast DNS

> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?

-
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
Re: Anycast DNS
In article , Oliver Garraux wrote:

> On Wed, Feb 29, 2012 at 8:33 AM, takizo wrote:
>
>> Ju,
>>
>> What do you mean on more than one address?
>>
>> --
>> Paul Ooi
>>
>> On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:
>>
>>> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?
>
> I assume he's asking why Google has 8.8.8.8 and 8.8.4.4, and why whoever runs 4.2.2.2 has 4.2.2.1, 4.2.2.2, etc. I don't have an answer. They may have to announce at least a /24 for BGP peers to accept the routes. But 8.8.8.8 and 8.8.4.4 aren't in the same /24, so that doesn't make sense there.

The difference is that Google is running a public DNS, while Level(3) is an ISP and their DNS was intended just for their customers (allowing public access is mostly a legacy of inheriting these servers from Genuity, nee BBN Planet -- we never had a central database of all customer address blocks from which to formulate an ACL). So Google has to be concerned about having diverse routes from many different ISPs, and announcing two /24's facilitates this. Level(3) is only concerned with routing within their network, and their OSPF routing can achieve diversity at the /32 level.

--
Barry Margolin
Arlington, MA
Re: Anycast DNS
On Wed, Feb 29, 2012 at 8:33 AM, takizo wrote:

> Ju,
>
> What do you mean on more than one address?
>
> --
> Paul Ooi
>
> On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:
>
>> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?

I assume he's asking why Google has 8.8.8.8 and 8.8.4.4, and why whoever runs 4.2.2.2 has 4.2.2.1, 4.2.2.2, etc. I don't have an answer. They may have to announce at least a /24 for BGP peers to accept the routes. But 8.8.8.8 and 8.8.4.4 aren't in the same /24, so that doesn't make sense there.

Oliver
Re: Anycast DNS
Ju,

What do you mean on more than one address?

--
Paul Ooi

On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:

> Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet, any considerations or reasons for doing that?