Re: Anycast DNS - LB/LTM

2012-03-12 Thread ju wusuo
I'm not familiar with LTM, so there is no need to check the pool with the 
script, LTM will know itself and stop advertising through some other mechanism 
when the pool is empty?

therefore checking VIPA using the script is just redundant?





 From: David Klein 
To: ju wusuo  
Cc: "bind-users@lists.isc.org"  
Sent: Saturday, March 10, 2012 3:31 PM
Subject: Re: Anycast DNS - LB/LTM
 


Exactly. The script runs inside the LTM, and wraps "nslookup" or "dig". It 
should output a distinct output for success, and another distinct output for 
failure. It should only check the pool members, not the VIPA itself. If the 
pool is empty, the LTM will stop advertising the VIPA.


 -DTK



On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo  wrote:

so the script would run on the LTM, it will periodically check each physical 
DNS node, if one cannot resolve then takes it out of the pool; it will also 
check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the 
advertising?
>
>
>
>
> From: David Klein 
>To: ju wusuo  
>Cc: "bind-users@lists.isc.org"  
>Sent: Wednesday, March 7, 2012 11:18 PM
>Subject: Re: Anycast DNS
> 
>
>
>You would need to create a custom script to use as your monitor, which does a 
>lookup of an address that you know will always be in your domain. If that 
>fails, force-down/inactive the node, and tie this script as a monitor to the 
>pool holding the DNS server nodes. 
>
>
>You can advertise the /32 containing the VIPA to the up-stream router via 
>either OSPF or IBGP, and if the pool goes empty, stop advertising the route 
>(the only option is stop advertising, not actively withdraw the route, since 
>that could cause a massive reconvergence cycle in your enterprise-wide RIB, if 
>done wrong, just because of a flapping interface). 
>
>
>
>
>
>
>HTH,
>
>
> -DTK
>
>
>
>On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo  wrote:
>
>
>>
>>thanks everyone for all responses with the great inputs ..
>>
>>
>>now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to 
>>announce the routes dynamically for the DNS servers, and a VIP can be 
>>withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS 
>>service failure and stop sending over DNS queries, i.e., in the case a named 
>>is still up but just not able to resolve names (assuming LTM can detect a 
>>named is down)?  
>>
>>
>>___
>>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
>>from this list
>>
>>bind-users mailing list
>>bind-users@lists.isc.org
>>https://lists.isc.org/mailman/listinfo/bind-users
>>
>
>
>
>-- 
>
>david t. klein
>
>Cisco Certified Network Associate (CSCO11281885)
>Linux Professional Institute Certification (LPI000165615)
>Redhat Certified Engineer (805009745938860)
>
>Quis custodiet ipsos custodes?
>
>
>
>
>
>


-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

Re: Anycast DNS - LB/LTM

2012-03-10 Thread David Klein
Exactly. The script runs inside the LTM, and wraps "nslookup" or "dig". It
should output a distinct output for success, and another distinct output
for failure. It should only check the pool members, not the VIPA itself. If
the pool is empty, the LTM will stop advertising the VIPA.


 -DTK


On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo  wrote:

> so the script would run on the LTM, it will periodically check each
> physical DNS node, if one cannot resolve then takes it out of the pool; it
> will also check the VIP, if the VIP cannot resolve, pool is empty or LTM
> issue, stop the advertising?
>
>   --
> *From:* David Klein 
> *To:* ju wusuo 
> *Cc:* "bind-users@lists.isc.org" 
> *Sent:* Wednesday, March 7, 2012 11:18 PM
> *Subject:* Re: Anycast DNS
>
>
> You would need to create a custom script to use as your monitor, which
> does a lookup of an address that you know will always be in your domain. If
> that fails, force-down/inactive the node, and tie this script as a monitor
> to the pool holding the DNS server nodes.
>
> You can advertise the /32 containing the VIPA to the up-stream router via
> either OSPF or IBGP, and if the pool goes empty, stop advertising the route
> (the only option is stop advertising, not actively withdraw the route,
> since that could cause a massive reconvergence cycle in your
> enterprise-wide RIB, if done wrong, just because of a flapping interface).
>
>
>
> HTH,
>
>  -DTK
>
>
> On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo  wrote:
>
>
> thanks everyone for all responses with the great inputs ..
>
> now if I want to put the DNS servers behind LBs, 1) would the LTMs be able
> to announce the routes dynamically for the DNS servers, and a VIP can be
> withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS
> service failure and stop sending over DNS queries, i.e., in the case a
> named is still up but just not able to resolve names (assuming LTM can
> detect a named is down)?
>
>
>
>
>
>
> --
>
> david t. klein
>
> Cisco Certified Network Associate (CSCO11281885)
> Linux Professional Institute Certification (LPI000165615)
> Redhat Certified Engineer (805009745938860)
>
> Quis custodiet ipsos custodes?
>
>
>
>
>
>


-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

Re: Anycast DNS - LB/LTM

2012-03-09 Thread ju wusuo
so the script would run on the LTM, it will periodically check each physical 
DNS node, if one cannot resolve then takes it out of the pool; it will also 
check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the 
advertising?



 From: David Klein 
To: ju wusuo  
Cc: "bind-users@lists.isc.org"  
Sent: Wednesday, March 7, 2012 11:18 PM
Subject: Re: Anycast DNS
 


You would need to create a custom script to use as your monitor, which does a 
lookup of an address that you know will always be in your domain. If that 
fails, force-down/inactive the node, and tie this script as a monitor to the 
pool holding the DNS server nodes. 

You can advertise the /32 containing the VIPA to the up-stream router via 
either OSPF or IBGP, and if the pool goes empty, stop advertising the route 
(the only option is stop advertising, not actively withdraw the route, since 
that could cause a massive reconvergence cycle in your enterprise-wide RIB, if 
done wrong, just because of a flapping interface). 



HTH,

 -DTK



On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo  wrote:


>
>thanks everyone for all responses with the great inputs ..
>
>
>now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to 
>announce the routes dynamically for the DNS servers, and a VIP can be 
>withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS 
>service failure and stop sending over DNS queries, i.e., in the case a named 
>is still up but just not able to resolve names (assuming LTM can detect a 
>named is down)?  
>
>
>


-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

Re: Anycast DNS

2012-03-07 Thread David Klein
You would need to create a custom script to use as your monitor, which does
a lookup of an address that you know will always be in your domain. If that
fails, force-down/inactive the node, and tie this script as a monitor to
the pool holding the DNS server nodes.

You can advertise the /32 containing the VIPA to the up-stream router via
either OSPF or IBGP, and if the pool goes empty, stop advertising the route
(the only option is stop advertising, not actively withdraw the route,
since that could cause a massive reconvergence cycle in your
enterprise-wide RIB, if done wrong, just because of a flapping interface).



HTH,

 -DTK


On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo  wrote:

>
> thanks everyone for all responses with the great inputs ..
>
> now if I want to put the DNS servers behind LBs, 1) would the LTMs be able
> to announce the routes dynamically for the DNS servers, and a VIP can be
> withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS
> service failure and stop sending over DNS queries, i.e., in the case a
> named is still up but just not able to resolve names (assuming LTM can
> detect a named is down)?
>
>
>



-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

Re: Anycast DNS

2012-03-07 Thread ju wusuo


thanks everyone for all responses with the great inputs ..

now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to 
announce the routes dynamically for the DNS servers, and a VIP can be withdrawn 
when the site is gone? 2) would the LTMs be able to detect a DNS service 
failure and stop sending over DNS queries, i.e., in the case a named is still 
up but just not able to resolve names (assuming LTM can detect a named is 
down)?  

Re: Anycast DNS

2012-03-01 Thread Barry Margolin
In article ,
 sth...@nethelp.no wrote:

> > > Have seen some anycast DNS implementations using more than one address,
> > > some times even on the same subnet, any considerations or reasons for
> > > doing that?
> > 
> > We do that.
> > 
> > We use two different, independent methods to route traffic to the IPs. 
> > We feel this provides a greater degree of resilience.
> 
> More than one address also lets you do some load balancing or traffic
> steering, if that is desirable.
> 
> (E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2
> with localpref 120. Anycast group 2 announces prefix 1 with localpref
> 120, prefix 2 with localpref 110.)
> 
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

I was at BBN Planet/Genuity when we came up with the 4.2.2.{1,2,3} 
scheme.  Were we the first major ISP to deploy anycast DNS (it was the 
late 90's)?

I don't know if it's still the same since Level(3) took over, but here's 
how we did it.  There were around 15 4.2.2.1 locations, collocated with 
the major hubs of our routing network.  These were intended to be the 
primary servers our customers used.  There were about a half dozen 
4.2.2.2 machines, spread evenly around the network.  And one or two 
4.2.2.3 machines, as the final resort if these were all down.

When I was there (until 2003), we didn't have any software that would 
monitor BIND on the nameserver and withdraw the route automatically if 
it went down.  We just had static routes on the upstream router; if a 
server went down, the NOCC had to reconfigure the router to take it out 
of anycast.  So we depended on clients timing out and failing over to 
the backup resolver IPs.

-- 
Barry Margolin
Arlington, MA


Re: Anycast DNS

2012-03-01 Thread sthaug
> > Have seen some anycast DNS implementations using more than one address,
> > some times even on the same subnet, any considerations or reasons for
> > doing that?
> 
> We do that.
> 
> We use two different, independent methods to route traffic to the IPs. 
> We feel this provides a greater degree of resilience.

More than one address also lets you do some load balancing or traffic
steering, if that is desirable.

(E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2
with localpref 120. Anycast group 2 announces prefix 1 with localpref
120, prefix 2 with localpref 110.)

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Anycast DNS

2012-03-01 Thread Phil Mayers

On 29/02/12 03:55, ju wusuo wrote:

Have seen some anycast DNS implementations using more than one address,
some times even on the same subnet, any considerations or reasons for
doing that?


We do that.

We use two different, independent methods to route traffic to the IPs. 
We feel this provides a greater degree of resilience.



Re: Anycast DNS

2012-03-01 Thread Phil Mayers

On 01/03/12 03:40, Beavis wrote:

Just want to piggy back on this topic is there any documentation
available online that shows a deployment guideline for Anycast?


There's not much to it:

 1. Create the anycast IP on your servers
 2. Route the anycast IP to your servers
 3. Make bind listen on the anycast IP

1 & 3 are easy.

2 can be accomplished using a very wide variety of methods. We use BGP, 
with a locally-created BGP speaker that checks port 53 for a reply and 
advertises/withdraws the route dynamically, but exabgp would be my 
recommendation, since it has a built-in facility to announce/withdraw 
routes via a "watchdog" script - see pages 5 & 6 of:


http://thomas.mangin.com/data/pdf/Linx%2074%20-%20Mangin%20-%20BGP.pdf

Alternatively you could use OSPF with Zebra/Quagga/Whatever. For example:

http://www.digriz.org.uk/ha-ospf-anycast

Cisco IP SLA probes, with "track" static routes are another option.

Or, if you don't care about dynamically withdrawing the route when bind 
goes away, just plain static routes.
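
Added example (not part of the original posts, and not code from any poster or from exabgp or the LTM): a sketch of the health check described in this thread, i.e. the "checks port 53 for a reply" probe above and the pool-member monitor with distinct success/failure results from David Klein's replies. The probe name, the 192.0.2.x node addresses, the rise/fall thresholds and the ADVERTISE/STOP strings are assumptions; wiring the result into a routing daemon or load balancer is not shown.

```python
import os
import socket
import struct

def build_query(name, qid, qtype=1):
    """Encode one DNS question (type A by default, class IN, RD set)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def response_ok(packet, qid):
    """Success only for a reply to our own query that carries an answer.

    A named that is running but cannot resolve usually returns SERVFAIL or
    an empty answer section; both count as failure here, which is what a
    bare "is port 53 open" test would miss.
    """
    if len(packet) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F
    return rid == qid and is_response and rcode == 0 and ancount > 0

def probe(server, name, timeout=2.0, port=53):
    """Query one pool member over UDP; timeouts and ICMP errors are failures."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((server, port))  # only accept replies from this node
            sock.send(build_query(name, qid))
            data = sock.recv(4096)
        except OSError:
            return False
    return response_ok(data, qid)

class NodeState:
    """Hysteresis per node: `rise` successes to go up, `fall` failures to go down."""
    def __init__(self, rise=2, fall=3):
        self.rise, self.fall = rise, fall
        self.up = False
        self.streak = 0  # consecutive results that disagree with current state

    def update(self, ok):
        if ok == self.up:
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= (self.rise if ok else self.fall):
                self.up, self.streak = ok, 0
        return self.up

def pool_decision(states):
    """Keep the anycast address advertised while at least one node is up."""
    return "ADVERTISE" if any(s.up for s in states.values()) else "STOP"

def run_cycle(states, name, probe_fn=probe):
    """Probe every pool member once (never the anycast address itself)."""
    for server, state in states.items():
        state.update(probe_fn(server, name))
    return pool_decision(states)

if __name__ == "__main__":
    # Constructed probe outcomes, no network traffic: node .11 is dead
    # throughout, node .10 flaps once and then fails for good.
    script = {"192.0.2.10": [True, True, False, True, False, False, False],
              "192.0.2.11": [False] * 7}
    states = {ip: NodeState() for ip in script}
    for cycle in range(7):
        fake = lambda server, name, c=cycle: script[server][c]
        print(cycle, run_cycle(states, "health.example.com", fake))
```

The single failed probe in cycle 2 does not change the decision; only three consecutive failures take the last node down and stop the advertisement, which keeps a flapping node from churning the route.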





Re: Anycast DNS

2012-02-29 Thread Peter Andreev
2012/3/1 Beavis 

> Just want to piggy back on this topic is there any documentation
> available online that shows a deployment guideline for Anycast?
>
> -beavis
>

What about RFC 4786?


> On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari  wrote:
> >
> > On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:
> >
> >> The reason I’ve heard a few times is that users are uncomfortable using
> only 1 address.  In the past I’ve done 2 or 3 addresses just so that we can
> give out 3 addresses that all point to the same pool of servers.
> >>
> >> Silly, I know, but sometimes it’s easier to placate than to change
> someone/groups understanding of the
> world/networking/resilience/dns/loadbalancing.
> >
> > It's partly silly, it's also partly not wanting to have all your eggs in
> one basket.
> >
> > Having more than one anycast address provides protection against things
> like routing attacks / leaks, overenthusiastic ACLs, router blackholes and
> similar.
> > It also provides a backup in case the primary node chosen by your
> routing infrastructure is unavailable -- if you only have a single anycast
> address (192.0.2.1) and the instance chosen by your routing system is down
> (for example through a DoS, misconfiguration, etc) you have no service. If
> you have a second address (10.10.10.10) that is announced by a different
> constellation you have redundancy.
> >
> > Also, anycast provides the closest instance according to the *network
> topology* -- this doesn't always equate to fastest response -- it is not
> uncommon for a longer BGP path to have a shorter latency. Providing
> multiple addresses allows the resolver to choose based upon time.
> >
> > W
> >
> >>
> >>
> >> $0.02
> >> t.
> >>
> >> From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:
> bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
> >> Sent: Tuesday, February 28, 2012 10:56 PM
> >> To: bind-users@lists.isc.org
> >> Subject: Anycast DNS
> >>
> >> Have seen some anycast DNS implementations using more than one address,
> some times even on the same subnet, any considerations or reasons for doing
> that?
> >>
> >>
> >>
> >> -
> >> This transmission (including any attachments) may contain confidential
> information, privileged material (including material protected by the
> solicitor-client or other applicable privileges), or constitute non-public
> information. Any use of this information by anyone other than the intended
> recipient is prohibited. If you have received this transmission in error,
> please immediately reply to the sender and delete this information from
> your system. Use, dissemination, distribution, or reproduction of this
> transmission by unintended recipients is not authorized and may be
> unlawful.
> >
>
>
>
> --
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
> Disclaimer:
> http://goldmark.org/jeff/stupid-disclaimers/
>



-- 
--
AP

Re: Anycast DNS

2012-02-29 Thread Beavis
Just want to piggy back on this topic is there any documentation
available online that shows a deployment guideline for Anycast?

-beavis

On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari  wrote:
>
> On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:
>
>> The reason I’ve heard a few times is that users are uncomfortable using only 
>> 1 address.  In the past I’ve done 2 or 3 addresses just so that we can give 
>> out 3 addresses that all point to the same pool of servers.
>>
>> Silly, I know, but sometimes it’s easier to placate than to change 
>> someone/groups understanding of the 
>> world/networking/resilience/dns/loadbalancing.
>
> It's partly silly, it's also partly not wanting to have all your eggs in one 
> basket.
>
> Having more than one anycast address provides protection against things like 
> routing attacks / leaks, overenthusiastic ACLs, router blackholes and similar.
> It also provides a backup in case the primary node chosen by your routing 
> infrastructure is unavailable -- if you only have a single anycast address 
> (192.0.2.1) and the instance chosen by your routing system is down (for 
> example through a DoS, misconfiguration, etc) you have no service. If you have 
> a second address (10.10.10.10) that is announced by a different constellation 
> you have redundancy.
>
> Also, anycast provides the closest instance according to the *network 
> topology* -- this doesn't always equate to fastest response -- it is not 
> uncommon for a longer BGP path to have a shorter latency. Providing multiple 
> addresses allows the resolver to choose based upon time.
>
> W
>
>>
>>
>> $0.02
>> t.
>>
>> From: bind-users-bounces+tsnyder=rim@lists.isc.org 
>> [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju 
>> wusuo
>> Sent: Tuesday, February 28, 2012 10:56 PM
>> To: bind-users@lists.isc.org
>> Subject: Anycast DNS
>>
>> Have seen some anycast DNS implementations using more than one address, some 
>> times even on the same subnet, any considerations or reasons for doing that?
>>
>>
>>
>



-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/


Re: Anycast DNS

2012-02-29 Thread Warren Kumari

On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:

> The reason I’ve heard a few times is that users are uncomfortable using only 
> 1 address.  In the past I’ve done 2 or 3 addresses just so that we can give 
> out 3 addresses that all point to the same pool of servers.
>  
> Silly, I know, but sometimes it’s easier to placate than to change 
> someone/groups understanding of the 
> world/networking/resilience/dns/loadbalancing.

It's partly silly, it's also partly not wanting to have all your eggs in one 
basket.

Having more than one anycast address provides protection against things like 
routing attacks / leaks, overenthusiastic ACLs, router blackholes and similar.
It also provides a backup in case the primary node chosen by your routing 
infrastructure is unavailable -- if you only have a single anycast address 
(192.0.2.1) and the instance chosen by your routing system is down (for example 
through a DoS, misconfiguration, etc) you have no service. If you have a second 
address (10.10.10.10) that is announced by a different constellation you have 
redundancy.

Also, anycast provides the closest instance according to the *network topology* 
-- this doesn't always equate to fastest response -- it is not uncommon for a 
longer BGP path to have a shorter latency. Providing multiple addresses allows 
the resolver to choose based upon time.

W

>  
>  
> $0.02
> t.
>  
> From: bind-users-bounces+tsnyder=rim@lists.isc.org 
> [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju 
> wusuo
> Sent: Tuesday, February 28, 2012 10:56 PM
> To: bind-users@lists.isc.org
> Subject: Anycast DNS
>  
> Have seen some anycast DNS implementations using more than one address, some 
> times even on the same subnet, any considerations or reasons for doing that? 
>  
>  
> 



RE: Anycast DNS

2012-02-29 Thread Todd Snyder
The reason I've heard a few times is that users are uncomfortable using only 1 
address.  In the past I've done 2 or 3 addresses just so that we can give out 3 
addresses that all point to the same pool of servers.

Silly, I know, but sometimes it's easier to placate than to change 
someone/groups understanding of the 
world/networking/resilience/dns/loadbalancing.

$0.02
t.

From: bind-users-bounces+tsnyder=rim@lists.isc.org 
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
Sent: Tuesday, February 28, 2012 10:56 PM
To: bind-users@lists.isc.org
Subject: Anycast DNS

Have seen some anycast DNS implementations using more than one address, some 
times even on the same subnet, any considerations or reasons for doing that?




Re: Anycast DNS

2012-02-29 Thread Barry Margolin
In article ,
 Oliver Garraux  wrote:

> On Wed, Feb 29, 2012 at 8:33 AM, takizo  wrote:
> > Ju,
> >
> > What do you mean on more than one address?
> >
> > --
> > Paul Ooi
> >
> >
> >
> > On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:
> >
> > Have seen some anycast DNS implementations using more than one address, some
> > times even on the same subnet, any considerations or reasons for doing
> > that?
> >
> >
> 
> I assume he's asking why Google has 8.8.8.8 and 8.8.4.4, and why
> whoever runs 4.2.2.2 has 4.2.2.1, 4.2.2.2, etc.  I don't have an
> answer.  They may have to announce at least a /24 for BGP peers to
> accept the routes.  But 8.8.8.8 and 8.8.4.4 aren't in the same /24, so
> that doesn't make sense there.

The difference is that Google is running a public DNS, while Level(3) is 
an ISP and their DNS was intended just for their customers (allowing 
public access is mostly a legacy of inheriting these servers from 
Genuity, nee BBN Planet -- we never had a central database of all 
customer address blocks from which to formulate an ACL).

So Google has to be concerned about having diverse routes from many 
different ISPs, and announcing two /24's facilitates this.  Level(3) is 
only concerned with routing within their network, and their OSPF routing 
can achieve diversity at the /32 level.

-- 
Barry Margolin
Arlington, MA


Re: Anycast DNS

2012-02-29 Thread Oliver Garraux
On Wed, Feb 29, 2012 at 8:33 AM, takizo  wrote:
> Ju,
>
> What do you mean on more than one address?
>
> --
> Paul Ooi
>
>
>
> On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:
>
> Have seen some anycast DNS implementations using more than one address, some
> times even on the same subnet, any considerations or reasons for doing
> that?
>
>

I assume he's asking why Google has 8.8.8.8 and 8.8.4.4, and why
whoever runs 4.2.2.2 has 4.2.2.1, 4.2.2.2, etc.  I don't have an
answer.  They may have to announce at least a /24 for BGP peers to
accept the routes.  But 8.8.8.8 and 8.8.4.4 aren't in the same /24, so
that doesn't make sense there.

Oliver


Re: Anycast DNS

2012-02-29 Thread takizo
Ju, 
 
What do you mean on more than one address? 

--
Paul Ooi 



On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:

> Have seen some anycast DNS implementations using more than one address, some 
> times even on the same subnet, any considerations or reasons for doing that? 
> 
> 
> 
