Re: Numbering nameservers and resolvers

[Robert E. Seastrom]

Mikael Abrahamsson swm...@swm.pp.se writes:

 On Tue, 17 Aug 2010, Nick Olsen wrote:

 So lets say that you have multiple DNS resolvers in the same ip space that
 you advertise from multiple locations. All would be fine for the most part.
 But if you had a location equidistant network wise from two POP's wouldn't
 it load balance and possibly break some TCP sessions? How would someone get
 around this? This is also what OpenDNS does from what I understand.

 Usually network do not loadshare per-packet on BGP, so a TCP session
 will always go to the same dns server, at least for the short
 duration this TCP session lives.

Occasionally I have seen networks (usually small dual-homed ones) that
attempt to equally utilize their network pipes by doing per-packet bgp
load balancing to both upstreams.  Then they wonder why their
performance is so irregular.  :-)

-r

Re: Numbering nameservers and resolvers

[Phil Vandry]

On Tue, Aug 17, 2010 at 08:52:20AM -0400, Jared Mauch wrote:
 Selecting a site outside of your control is valuable.  When I was
 hostmas...@cic.net, we traded with mr.net.  These days, if I were
 in the same role, I would want to have three instead of two.  Asia,
 Europe and US someplace.  If US only, east, west and central.

While this is good advice, I think it is also important to
consider your customer base. I could easily host an authoritative
nameserver for my domains in Japan, but I elected not to do so,
because most of the end users who would be querying it are in
Canada, and, with one nameserver in Canada and one in Japan,
they would get a long RTT on DNS queries roughly half the time.

-Phil

Re: Numbering nameservers and resolvers

[Lyndon Nerenberg]

because most of the end users who would be querying it are in
Canada, and, with one nameserver in Canada and one in Japan,
they would get a long RTT on DNS queries roughly half the time.


But only, say, once per week if you're running a reasonable TTL on your 
zone.

Re: Numbering nameservers and resolvers

[Matthew Palmer]

On Mon, Aug 16, 2010 at 06:08:02AM -0700, Owen DeLong wrote:
 On Aug 16, 2010, at 6:03 AM, Chris Adams wrote:
  Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
  1) Use different prefixes.  A single prefix going down should not kill
  your entire network.  (Nameservers and resolvers being unreachable
  breaks the whole Internet as far as users are concerned.)
  
  How do you do this in the IPv6 world, where I get a single /32?  Will
  others accept announcements of two /33s to better handle things like
  this?
 
 The better solution is to trade secondary services with some other
 provider. Sure, it's a bit of a pain keeping up with the new zones
 to be added and old zones to be removed back and forth, but, it's
 a great way to have your authoritative servers truly diverse and
 independent.

At $JOB[3], where I was responsible for this sort of thing, a small amount
of shell scripting behind inetd on the master[1], and slightly more shell
scripting behind cron on the secondaries[2], and all our problems were
solved for all time.

- Matt

[1] Read /etc/named/zones/* mangled the (standardised) filenames to get a
list of the zones, and dumped it on stdout, which went out on a high port
that inetd was listening on.

[2] nc to the master on the relevant high port, read the list and write out
an automated named.conf fragment.  Also use a bit of md5sum to detect when
the list changed, so we know when to reload named on the slave.

[3] Subscript, not footnote.

Re: Numbering nameservers and resolvers

[Sven Olaf Kamphuis]

nowadays, i'd simply put them all on the same /24 which you simply 
announce on different pops


tcp/zonetransfer not working reliably is no longer a problem as you simply 
retreive those directly from the database over a seperate ip, no more old-fashioned 
bind related crap.


so 1 /24 prefix, with one ip for your authorative nameserver, and maybe 
one for a resolver if needed, and the rest you leave unused..


this you simply put right next to the routers where you pick up your 
transit for transport to your own facilities (bet you have some rackspace 
and power left there too ;)


making the network itself redundant rather than the 
nameserver...


not to mention ofcourse that you fit these nameservers with solid state 
hdd's and ramdisks for the changing files and no moving parts so they last 
forever, and that whatever nameserver software you run is either an init 
child with respawn..


as these boxes are actually an integrated solid state router+nameserver, 
they have a normal static ip for the bgp/ospf session/routing and 
therefore can use this ip to retreive information themselves from the 
database and other nameservers


once more and more parties buy/build routers with sufficient ram and 
therefore can handle larger routing tables (it's 2010 people, move on ;) 
you can also make the prefix smaller, let's say a /29..


our own setup is not yet a proper example here btw, so no bashing on that, 
but this is what our next setup will look like.


kinda like ripes k-root, just used for ordinary authorative 
servers/resolvers


pretty much plug and play (with ospf, with bgp it requires some 
additional configging ;) and nuke resistant, just the way we like it.


this whole you have to put 2 nameservers on two seperate subnets at two 
different locations seems a bit.. pre-1993 to me.
plus, why only 2, why not... 20 or so, all in different parts of the world 
and let bgp handle the rest.


--
Greetings,

Sven Olaf Kamphuis,
CB3ROB Ltd.  Co. KG
=
Address: Koloniestrasse 34 VAT Tax ID:  DE267268209
 D-13359   Registration:HRA 42834 B
 BERLINPhone:   +31/(0)87-8747479
 Germany   GSM: +49/(0)152-26410799
RIPE:CBSK1-RIPEe-Mail:  s...@cb3rob.net
=
penpen C3P0, der elektrische Westerwelle

=

Confidential: Please be advised that the information contained in this
email message, including all attached documents or files, is privileged
and confidential and is intended only for the use of the individual or
individuals addressed. Any other use, dissemination, distribution or
copying of this communication is strictly prohibited.


On Tue, 17 Aug 2010, Matthew Palmer wrote:


On Mon, Aug 16, 2010 at 06:08:02AM -0700, Owen DeLong wrote:

On Aug 16, 2010, at 6:03 AM, Chris Adams wrote:

Once upon a time, Patrick W. Gilmore patr...@ianai.net said:

1) Use different prefixes.  A single prefix going down should not kill
your entire network.  (Nameservers and resolvers being unreachable
breaks the whole Internet as far as users are concerned.)


How do you do this in the IPv6 world, where I get a single /32?  Will
others accept announcements of two /33s to better handle things like
this?


The better solution is to trade secondary services with some other
provider. Sure, it's a bit of a pain keeping up with the new zones
to be added and old zones to be removed back and forth, but, it's
a great way to have your authoritative servers truly diverse and
independent.


At $JOB[3], where I was responsible for this sort of thing, a small amount
of shell scripting behind inetd on the master[1], and slightly more shell
scripting behind cron on the secondaries[2], and all our problems were
solved for all time.

- Matt

[1] Read /etc/named/zones/* mangled the (standardised) filenames to get a
list of the zones, and dumped it on stdout, which went out on a high port
that inetd was listening on.

[2] nc to the master on the relevant high port, read the list and write out
an automated named.conf fragment.  Also use a bit of md5sum to detect when
the list changed, so we know when to reload named on the slave.

[3] Subscript, not footnote.

Re: Numbering nameservers and resolvers

[Joe Greco]

 nowadays, i'd simply put them all on the same /24 which you simply 
 announce on different pops
 
 tcp/zonetransfer not working reliably is no longer a problem as you simply 
 retreive those directly from the database over a seperate ip, no more 
 old-fashioned 
 bind related crap.

tcp/zonetransfer can also be configured to run off of a different IP
address, for example, the native IP of the box.

This works just fine.

In BIND, you're looking for

transfer-source ${qaddr} port ${qport};

IIRC.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

Re: Numbering nameservers and resolvers

[Jared Mauch]

On Aug 17, 2010, at 8:56 AM, Chris Adams wrote:

 Once upon a time, Sven Olaf Kamphuis s...@cb3rob.net said:
 tcp/zonetransfer not working reliably is no longer a problem as you simply 
 retreive those directly from the database over a seperate ip, no more 
 old-fashioned bind related crap.
 
 TCP is not just for zone transfers (especially in the age of DNSSEC and
 still-broken firewalls).

Yeah.

there's a lot of bad networking voodoo out there.

I was on the NY State Thruway in recent weeks, and noticed a few things:

1) Don't query their website for an  record, nor attempt to report it to 
the state.  They say we don't support IPv6 - not understanding sending back a 
SERVFAIL is bad
2) Don't expect 1.1.1.1 to work, they use that as a HTTPS portal, so you not 
only get broken IP, but a broken certificate login page
3) Comcast will sometimes reply from a different IP than you sent the query 
if the dns query fails in such a manner.

- Jared

Re: Numbering nameservers and resolvers

[Joe Greco]

 One of my former employers backhauled all their legacy nameservers to a =
 single site, eg: e[0-2].ns.voyager.net.
 
 While they were originally on diverse subnets and geographical =
 locations, this appears to have changed.

As one of the people who originally worked on that setup, I'll note that
they're all being announced by 7321, which is certainly not the ideal 
for purposes of diversity, but I notice some variation in the ping times,
so it's not clear to me that there's a reliable basis for expecting that
they're not at least diverse geographically.

The original locations were in Dayton, Kalamazoo, and New Berlin, all
of which are several ms away from Chicago, and while several of the
facilities have been shuffled around or closed, it's not clear that
there aren't still nameservers in those states.  AS diversity wasn't
there for all that long to begin with; I seem to recall that a lot of
it was being announced from 8011 as the integration efforts went on.

It seems to me that for very small or very large organizations, there
are significant benefits to finding AS diversity, but for mid-size 
ones, the picture is a bit less clear.  In the Voyager case, the 
existence of separate networks was something that came along as more
of a bonus and side effect of acquistions, and nameserver engineering
took advantage of it, but network engineering's goal was to get all
the networks integrated and connected, so eventually things got rolled
into 8011.  That would definitely count as somewhat suboptimal from
the point of nameserver reliability, but the network grew generally
more reliable since there weren't twenty slightly different ways of
doing things and lots of legacy crud that neteng needed to just know.

While that did a lot to increase the overall reliability of the network,
it certainly is putting your eggs all in one basket, and then you have
to be ready for the hazards.  We had, for example, this guy in Michigan
who liked to load up routers in remote locations with unreleased 
versions of Cisco code that he'd get from his contacts at Cisco, which
led to several cases of network downtime when they didn't work as
expected (or at all).  I believe that Wisconsin network engineering
was generally fearful that one day it would turn ugly and something
bad would happen that would take down the whole network; this is the
downside to having less compartmentalization.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

Re: Numbering nameservers and resolvers

[John Kristoff]

On Tue, 17 Aug 2010 12:11:56 + (UTC)
Sven Olaf Kamphuis s...@cb3rob.net wrote:

 nowadays, i'd simply put them all on the same /24 which you simply 
 announce on different pops

I would raise a red flag of caution with this approach especially for
services that need to be reachable outside your network  If there
is a a snafu with said /24 prefix, particularly outside your own routing
domain, a reachability problem could persist for an extended period
and you'd be in a difficult position to solve it on your own.

For instance, if it flaps and someone, for better or worse, dampens that
route, that could mean an extended outage for all those hosts until the
damping period timer expires.

On a related note, some systems and folks have taken multiple unique
origin ASNs as a measure of diversity.  In pratice, unless there is
some odd AS path mangling going on for your specific routes, which is
unlikely, one can properly instrument diversity using a single origin
ASN with multiple prefixes.  Its the path and the prefix that matters,
much less the ASN.

John

Re: Numbering nameservers and resolvers

[Doug Barton]

On 08/17/2010 05:11, Sven Olaf Kamphuis wrote:

tcp/zonetransfer not working reliably is no longer a problem


TCP is a MUST for DNS.

It's used as a fallback in the normal resolution process if an answer 
can't fit in a UDP packet for whatever reason. This is true even for 
common things like large A record lists, but is only becoming more 
frequent in the age of DNSSEC, , etc. It is unfortunately even more 
necessary than we had hoped it would be due to many local network 
operators not getting the memo regarding EDNS.



hth,

Doug

--

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
-- Pablo Picasso

Re: Numbering nameservers and resolvers

[Nick Olsen]

So lets say that you have multiple DNS resolvers in the same ip space that 
you advertise from multiple locations. All would be fine for the most part. 
But if you had a location equidistant network wise from two POP's wouldn't 
it load balance and possibly break some TCP sessions? How would someone get 
around this? This is also what OpenDNS does from what I understand.

Nick Olsen
Network Operations
(321) 205-1100 x106



From: Doug Barton do...@dougbarton.us
Sent: Tuesday, August 17, 2010 2:12 PM
To: Sven Olaf Kamphuis s...@cb3rob.net
Subject: Re: Numbering nameservers and resolvers

On 08/17/2010 05:11, Sven Olaf Kamphuis wrote:
 tcp/zonetransfer not working reliably is no longer a problem

TCP is a MUST for DNS.

It's used as a fallback in the normal resolution process if an answer 
can't fit in a UDP packet for whatever reason. This is true even for 
common things like large A record lists, but is only becoming more 
frequent in the age of DNSSEC, , etc. It is unfortunately even more 
necessary than we had hoped it would be due to many local network 
operators not getting the memo regarding EDNS.

hth,

Doug

-- 

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
-- Pablo Picasso

Re: Numbering nameservers and resolvers

[Mikael Abrahamsson]

On Tue, 17 Aug 2010, Nick Olsen wrote:


So lets say that you have multiple DNS resolvers in the same ip space that
you advertise from multiple locations. All would be fine for the most part.
But if you had a location equidistant network wise from two POP's wouldn't
it load balance and possibly break some TCP sessions? How would someone get
around this? This is also what OpenDNS does from what I understand.


Usually network do not loadshare per-packet on BGP, so a TCP session will 
always go to the same dns server, at least for the short duration this 
TCP session lives.


--
Mikael Abrahamssonemail: swm...@swm.pp.se

Re: Numbering nameservers and resolvers

[Graham Beneke]

On 16/08/2010 08:49, Mike wrote:

   I am needing to renumber some core infrastructure - namely, my
nameservers and my resolvers - and I was wondering if the collective
wisdom still says heck yes keep this stuff all on seperate subnets away
from eachother? Anyone got advice either way? Should I try to give
sequential numbers to my resolvers for the benefit of consultants ...
like .11, .22 and .33 for my server ips?


We have 4 authoritative nameservers with a management backend to make 
sure that their records are in sync. The servers are located on 3 
separate continents, originated on 4 different ASNs, numbered from 4 
different /8's and not sharing any common data centre or power 
infrastructure. The software platform is still a single point of failure 
and some people have recommended a mix of software vendors for 
additional redundancy.


With resolvers the approach is a bit different:
You want an easy to remember address and also an address that will not 
be subject to renumbering in the future. Even though they shouldn't we 
see many users statically configuring their DNS resolvers.


A dedicated prefix for each resolver would be my first choice. You can 
then move that prefix to different hardware if necessary even if the 
routing to the hardware changes. A dedicated prefix also allows you to 
anycast the service if required. Since this is only internal routing it 
doesn't need to be a full /24.


I have also found it helpful to have the upstream queries originating 
from IPs in separate prefixes and this is quite easy to move around 
transparently to users or even in an emergency.


On IPv6 I have reserved 4 x /48s for DNS resolvers. The prefixes were 
chosen to be short and easy to remember and they are routed to existing 
resolvers. The :1 of each prefix is added to the loopback on the resolver.


--
Graham Beneke

Numbering nameservers and resolvers

[Mike]

Hi Folks,

   I am needing to renumber some core infrastructure - namely, my 
nameservers and my resolvers - and I was wondering if the collective 
wisdom still says heck yes keep this stuff all on seperate subnets away 
from eachother? Anyone got advice either way? Should I try to give 
sequential numbers to my resolvers for the benefit of consultants ... 
like .11, .22 and .33 for my server ips?


Mike-

Re: Numbering nameservers and resolvers

[Patrick W. Gilmore]

Composed on a virtual keyboard, please forgive typos. 

On Aug 16, 2010, at 7:49, Mike mike-na...@tiedyenetworks.com wrote:

 Hi Folks,
 
   I am needing to renumber some core infrastructure - namely, my nameservers 
 and my resolvers - and I was wondering if the collective wisdom still says 
 heck yes keep this stuff all on seperate subnets away from eachother? Anyone 
 got advice either way? Should I try to give sequential numbers to my 
 resolvers for the benefit of consultants ... like .11, .22 and .33 for my 
 server ips?

1) Use different prefixes.  A single prefix going down should not kill your 
entire network.  (Nameservers and resolvers being unreachable breaks the whole 
Internet as far as users are concerned.)

2) Consider trading secondary NS with another AS.  This is for authorities 
only, recursive NSes should be on-net only. 

3) Try not to use the first /24 in a large prefix.  See as7007 incident for 
why, although that is probably less likely today. 

4) Using easily memorized numbers for at least one authority  one resolved 
will help your NOC, but should not override other considerations. 

That's a start, I'm sure others will have more suggestions. 

-- 
TTFN,
patrick

Re: Numbering nameservers and resolvers

[Aria Stewart]

On Aug 16, 2010, at 12:49 AM, Mike wrote:

 Hi Folks,
 
   I am needing to renumber some core infrastructure - namely, my nameservers 
 and my resolvers - and I was wondering if the collective wisdom still says 
 heck yes keep this stuff all on seperate subnets away from eachother? Anyone 
 got advice either way? Should I try to give sequential numbers to my 
 resolvers for the benefit of consultants ... like .11, .22 and .33 for my 
 server ips?

Resolvers being easily memorable is nice, since they get keyed in by IP.

Authority servers are referred to by name, so IP matters less.

Definitely keep an authority server in another prefix if you can, and resolvers 
in different prefixes is also nice -- but that's more a question of redundancy, 
not numbering.

Other than that, go dense. Addresses are starting to get scarce.

Aria Stewart

Re: Numbering nameservers and resolvers

[Valdis . Kletnieks]

On Sun, 15 Aug 2010 23:49:05 PDT, Mike said:
 I am needing to renumber some core infrastructure - namely, my 
 nameservers and my resolvers - and I was wondering if the collective 
 wisdom still says heck yes keep this stuff all on seperate subnets away 
 from eachother? Anyone got advice either way

Microsoft used to have all their DNS servers on one /24.  Nine years later,
you can still use Google on just 'microsoft dns server failure subnet' and
find this on the second page of over a million hits:

http://www.wired.com/techbiz/media/news/2001/01/41423

(OK, so our local resolvers are in one /24, but it's a bridged VLAN across our
entire campus, the servers are physically in buildings several miles apart, and
if you can't reach at least one of them, it probably means our campus core
network is hosed enough that you're not going to do anything with a DNS
response anyhow... Our authoritative servers are split across 2 different AS's
in 2 different states.)

Whatever gave you the idea that collective wisdom could *possibly* have
moved away from spread it out as far as you can to avoid single points of
failure?


pgpkapCX4BnWZ.pgp
Description: PGP signature

Re: Numbering nameservers and resolvers

[Jeremy Kister]

On 8/16/2010 2:49 AM, Mike wrote:
from eachother? Anyone got advice either way? Should I try to give 


If you have a dedicated subnet for /32s (e.g., router loopback 
interfaces), i'd pick from there.


if you eventually require geo-redundancy or want to load balance your 
queries, it's much neater injecting them into your igp rather than 
having a few /32's injected from an otherwise nice clean /24.


I am also a fan of keeping your recursive and authoritative ip addresses 
separate.  Not only is this much more modular, it can be more secure; 
see http://cr.yp.to/djbdns/separation.html



--

Jeremy Kister
http://jeremy.kister.net./

Re: Numbering nameservers and resolvers

[Randy Bush]

for authoritatuve servers, i try to have one on a very different
backbone on a distant continent.  i make deals with friends.  there have
been just too many failures where servers were in the same facility, or
behind the same routing, or on a single backbone.  see rfc 2182.

for customer- and infrastructure-facing caches, i try for as different
routing domains and peering/x-stream exits as i can while keeping them
easily reachable by their clients.

randy

Re: Numbering nameservers and resolvers

[Arie Vayner]

For resolvers, I guess it would make sense to advertise them as /32s as
dynamic prefixes coming from some SLB device...
You can have multiple VIPs, each representing a different POP/network
domain...

Arie

On Mon, Aug 16, 2010 at 9:49 AM, Mike mike-na...@tiedyenetworks.com wrote:

 Hi Folks,

   I am needing to renumber some core infrastructure - namely, my
 nameservers and my resolvers - and I was wondering if the collective wisdom
 still says heck yes keep this stuff all on seperate subnets away from
 eachother? Anyone got advice either way? Should I try to give sequential
 numbers to my resolvers for the benefit of consultants ... like .11, .22 and
 .33 for my server ips?

 Mike-

Re: Numbering nameservers and resolvers

[Jeroen Massar]

On 2010-08-16 08:49, Mike wrote:
 Hi Folks,
 
I am needing to renumber some core infrastructure - namely, my
 nameservers and my resolvers - and I was wondering if the collective
 wisdom still says heck yes keep this stuff all on seperate subnets away
 from eachother? Anyone got advice either way? Should I try to give
 sequential numbers to my resolvers for the benefit of consultants ...
 like .11, .22 and .33 for my server ips?

Take a IPv4 /24, /28, whatever size you might think you need and an IPv6
/64 and make it your 'service prefix', then anycast this inside your
network and do the standard 'bgp daemon on the box, monitor the local
service' trick and kill the announcement when the service does not work,
presto.

As for the actually numbers, just keep them simple. Using port-numbers
(53 = DNS, 25 = SMTP etc etc etc) where possible is easy for at least
the more technical folks, of course IPv4 only goes up to 255, IPv6 does
not have that issue.

Greets,
 Jeroen

Re: Numbering nameservers and resolvers

[Chris Adams]

Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
 1) Use different prefixes.  A single prefix going down should not kill
 your entire network.  (Nameservers and resolvers being unreachable
 breaks the whole Internet as far as users are concerned.)

How do you do this in the IPv6 world, where I get a single /32?  Will
others accept announcements of two /33s to better handle things like
this?

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: Numbering nameservers and resolvers

[Owen DeLong]

On Aug 16, 2010, at 6:03 AM, Chris Adams wrote:

 Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
 1) Use different prefixes.  A single prefix going down should not kill
 your entire network.  (Nameservers and resolvers being unreachable
 breaks the whole Internet as far as users are concerned.)
 
 How do you do this in the IPv6 world, where I get a single /32?  Will
 others accept announcements of two /33s to better handle things like
 this?
 
The better solution is to trade secondary services with some other
provider. Sure, it's a bit of a pain keeping up with the new zones
to be added and old zones to be removed back and forth, but, it's
a great way to have your authoritative servers truly diverse and
independent.

Owen

Re: Numbering nameservers and resolvers

[Patrick W. Gilmore]

On Aug 16, 2010, at 9:03 AM, Chris Adams wrote:
 Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
 1) Use different prefixes.  A single prefix going down should not kill
 your entire network.  (Nameservers and resolvers being unreachable
 breaks the whole Internet as far as users are concerned.)
 
 How do you do this in the IPv6 world, where I get a single /32?  Will
 others accept announcements of two /33s to better handle things like
 this?

Oobviously I was not thinking clearly, since I was only considering v4. 
=)

But you do what you can.  Some people have only a single v4 prefixes as well.  
If you can't use more than one prefix, then don't.

Other good suggestions were things like ensuring the default exit point for 
each NS was a different vector.  If you have only one exit point, that is not 
possible.  But it does not mean the suggestion is bad.

-- 
TTFN,
patrick

Re: Numbering nameservers and resolvers

[Arie Vayner]

In IPv6 you should be able to advertise up to /48 with no problem...
Arie

On Mon, Aug 16, 2010 at 4:03 PM, Chris Adams cmad...@hiwaay.net wrote:

 Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
  1) Use different prefixes.  A single prefix going down should not kill
  your entire network.  (Nameservers and resolvers being unreachable
  breaks the whole Internet as far as users are concerned.)

 How do you do this in the IPv6 world, where I get a single /32?  Will
 others accept announcements of two /33s to better handle things like
 this?

 --
 Chris Adams cmad...@hiwaay.net
 Systems and Network Administrator - HiWAAY Internet Services
 I don't speak for anybody but myself - that's enough trouble.