Date: Mon, 26 Sep 2005 15:41:56 -0400 (EDT)
From: Dean Anderson <dean@xxxxxxx>
Message-ID: <Pine.LNX.4.44.0509261531270.32513-100000@xxxxxxxxxxxxxx>

  | It is not DNSSEC that is broken.

I have not been following dnsop discussions, but from this summary, there is nothing broken beyond your understanding of what is happening.

  | Without getting into too much detail, Anycast doesn't work with TCP,
  | but it also doesn't work with large UDP packets and fragments.

Anycast does not work (or perhaps more correctly, in some circumstances when there is routing instability, will not work) with fragmented UDP packets (the size of the packets is irrelevant, only whether they are fragmented), when sending those fragments *to* an anycast address.

  | DNSSEC requires large UDP packets and fragments.

DNSSEC might send large UDP packets, which might be fragmented, from the server answering a query. A query itself will not be noticeably bigger than it was without DNSSEC (and that is generally much smaller than any reasonable MTU). We send queries to the root servers, and receive answers from them. An anycast address at the root server cannot possibly have any noticeable effect upon DNSSEC UDP.

  | Your assumption below is common: You assume that everyone does coarse
  | grained load balancing or no load balancing.

It is irrelevant what *everyone* does - only what the root nameservers do. It is anycast at the root name servers that you seem to be complaining about. If the root servers are doing fine grained load balancing, then it would not only be routing instability that would result in a switch of server. I am by no means convinced that even that would be any kind of a serious problem for the root servers (or those sending legitimate queries to them - they should not be receiving large queries, and should never be sent a query via TCP under any circumstances - unless they send you a reply with TC set, and I doubt the root servers are going to start doing that).

But which of the root servers are doing fine grained load balancing using anycast that way? And why would they even consider that? Spreading root servers around the globe, using anycast (coarse grained anycast) makes lots of sense; load balancing amongst several servers on the same cable (that is, near the end of the same path) makes almost none.

Now, if you, the client, are using anycast, and you're sending DNS queries from what is effectively an anycast address, then you're likely to have all kinds of problems. But that's your problem, no-one else's.

But, even assuming that there was some validity in your argument (which there isn't), the way to make it would be something more like what you have in the message I am replying to. Note that in this message there was no mention of ISC, and no hints at some kind of conspiracy by anyone to do something with which you disagree, and somehow sneak it in everywhere without your permission (though why anyone would need that I fail to see either). It was that part of your messages which is what I assume was objected to, plus, quite probably, your seeming willingness to keep on making the same invalid argument over and over, even though you're convincing no-one who can see past the volume.

If you want to make what you believe is a valid technical argument, make just that, and leave out the name calling. That is, if you're ever allowed back onto the dnsop list in the first place.

Finally, just for your information - the IETF does not control the root nameservers, and never has, and nothing the IETF says or does has any more than an advisory impact upon how they operate.

kre

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
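The size argument in the reply above (a DNSSEC query is barely larger than a plain one, so any fragmentation happens on the answer leaving the server, not on the query sent to an anycast address) can be checked on the wire. The following Python is an added example, not code from the thread or from any of the people or projects mentioned in it. It builds a minimal DNS query with and without an EDNS0 OPT record carrying the DO bit, builds a constructed DNSKEY answer with dummy bytes of realistic RSA key and signature lengths, and reports which datagrams would exceed a given path MTU. The zone name example.com, the key and signature lengths, the key tag, the RRSIG timestamps, the algorithm number and the MTU values are all assumptions chosen for illustration.

```python
"""Added example: DNS query size versus DNSSEC answer size on the wire.
All names, key/signature lengths, key tag, timestamps and MTUs are constructed."""
import struct

IPV4_HEADER = 20          # IPv4 header without options
UDP_HEADER = 8
CLASS_IN = 1
TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
ALG_RSASHA1 = 5           # RSA/SHA-1, assumed for the dummy keys
OWNER_PTR = b"\xc0\x0c"   # compression pointer to the question name at offset 12


def encode_name(name):
    """Dotted name -> wire format: length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: " + label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def opt_record(udp_payload_size, dnssec_ok):
    """EDNS0 OPT pseudo-RR: root owner, TYPE 41, CLASS = advertised UDP payload size,
    TTL field = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH 0. Always 11 bytes."""
    ttl_field = 0x8000 if dnssec_ok else 0   # DO is bit 15 of the 32-bit field
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl_field, 0)


def build_query(qname, qtype, edns_bufsize=None, dnssec_ok=False, txid=0x1234):
    """Standard query (RD set); an OPT record is appended only when edns_bufsize is given."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if edns_bufsize is not None:
        msg += opt_record(edns_bufsize, dnssec_ok)
    return msg


def rr(rtype, ttl, rdata):
    """Resource record whose owner name is a pointer to the question name."""
    return OWNER_PTR + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rsa_key_field(modulus_bytes):
    """RSA public key field layout (RFC 3110): exponent length, exponent 65537,
    then a dummy modulus of the requested size (constructed, not a real key)."""
    return b"\x03\x01\x00\x01" + b"\xaa" * modulus_bytes


def dnskey_rdata(flags, key):
    return struct.pack("!HBB", flags, 3, ALG_RSASHA1) + key


def rrsig_rdata(type_covered, labels, orig_ttl, keytag, signer, sig):
    """RRSIG RDATA: 18 fixed bytes, signer name, then the signature bytes."""
    expiry, inception = 0x43500000, 0x43300000   # constructed timestamps
    return (struct.pack("!HBBIIIH", type_covered, ALG_RSASHA1, labels, orig_ttl,
                        expiry, inception, keytag) + encode_name(signer) + sig)


def build_dnskey_answer(zone, key_moduli, sig_lengths, ttl=3600, txid=0x1234):
    """Authoritative answer to '<zone> DNSKEY': one DNSKEY per modulus length (the
    first is the KSK, flags 257, the rest ZSKs, flags 256) and one RRSIG per
    signature length, all with dummy key and signature bytes, plus an OPT record."""
    records = b""
    for i, modulus in enumerate(key_moduli):
        records += rr(TYPE_DNSKEY, ttl, dnskey_rdata(257 if i == 0 else 256, rsa_key_field(modulus)))
    for siglen in sig_lengths:
        records += rr(TYPE_RRSIG, ttl, rrsig_rdata(TYPE_DNSKEY, 2, ttl, 12345, zone, b"\x55" * siglen))
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(key_moduli) + len(sig_lengths), 0, 1)  # QR, AA
    question = encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    return header + question + records + opt_record(4096, True)


def fragmented(dns_len, path_mtu):
    """True if the IPv4/UDP datagram carrying dns_len bytes of DNS exceeds path_mtu."""
    return IPV4_HEADER + UDP_HEADER + dns_len > path_mtu


def sample_messages():
    """Constructed messages: plain query, the same query with EDNS0/DO, a steady-state
    DNSKEY answer (RSA-2048 KSK, RSA-1024 ZSK, one KSK signature) and a rollover-style
    answer (two RSA-2048 KSKs, one ZSK, two KSK signatures)."""
    return {
        "query": build_query("example.com", TYPE_DNSKEY),
        "query+edns": build_query("example.com", TYPE_DNSKEY, 4096, True),
        "answer": build_dnskey_answer("example.com", [256, 128], [256]),
        "answer+rollover": build_dnskey_answer("example.com", [256, 256, 128], [256, 256]),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        frag = [mtu for mtu in (576, 1280, 1500) if fragmented(len(msg), mtu)]
        print("%-16s %5d bytes  fragments at MTU %s" % (name, len(msg), frag or "none"))
```

Run stand-alone, it prints one line per message. The query is 29 bytes without EDNS0 and 40 bytes with the OPT record and DO bit set, so the DO bit adds a fixed 11 bytes and no query here comes anywhere near a path MTU. The constructed answers are where the size lives: the steady-state DNSKEY answer (763 bytes) only exceeds a 576-byte MTU, while the rollover-style answer (1338 bytes) would be fragmented at 1280 but not at 1500, which is why fragmentation is a property of the answer and of the path back to the querier rather than of the query aimed at the anycast address.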