In <7230.1127829972@xxxxxxxxxxxxx> Robert Elz <kre@xxxxxxxxxxxxx> writes:

> | Without getting into too much detail, Anycast doesn't work with TCP,
> | but it also doesn't work with large UDP packets and fragments.
>
> Anycast does not work (or perhaps more correctly, in some circumstances
> when there is routing instability, will not work) with fragmented UDP packets
> (the size of the packets is irrelevant, only whether they are fragmented),
> when sending those fragments *to* an anycast address.

In order for anycast DNS to fail, either due to the use of TCP or in cases where the UDP DNS query was fragmented, doesn't the network routing instability have to be such that retries also fail? A single failure isn't fatal, after all. The routes would have to be flapping pretty badly to most of the root servers (anycast or not) for this to cause any problems, in which case, I think we would be far more worried about other things.

> It is anycast at the root name servers that you seem to be complaining about.
> If the root servers are doing fine grained load balancing, then it would not
> only be routing instability that would result in a switch of server. I am
> by no means convinced that even that would be any kind of a serious problem
> for the root servers (or those sending legitimate queries to them [...]

I'm not sure I see any problem at all here, serious or not. Even if a root server is doing fine grained load balancing, all the packets will still end up at the destination address, where fragments can be reassembled and out of order reception can be resolved.

> Now, if you, the client, are using anycast, and you're sending DNS queries
> from what is effectively an anycast address, then you're likely to have
> all kinds of problems. But that's your problem, no-one else's.

Yeah, I can't see how a DNS client could work as an anycast destination. Getting an answer on a machine that you didn't send the query from isn't going to be very useful.

This is all theoretical arguing and theory is different than practice. Can someone show an actual case where the use of anycast DNS servers causes problems? Using standard commands like dig or nslookup would be best, but even if you have to create a specialized DNS client and/or server, that would make any real problems much clearer. I'm not looking for rock solid, can-not-get-around examples even, just like I don't think you need to show that a buffer overrun can actually cause an exploit. Just a proof of concept will do.

Right now, it looks like in theory, the use of anycast DNS servers can't be a significant problem. So far, I have seen no demonstrations of practical problems. To the best of my understanding, this has been the state of the debate for years now. This looks like a tempest in a teapot to me.

-wayne

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
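The failure mode argued over in this thread, as an added example that is not part of the original post or of any real resolver: a constructed Python model of an anycast service under routing instability. Several instances share one anycast address, a caller-supplied route function decides which instance each packet reaches, and a query that arrives as several IP fragments is answered only if every fragment of that datagram lands on the same instance, since reassembly is per host. The scenarios (stable routing, a single route flap, a route that changes on every packet) are assumptions chosen to illustrate the two points made above: only fragmentation matters, not packet size, and a single mis-routed datagram is recovered by a retry unless routing keeps flapping.

```python
"""Toy model of anycast DNS under routing instability (constructed example).

Instances share one anycast address. `route_fn(packet_number)` returns the
index of the instance that the network delivers packet number N to; this
stands in for the "best path" chosen by routing at that moment. A UDP query
that fits in one datagram always succeeds. A query split into IP fragments
succeeds only if every fragment of that datagram reaches the same instance,
because each instance reassembles independently.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Instance:
    """One anycast instance with its own per-datagram reassembly buffers."""
    name: str
    reassembly: Dict[int, Set[int]] = field(default_factory=dict)

    def receive(self, dgram_id: int, frag_index: int, frag_total: int) -> bool:
        """Accept one fragment; return True once the whole datagram is present."""
        frags = self.reassembly.setdefault(dgram_id, set())
        frags.add(frag_index)
        if len(frags) == frag_total:
            del self.reassembly[dgram_id]
            return True  # full query reassembled; this instance can answer
        return False


class AnycastNetwork:
    """Delivers each packet to whichever instance routing currently prefers."""

    def __init__(self, instances: List[Instance], route_fn: Callable[[int], int]):
        self.instances = instances
        self.route_fn = route_fn
        self.packets_sent = 0  # global packet counter fed to route_fn

    def deliver(self) -> Instance:
        idx = self.route_fn(self.packets_sent)
        self.packets_sent += 1
        return self.instances[idx]


def send_query(net: AnycastNetwork, dgram_id: int, fragments: int) -> bool:
    """Send one UDP query as `fragments` IP fragments to the anycast address.

    Returns True if some instance reassembled the complete datagram. Size is
    irrelevant here: a 60-byte query and a 1400-byte query are both one
    fragment, and both always succeed; only fragmentation can split the
    query across instances.
    """
    for i in range(fragments):
        inst = net.deliver()
        if inst.receive(dgram_id, i, fragments):
            return True
    return False


def query_with_retries(net: AnycastNetwork, fragments: int, retries: int) -> Optional[int]:
    """Retry a query like a resolver would. Returns the attempt number that
    succeeded (0 = first try), or None if every attempt failed.

    Each attempt is a fresh datagram (new id), so stale fragments held by a
    different instance cannot combine with fragments of a later attempt.
    """
    for attempt in range(retries + 1):
        if send_query(net, dgram_id=attempt, fragments=fragments):
            return attempt
    return None


def run_scenario(route_fn: Callable[[int], int], fragments: int,
                 retries: int, n_instances: int = 2) -> Optional[int]:
    """Build a fresh network with `n_instances` instances and run one query."""
    net = AnycastNetwork([Instance(f"inst{i}") for i in range(n_instances)], route_fn)
    return query_with_retries(net, fragments, retries)


if __name__ == "__main__":
    # Stable routing: a 3-fragment query is answered on the first try.
    print("stable routing, 3 fragments:", run_scenario(lambda n: 0, 3, 2))
    # One route flap while the first datagram is in flight: the first attempt
    # is lost, the retry goes through. A single failure is not fatal.
    print("single flap, 2 fragments:", run_scenario(lambda n: 1 if n == 1 else 0, 2, 1))
    # Route changes on every packet: no datagram is ever reassembled.
    print("flapping every packet, 2 fragments:", run_scenario(lambda n: n % 2, 2, 3))
    # Same pathological routing, but an unfragmented query: always fine.
    print("flapping every packet, 1 fragment:", run_scenario(lambda n: n % 2, 1, 0))
```

The TCP case discussed above maps onto the same model: treat each segment of the handshake and request as a "fragment" that must reach the instance holding the connection state, and a route change between SYN and the following segments looks exactly like the flapping scenario, while a route that only changes occasionally is recovered by the resolver's retry or fallback.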