

To: Randy Bush <randy@psg.com>, DNS Operations <dnsop@cafax.se>
From: David Conrad <david.conrad@nominum.com>
Date: Wed, 23 Oct 2002 00:31:29 -0700
In-Reply-To: <E184471-0003F3-00@rip.psg.com>
Sender: owner-dnsop@cafax.se
User-Agent: Microsoft-Entourage/10.1.0.2006
Subject: Re: anycast

Root server anycast as it exists today has the benefit that the people
advertising the address are the people who are supposed to advertise the
address.  In theory, at least, there is an origin AS associated with the
root IP address that can and should be locked down.

You are proposing to destroy that relationship.  On purpose.

Maybe it's just me, but this seems like a really bad idea.  Might seem like
a good idea to folks in authoritarian governments who want to muck about
with the contents of the zone though.

Not sure how anyone would classify this as "prudent".

Rgds,
-drc
--------
On 10/22/02 11:50 AM, "Randy Bush" <randy@psg.com> wrote:
> smb made what seems like a good suggestion for how to prudently
> deploy anycast root and gtld servers prior to dnssec deployment.
> 
> an isp runs one or more anycast slaves for root and/or gtld servers
> within their autonomous system and filters out other announcements
> of that address at their border.  just plain don't let it into your
> igp.  think of it as a degenerate case of the massey nanog paper.
> 
> the question then becomes how to acquire an authentic copy of the
> root and gtld zone files on a regular basis.  this may be as much
> of a layer nine pain as a layer four one.
> 
> randy
> 
> #----------------------------------------------------------------------
> # To unsubscripbe, send a message to <dnsop-request@cafax.se>.
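
An added example, not part of either message above: one way to express the origin-AS lock-down mentioned in the reply, as a check that flags any announcement of a protected prefix whose origin AS is not the expected one. The prefix, AS numbers, max_len policy field and announcements are all constructed from documentation ranges, and AS_SET origins are assumed not to occur.

```python
import ipaddress

# Constructed policy (documentation prefix and documentation ASNs, not
# real root-server data): each protected prefix maps to the single AS
# expected to originate it and the longest prefix length accepted.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): {"origin": 64500, "max_len": 24},
}

def classify(prefix, as_path, policy=EXPECTED_ORIGINS):
    """Return 'valid', 'invalid-origin', 'invalid-length' or 'not-covered'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the rightmost AS in the path is the originator
    # A more-specific of a protected prefix is still covered by the policy.
    covering = [p for p in policy
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "not-covered"
    entry = policy[max(covering, key=lambda p: p.prefixlen)]
    if origin != entry["origin"]:
        return "invalid-origin"
    if net.prefixlen > entry["max_len"]:
        return "invalid-length"  # right origin, unexpected more-specific
    return "valid"

def audit(announcements, policy=EXPECTED_ORIGINS):
    """Return (prefix, as_path, verdict) for covered announcements that fail."""
    findings = []
    for prefix, as_path in announcements:
        verdict = classify(prefix, as_path, policy)
        if verdict.startswith("invalid"):
            findings.append((prefix, as_path, verdict))
    return findings

# Constructed sample of received announcements: (prefix, AS path).
SAMPLE = [
    ("192.0.2.0/24", [64511, 64500]),         # expected origin
    ("192.0.2.0/24", [64511, 64510, 64496]),  # same prefix, other origin
    ("192.0.2.128/25", [64511, 64500]),       # more-specific than allowed
    ("198.51.100.0/24", [64511, 64499]),      # not a protected prefix
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```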

