

To: Jesper Skriver <jesper@skriver.dk>
cc: dnsop@cafax.se, Michael Lyngbøl <michael@lyngbol.dk>
From: Måns Nilsson <mansaxel@sunet.se>
Date: Tue, 05 Nov 2002 00:31:17 +0100
In-Reply-To: <20021104204008.GA12739@skriver.dk>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

--On Monday, November 04, 2002 21:40:09 +0100 Jesper Skriver
<jesper@skriver.dk> wrote:

> The reason it's not listed, is that we don't advertise it globally -
> only to peers in Denmark - but as this now includes Sprint, traffic to
> the boxes increased significantly (peaks of 16 Mbps seen), causing the
> instability.

And I get them from Sprint to Nordunet in Copenhagen, as well as from
Sprint in Stockholm when I'm on my home ISP. (I also do remember seeing
Tele Danmark as an AS112 advertiser back during RIPE 42.) Your actions to
participate come at the right time, and this (to justify keeping the thread
on dnsop..) is a prime example of why global synchronisation of an anycast
resource (to prevent chaos and confusion) is vital.

One of the more compelling reasons for OOB communication regarding
operation of anycast systems is the potential for new services to be
directed to name servers within an already used anycast block. Those
operators not informed of this might end up auto-DoSing themselves, since a
potentially important part of DNS namespace now is pointed to something
they themselves are responsible for. Is there any prior thinking done on
this? 

I still believe that dnssec holds some of the necessary means to
reestablish whatever trust was lost in the deployment of anycast, but until
dnssec is feasible and deployed, we need to talk and agree over suitable
beverages to make this work. (Not that we can stop talking operations after
our holy Grail of signed records has been carried in procession through the
breakfast halls of a suitable IETF meeting, but the uncertainty of data in
unsigned anycast makes it much more fragile -- with dnssec we know when the
data is broken, since the sigs won't match.)

/måns, pondering an AS112 setup for himself... 
-- 
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.

