To: Jesper Skriver <jesper@skriver.dk>
cc: dnsop@cafax.se, Michael Lyngbøl <michael@lyngbol.dk>
From: Måns Nilsson <mansaxel@sunet.se>
Date: Tue, 05 Nov 2002 00:31:17 +0100
Content-Disposition: inline
In-Reply-To: <20021104204008.GA12739@skriver.dk>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

--On Monday, November 04, 2002 21:40:09 +0100 Jesper Skriver <jesper@skriver.dk> wrote:

> The reason it's not listed, is that we don't advertise it globally -
> only to peers in Denmark - but as this now includes Sprint, traffic to
> the boxes increased significantly (peaks of 16 Mbps seen), causing the
> instability.

And I get them from Sprint to Nordunet in Copenhagen, as well as from Sprint in Stockholm when I'm on my home ISP. (I also do remember seeing Tele Danmark as an AS112 advertiser back during RIPE 42.)

Your actions to participate come at the right time, and this (to justify keeping the thread on dnsop..) is a prime example of why global synchronisation of an anycast resource (to prevent chaos and confusion) is vital.

One of the more compelling reasons for OOB communication regarding operation of anycast systems is the potential for new services to be directed to name servers within an already used anycast block. Those operators not informed of this might end up auto-DoSing themselves, since a potentially important part of DNS namespace now is pointed to something they themselves are responsible for. Is there any prior thinking done on this?

I still believe that dnssec holds some of the necessary means to reestablish whatever trust was lost in the deployment of anycast, but until dnssec is feasible and deployed, we need to talk and agree over suitable beverages to make this work. (Not that we can stop talking operations after our holy Grail of signed records has been carried in procession through the breakfast halls of a suitable IETF meeting, but the uncertainty of data in unsigned anycast makes it much more fragile -- with dnssec we know when the data is broken, since the sigs won't match.)

/måns, pondering an AS112 setup for himself...

--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.