To: Paul Vixie <vixie@vix.com>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Mon, 28 Apr 2003 23:23:38 +0200
In-Reply-To: <g3d6j7w4ci.fsf@sa.vix.com>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-ietf-dnsop-serverid-01.txt

At 5:58 AM +0000 2003/04/28, Paul Vixie wrote:

> in other words, before we can decide how to encode or solicit or carry
> nameserver identity, we have to decide the conceptual meaning of identity
> as applied to nameservers. if i loadbalance by running two processes on
> a dual-processor system, but they respond to the same address/port combos
> even though each one could have its own configuration, how many identities
> do i have? that sort of thing.

Indeed, when I set up the caching nameserver farm at AOL in '96, I had four DEC Alpha 4100s with four processors each, 4GB of RAM, and four copies of BIND 8 running on each machine, each process listening to a different virtual interface/IP address that was bound to the same physical address.

I benchmarked the processes, and each one could handle about 2000 queries per second, regardless of whether I was running one or four processes, or anywhere in-between.

Dunno what happened to that farm. I'll have to ask some friends & former co-workers who might still be there.

I'm thinking we might be able to do this with hashes of public crypto keys. Each process would need a unique public key/private key pair for successful secure control via remote processes (e.g., rndc and such like), and this key could be kept in a separate file for each instance of each nameserver.

You could either include the public part (or hash thereof) in each EDNS response, or include a portion.

However, I fear that we're getting well away from operational issues, and this aspect of the discussion should probably be taken up within DNSEXT.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.
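A sketch of the key-hash identifier idea from the message above, added here as an example; it is not code from the original post, from the draft, or from BIND. Assumptions: SHA-256 as the hash, option code 65001 (from the EDNS local/experimental range, since the message names none), constructed stand-in bytes for the per-process public keys, and hypothetical function names throughout.

```python
import hashlib
import struct

# Assumption: option code from the EDNS local/experimental range; the page names none.
OPT_SERVER_KEY_ID = 65001

def key_id(public_key: bytes, length: int = 32) -> bytes:
    """SHA-256 of the instance's public key, optionally truncated ("a portion")."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32 bytes")
    return hashlib.sha256(public_key).digest()[:length]

def encode_option(code: int, data: bytes) -> bytes:
    """EDNS option wire format: 16-bit code, 16-bit length, then the data."""
    return struct.pack("!HH", code, len(data)) + data

def decode_options(rdata: bytes) -> list:
    """Parse OPT RDATA into (code, data) pairs, rejecting truncated options."""
    options, offset = [], 0
    while offset < len(rdata):
        if offset + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if offset + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options

def identify(rdata: bytes, known_keys: dict) -> str:
    """Map the identifier in a response to exactly one known instance."""
    ids = [d for c, d in decode_options(rdata) if c == OPT_SERVER_KEY_ID]
    if len(ids) != 1 or not ids[0]:
        raise ValueError("expected exactly one non-empty identifier option")
    matches = [name for name, pub in known_keys.items()
               if key_id(pub).startswith(ids[0])]
    if len(matches) != 1:
        raise LookupError("identifier matches %d known instances" % len(matches))
    return matches[0]

# Constructed stand-ins for per-process public keys (not real key material).
KNOWN = {"hostA/proc%d" % i: hashlib.sha256(b"constructed-key-%d" % i).digest()
         for i in range(4)}

if __name__ == "__main__":
    rdata = encode_option(OPT_SERVER_KEY_ID, key_id(KNOWN["hostA/proc2"], 8))
    print(identify(rdata, KNOWN))
```

The identifier only labels a response; because a public-key hash is not secret, anyone who can forge the response can copy it, so it distinguishes instances for debugging rather than authenticating them.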