To: Paul Vixie <vixie@vix.com>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Mon, 28 Apr 2003 23:23:38 +0200
In-Reply-To: <g3d6j7w4ci.fsf@sa.vix.com>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-ietf-dnsop-serverid-01.txt

At 5:58 AM +0000 2003/04/28, Paul Vixie wrote:
> in other words, before we can decide how to encode or solicit or carry
> nameserver identity, we have to decide the conceptual meaning of identity
> as applied to nameservers. if i loadbalance by running two processes on
> a dual-processor system, but they respond to the same address/port combos
> even though each one could have its own configuration, how many identities
> do i have? that sort of thing.

Indeed, when I set up the caching nameserver farm at AOL in '96,
I had four DEC Alpha 4100s with four processors each, 4GB of RAM, and
four copies of BIND 8 running on each machine, each process listening
to a different virtual interface/IP address that was bound to the
same physical address. I benchmarked the processes, and each one
could handle about 2000 queries per second, regardless of whether I
was running one or four processes, or anywhere in-between.

Dunno what happened to that farm. I'll have to ask some friends
& former co-workers who might still be there.

I'm thinking we might be able to do this with hashes of public
crypto keys. Each process would need a unique public key/private key
pair for successful secure control via remote processes (e.g., rndc
and such like), and this key could be kept in a separate file for
each instance of each nameserver. You could either include the
public part (or hash thereof) in each EDNS response, or include a
portion.

However, I fear that we're getting well away from operational
issues, and this aspect of the discussion should probably be taken up
within DNSEXT.

--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
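
The per-process identity suggested in the message above, sketched as an added example (not code from the original post or from any nameserver implementation). Assumptions: SHA-256 as the hash, an 8-byte truncation for "a portion", an option code from the EDNS local/experimental range, and constructed byte strings standing in for real public keys.

```python
import hashlib
import struct

# Assumption: code from the EDNS local/experimental range (65001-65534,
# RFC 6891); the message does not name an option code.
OPT_CODE_SERVER_ID = 65001
ID_LEN = 8  # assumption: carry only the first 8 bytes of the hash


def server_id(public_key: bytes, length: int = ID_LEN) -> bytes:
    """Identity of one nameserver process: truncated SHA-256 of its public key."""
    return hashlib.sha256(public_key).digest()[:length]


def encode_option(public_key: bytes) -> bytes:
    """EDNS option wire form: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    ident = server_id(public_key)
    return struct.pack("!HH", OPT_CODE_SERVER_ID, len(ident)) + ident


def decode_options(rdata: bytes) -> dict:
    """Walk the option list of an OPT record's RDATA; reject truncated input."""
    options, offset = {}, 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if len(rdata) - offset < length:
            raise ValueError("option data shorter than OPTION-LENGTH")
        options[code] = rdata[offset:offset + length]
        offset += length
    return options


def identify(rdata: bytes, known: dict) -> str:
    """Map the identity carried in a response to a configured instance name."""
    ident = decode_options(rdata).get(OPT_CODE_SERVER_ID)
    for name, key in known.items():
        if ident == server_id(key):
            return name
    return "unknown"


# Constructed sample: four processes on one host, one key file each.
KEYS = {f"alpha1-proc{i}": f"constructed-public-key-{i}".encode() for i in range(4)}

if __name__ == "__main__":
    for name, key in KEYS.items():
        print(name, encode_option(key).hex())
```

Each process yields a distinct identity even when several share one machine, because the value follows the key file rather than the host or address.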