netsec-sig - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?

Subject: Internet2 Network Security SIG

List archive

[Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?

From: Dave Diller <>
To: Steven Wallace <>
Cc: Akbar Kara <>, Bill Owens <>, "" <>, NTAC <>, Kim Milford <>, "" <>
Subject: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
Date: Fri, 3 Nov 2017 11:03:47 -0400
Ironport-phdr: 9a23:LMnssxaPKnR5n2ccObfVstD/LSx+4OfEezUN459isYplN5qZoMqybnLW6fgltlLVR4KTs6sC0LuG9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQtFiT6+bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjm58axlVAHnhzsGNz4h8WHYlMpwjL5AoBm8oxBz2pPYbJ2JOPZ7eK7WYNEUSndbXstJSyNODZ6yYYsNAOQPMuhWrIf9qUUJoxalGQmsHebvxiNIhnPqw6E31fkqHwHc3AwnGtIDqHrao8/rNKgMTOu7wqjIzTHHb/xIwzf29Y/FfQ07rvGSQ719as/RxlMgFgPKj1WQppbqPyuS1uQVqWSb6fRvVf62hmMhtgp/oSCvy98th4TKnI4Z1F7J+TtjzIooKtC1RlR3bN2rHZdIqS2WK4p7Ttk/T2xsuSs20KAKtJy6cSQQxpkqwQPUZeadfIiS+B3jUf6cITdmi3Jhf7Kynwi98VO6xeHiTMW0zVNKoTdfntnNrnAN1xnT68edRvRh+Ueh3C6D1wHV6u5aPUA5javWJp07zrIumJcfr17PEjL5lUj4lqObdUop9vCt6+v9Y7XmopGcN5VzigH7Kqkhh9GwAeU8MggKQWeb4/+x1KDm/ULkWrlFkOA5krTBvJDAOcsbvrK5AxNS0os78BawESup0MkCnXkGMFJEeAuLjobmO1zVJPD4DOy/g0i3kDt13fzGP7vhAonTIXjZlrfuY6p951BGxAUt0N9f+sEcNrZUG+7+REL3/OPRChswOAH8l/38F/18y8UTVX/ZUYGDN6aHnVaW66oDIu2IaZVd7Dr0NfUN4vf+gn42kEcaZe+v0IdBOyPwJehvP0jMOSmkudwGC2pf+1NmFOE=

>
>
> I think we need to be careful WRT to routes to roots. Roots are anycast,
> and since most of us local-pref TR-CPS/I2, this could lead to suboptimal
> DNS requests, both in terms of path used, and concentrating queries to
> fewer serves. This may already be happening. It would be good for someone
> to check the I2/CPS routing tables for the root anycast prefixes.

MAX had an I2-facing instantiation of D-root for a while last year. From
what I remember, there really was not a lot of traffic to it, as compared to
the commodity-facing ones, and they redeployed.

Kinda makes sense, due to lower visibility in an isolated network, versus
worldwide.

But it did not seem to suck in a lot of traffic simply due to query
concentration / localpref.

-dd

[Security-WG] DNS Serving Stale to the rescue?, Steven Wallace, 11/02/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Bill Owens, 11/03/2017
  - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/03/2017
  - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
    - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Akbar Kara, 11/03/2017
      - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
        
        [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Dave Diller, 11/03/2017
        
        [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Brad Fleming, 11/03/2017
        
        [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/03/2017
        
        [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Jeff Bartig, 11/03/2017
        
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Paul Howell, 11/03/2017
        
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/06/2017
        
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/03/2017
        
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
        
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Paul Howell, 11/03/2017
        Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/03/2017

List archive

[Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?