netsec-sig - Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?

Subject: Internet2 Network Security SIG

  • From: David Farmer <>
  • To:
  • Cc: Brad Fleming <>, Dave Diller <>, Akbar Kara <>, Bill Owens <>, NTAC <>, Kim Milford <>, "" <>
  • Subject: Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
  • Date: Fri, 3 Nov 2017 11:21:23 -0500

I don't think these routes should be withdrawn from R&E or TR/CPS tables, but we should have a BGP community to tag these anycast routes for an exception to the normal R&E Local Preference many of us typically apply.

That's my 2 cents.

On Fri, Nov 3, 2017 at 10:42 AM, Steven Wallace <> wrote:
Brad,

I’m thinking out loud, so I wouldn't change anything without better advice :-)

steve


On Nov 3, 2017, at 11:35 AM, Brad Fleming <> wrote:


On Nov 3, 2017, at 10:03 AM, Dave Diller <> wrote:



I think we need to be careful WRT to routes to roots. Roots are anycast, and since most of us local-pref TR-CPS/I2, this could lead to suboptimal DNS requests, both in terms of path used, and concentrating queries to fewer servers. This may already be happening. It would be good for someone to check the I2/CPS routing tables for the root anycast prefixes.

MAX had an I2-facing instantiation of D-root for a while last year.  From what I remember, there really was not a lot of traffic to it, as compared to the commodity-facing ones, and they redeployed.

Kinda makes sense, due to lower visibility in an isolated network, versus worldwide.

But it did not seem to suck in a lot of traffic simply due to query concentration / localpref.

-dd


KanREN hosts and announces availability to an L-Root instance running on dedicated hardware in the Kansas City area. We announce:
2001:500:3::/48
2001:500:9e::/47 
2001:500:9f::/48
to TR-CPS as well as R&E. They requested we announce the prefixes at all peering points; however, it might make sense for us to withdraw the paths from I2 routing tables simply to avoid the situation Steve points out.

I don’t wanna drag the thread too far off its original purpose so feel free to hit me up unicast with any profanity-laden emails about our backwater, hare-brained schemes. :D
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network




--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================


