netsec-sig - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?


[Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?

  • From: Jeff Bartig <>
  • To: Dave Diller <>
  • Cc: "" <>, NTAC <>, Kim Milford <>, "" <>
  • Subject: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
  • Date: Fri, 03 Nov 2017 11:48:14 -0500


On 11/3/17, 10:03 AM, Dave Diller wrote:

MAX had an I2-facing instantiation of D-root for a while last year.  From what I remember, there really was not a lot of traffic to it, as compared to the commodity-facing ones, and they redeployed. 

Kinda makes sense, due to lower visibility in an isolated network, versus worldwide.

But it did not seem to suck in a lot of traffic simply due to query concentration / localpref.

DNS resolvers generally track the response time of root servers and tend to prefer using those that respond the fastest.  Could D-Root via MAX not have gotten a lot of traffic from R&E because there were geographically closer options available?

I took a look at root server routes via the R&E and TR-CPS route tables a few months back as a tangent off a question about .edu TLD server access.  Here is a link to the results:

https://docs.google.com/spreadsheets/d/138pHua9U1tG1S6o08cNJiM3RWsYpUuqqhzRVLMfbDLA/edit?usp=sharing

TR-CPS has pretty good, diverse access to many of the root-servers.  There are improvements that can be made that I need to pursue.

R&E has access to routes to fewer root servers and in many cases those are poor routes.  I've flagged routes that lead to servers outside the U.S. in red on the spreadsheet above.

Since the R&E community often local-prefs the routes learned from Internet2 and R&E peers higher than other routes, these foreign routes to root servers would be preferred.  If, at the same time, DNS resolvers prefer low-latency roots, then the U.S. R&E community is basically going to ignore the I, J, K, L, and M root servers because of the high-latency routes being provided by Internet2.  My thought on this is that providing no route would be better than providing a poor route in these cases.

Jeff

--
Jeff Bartig
Interconnection Architect
Internet2  AS11164 / AS11537
+1-608-616-9908
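As an added illustration of the interaction Jeff describes (this is not code from the thread or from Internet2), a small Python model: BGP best-path selection picks the route with the highest local-pref regardless of latency, and a resolver then ranks the root instances it can reach by measured RTT. The route table, local-pref values and RTTs are constructed sample data; the "within 50 ms of the fastest" rule is a simplification of how resolvers favour low-RTT servers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    root: str          # root server letter
    via: str           # "re" (Internet2 / R&E peer) or "commodity"
    local_pref: int    # higher wins in BGP best-path selection
    rtt_ms: float      # constructed latency to the instance this route reaches

# Constructed sample routes: the R&E-learned routes for I, K and M reach
# instances outside the U.S. (high RTT) but carry the higher local-pref.
ROUTES = [
    Route("A", "commodity", 100, 12.0),
    Route("I", "re", 200, 140.0), Route("I", "commodity", 100, 18.0),
    Route("K", "re", 200, 110.0), Route("K", "commodity", 100, 22.0),
    Route("M", "re", 200, 160.0), Route("M", "commodity", 100, 25.0),
]

def bgp_best_path(routes):
    """One route per root: highest local-pref wins. Later BGP tie-breakers
    (AS path length, MED, ...) are not modelled here."""
    best = {}
    for r in routes:
        cur = best.get(r.root)
        if cur is None or r.local_pref > cur.local_pref:
            best[r.root] = r
    return best

def resolver_preference(best, window_ms=50.0):
    """Resolvers track per-server RTT and favour the fastest. Simplified
    model: a root is effectively used if its RTT is within window_ms of
    the fastest root reachable via the selected routes."""
    fastest = min(r.rtt_ms for r in best.values())
    return sorted(root for root, r in best.items()
                  if r.rtt_ms - fastest <= window_ms)

def withdraw_re_routes(routes, roots):
    """Simulate Internet2 announcing no route at all for the given roots,
    so the commodity route becomes the only candidate."""
    return [r for r in routes if not (r.via == "re" and r.root in roots)]

if __name__ == "__main__":
    # With the high local-pref foreign routes, only A stays in use.
    print(resolver_preference(bgp_best_path(ROUTES)))
    # With no R&E route for I/K/M, the nearer commodity instances are used.
    print(resolver_preference(bgp_best_path(withdraw_re_routes(ROUTES, {"I", "K", "M"}))))
```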
