netsec-sig - Re: [Security-WG] [NTAC] Critical DNS Infrastructure
- From: David Farmer <>
- To: John Kristoff <>
- Cc: NTAC <>, "" <>, "" <>
- Subject: Re: [Security-WG] [NTAC] Critical DNS Infrastructure
- Date: Mon, 3 Feb 2020 15:26:14 -0600
On Mon, Feb 3, 2020 at 1:42 PM John Kristoff <> wrote:
> On Mon, 3 Feb 2020 18:57:30 +0000
> David Farmer <> wrote:
> > However there is one difference, the R&E table is frequently local
> > preferenced higher than other commodity Internet paths. In most
> > cases, this works well. But in the case of anycast prefixes, this may
> > not always work so well, especially if the anycast instance is in
> > Europe, Asia Pac, or Africa. There are usually anycast instances in
> > North America, available over commodity Internet paths, even if they
> > aren't in the R&E table.
> This is potentially an interesting area of research to evaluate whether
> this is in fact interfering with the selection algorithm strategies for a
> server that prefers responses with lower round trip times.
> Intuitively, the effect may be minimal as long as a response from a
> nearer server instance is available via another path. I'm going to
> consider actually seeing if this might be worth spending some research
> time on, so thanks for raising it.
Well, if there are other instances using other addresses that are nearer, then it may not be an issue. However, if only an anycast address is available, and the request goes to a far remote instance because of the preference for R&E routes, there isn't a chance for the nearer server to respond, because it won't receive the request.
So for the DNS Root Servers, there are enough different instances, and they seem to be well distributed between R&E and non-R&E paths, that I don't think this is a problem. However, for other anycast services, especially for HTTP/HTTPS, this could still be an issue. Personally, I think the best option is to mark these anycast services in the R&E table with a BGP Community so a more appropriate local route policy can be easily applied by RONs and campuses: in most cases an equal local preference with the commodity Internet, and at least a lower local preference than instances available via local peering.
> Good discussion Dave. If you're at DNS-OARC / NANOG next week, let's
> continue in person with others who will be around and have insight into
> these things.
I won't be at NANOG or DNS-OARC this time, but I believe Jeff Bartig and Adair Thaxton will be at least at NANOG representing Internet2.
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
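The thread above describes a routing-policy effect rather than showing it, so the following is an added illustration, not code from the list, from Internet2 or from either poster. It is a toy model of two BGP decision steps (highest local preference, then shortest AS path) run over a constructed RIB in which one anycast prefix is learned over an R&E path that lands on a European instance and over a commodity path that lands on a North American one. The blanket "R&E beats commodity" policy sends the query to Europe; the community-based policy Dave proposes drops the tagged R&E route to the commodity local-pref, so the shorter commodity path wins, while local peering still outranks both and untagged R&E member prefixes keep their preference. The community value, the AS numbers (RFC 5398 documentation range), the prefixes and the instance-site annotations are all constructed for the example; the list does not specify which community an R&E table operator would actually use.

```python
from dataclasses import dataclass, replace

# Hypothetical community that an R&E table operator could attach to anycast
# service prefixes (constructed value, not one the list or Internet2 publishes).
ANYCAST_TAG = "65000:100"


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str              # "rne", "commodity" or "local_peering"
    as_path: tuple           # constructed AS numbers from the RFC 5398 range
    communities: frozenset
    instance_site: str       # constructed annotation: the anycast instance reached
    local_pref: int = 100


def blanket_policy(route: Route) -> Route:
    """The common setup the thread describes: every R&E route outranks commodity transit."""
    lp = {"local_peering": 300, "rne": 200, "commodity": 100}[route.source]
    return replace(route, local_pref=lp)


def community_policy(route: Route) -> Route:
    """Tagged anycast routes in the R&E table get the same local-pref as
    commodity transit; local peering still outranks both."""
    if route.source == "rne" and ANYCAST_TAG in route.communities:
        return replace(route, local_pref=100)
    return blanket_policy(route)


def best_path(routes, policy) -> Route:
    """Two BGP decision steps are modelled: highest local-pref wins, then the
    shortest AS path. Remaining ties fall back to RIB order (max keeps the
    first maximal candidate)."""
    candidates = [policy(r) for r in routes]
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def selected_sites(rib, policy) -> dict:
    """Map each prefix to the anycast instance the chosen path delivers to."""
    by_prefix = {}
    for r in rib:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: best_path(rs, policy).instance_site for p, rs in by_prefix.items()}


# Constructed RIB: three prefixes, each seen over more than one path.
SAMPLE_RIB = (
    # Anycast service: the R&E path lands on an instance in Europe, the
    # commodity path on one in North America.
    Route("192.0.2.0/24", "rne", ("64496", "64497", "64500"),
          frozenset({ANYCAST_TAG}), "europe"),
    Route("192.0.2.0/24", "commodity", ("64501", "64500"),
          frozenset({ANYCAST_TAG}), "north_america"),
    # Same kind of service also present at a local exchange: local peering
    # should win under either policy.
    Route("203.0.113.0/24", "rne", ("64496", "64497", "64500"),
          frozenset({ANYCAST_TAG}), "europe"),
    Route("203.0.113.0/24", "local_peering", ("64500",),
          frozenset({ANYCAST_TAG}), "local_ixp"),
    # Ordinary unicast R&E member prefix: untagged, so the R&E preference stays.
    Route("198.51.100.0/24", "rne", ("64496", "64498"),
          frozenset(), "rne_member_direct"),
    Route("198.51.100.0/24", "commodity", ("64501", "64499", "64498"),
          frozenset(), "rne_member_via_transit"),
)


if __name__ == "__main__":
    for name, policy in (("blanket", blanket_policy), ("community", community_policy)):
        print(name, selected_sites(SAMPLE_RIB, policy))
```

Under the blanket policy the anycast prefix 192.0.2.0/24 resolves to the European instance even though a North American one is one path away; under the community policy it resolves to North America, 203.0.113.0/24 still goes to the local exchange, and 198.51.100.0/24 still takes the R&E path. The model deliberately stops after local-pref and AS-path length; a real router continues through origin, MED, eBGP/iBGP and IGP cost, and the point of tagging the routes is precisely to let each RON or campus decide where in that ladder anycast services should sit.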