[145293] in North American Network Operators' Group
Re: F.ROOT-SERVERS.NET moved to Beijing?
daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Oct 3 17:11:10 2011
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <DDEB10C3-E9B8-4794-8854-C0D0902D4DD3@tcb.net>
Date: Mon, 3 Oct 2011 17:10:47 -0400
To: Danny McPherson <danny@tcb.net>
Cc: NANOG list <nanog@nanog.org>
On 2011-10-03, at 13:39, Danny McPherson wrote:
> On Oct 3, 2011, at 1:09 PM, Christopher Morrow wrote:
>
>> Given that in the ISC case the hostname.bind query can tell you at
>> least the region + instance#, it seems plausible that some system of
>> systems could track current/changes in the mappings, no? and either
>> auto-action some 'fix' (SHUT DOWN THE IAD INSTANCE IT's ROGUE!) or at
>> least log and notify a hi-priority operations fixer.
>
> That sort of capability at the application layer certainly seems
> prudent to me, noting that it does assume you have a measurement
> node within the catchment in question and are measuring at a high
> enough frequency to detect objective incidents.
In principle there seems like no reason that a DNS client sending
queries to authority-only servers couldn't decide to include the NSID
option and log changes in declared server identity between subsequent
queries (or take some other configured action).
We support 5001 on L-Root (which runs NSD), for what that's worth, as
well as HOSTNAME.BIND/CH/TXT, VERSION.BIND/CH/TXT, ID.SERVER/CH/TXT and
VERSION.SERVER/CH/TXT, but those require separate queries. I appreciate
NSID support is not universal, but perhaps that's ok in the sense of
"better than nothing".
> I'm a fan of both routing system && consumer-esque monitoring, and
> do believe that a discriminator in the routing system associated with
> globally anycasted prefixes makes this simpler - for both detection,
> and possibly even reactive or preventative controls IF necessary. A
> unique origin AS is not the only place you can do this in the routing
> system, as I'm sure some will observe, but it seems an ideal location
> to me.
Whether it's the right-most entry in the AS_PATH or a bigger substring,
you still need more measurement points than you have if you want to
catch every leak.
Joe
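The client behaviour suggested in the message above (include the NSID option, RFC 5001, in each query and log changes in the declared server identity) can be sketched as follows. This is an added example, not code from the post or from any root-server operator; the function names, the choice of a ./NS query and the instance names in the sample replies are assumptions made for illustration.

```python
import struct

NSID, OPT = 3, 41  # EDNS option code for NSID (RFC 5001); OPT pseudo-RR type

def opt_rr(option_data=b""):
    """OPT RR advertising a 4096-byte UDP payload and carrying one NSID option."""
    rdata = struct.pack("!2H", NSID, len(option_data)) + option_data
    return b"\0" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata

def build_message(flags, nsid=b"", qid=0x1234):
    """Query for ./NS (flags=0) or, for the constructed samples, a reply."""
    question = b"\0" + struct.pack("!2H", 2, 1)  # root name, type NS, class IN
    return struct.pack("!6H", qid, flags, 1, 0, 0, 1) + question + opt_rr(nsid)

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label 1

def extract_nsid(msg):
    """Return the NSID payload from a DNS message, or None if absent."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == OPT and p + 4 <= len(rdata):  # walk the EDNS options
            code, length = struct.unpack("!2H", rdata[p:p + 4])
            if code == NSID:
                return rdata[p + 4:p + 4 + length]
            p += 4 + length
    return None

def identity_changes(replies):
    """List (index, previous, current) where the declared identity changed."""
    changes, prev = [], None
    for i, msg in enumerate(replies):
        cur = extract_nsid(msg)
        if i > 0 and cur != prev:
            changes.append((i, prev, cur))
        prev = cur
    return changes

# Constructed replies (instance names are made up, not real root identities).
SAMPLE = [build_message(0x8400, n) for n in (b"site-a.example", b"site-a.example", b"site-b.example")]
```

Against a live server, `build_message(0)` is the datagram to send to UDP port 53, and each reply goes through `extract_nsid`; a server without NSID support yields `None`, which `identity_changes` treats as its own identity value.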