[80591] in North American Network Operators' Group


Re: [dnsop] DNS Anycast revisited (fwd)

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed May 4 10:20:26 2005

In-Reply-To: <Pine.LNX.4.44.0505041342200.2288-100000@pop.ict1.everquick.net>
Cc: Tony Finch <dot@dotat.at>, NANOG <nanog@merit.edu>
From: Joe Abley <jabley@isc.org>
Date: Wed, 4 May 2005 10:19:28 -0400
To: Edward B. Dreger <eddy@noc.everquick.net>
Errors-To: owner-nanog@merit.edu



On 4 May 2005, at 09:52, Edward B. Dreger wrote:

>
> TF> Date: Wed, 4 May 2005 10:48:56 +0100
> TF> From: Tony Finch
>
> TF> Why would anyone use an anycast address as a client? Wouldn't it be
> TF> simpler to make all client connections from the machine's unicast
> TF> address?
>
> Maybe, maybe not.
>
> Take an anycast DNS provider that AXFR/IXFRs zones from its customers.
> Notifying them of all anycast addresses and keeping ACLs up-to-date
> isn't feasible.
>
> The obvious answer is to have a couple hosts pull zones from unicasted
> addresses.

Actually, the obvious answer is to use TSIG instead of address-based 
ACLs to authenticate zone transfers. But in cases where that's not 
possible (because the master servers don't want to implement it, and 
insist on address-based ACLs), there are hacks available. See

   http://www.isc.org/pubs/tn/isc-tn-2004-1.html#anchor14

for an example.


Joe
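
The TSIG-keyed zone-transfer setup Joe recommends, as an added example in BIND 9 named.conf syntax; it is not from the thread or from ISC's technical note. The zone name, key name and addresses are placeholders, and the key secret is a constructed sample.

```conf
// ---- customer master (the zone owner) ----
// Weak: address-based ACL. Every anycast node that may pull the zone
// has to be listed here, and the list goes stale as nodes are added.
// allow-transfer { 192.0.2.10; 192.0.2.11; 198.51.100.7; /* ... */ };

// Key shared with the anycast provider (generate one with `tsig-keygen`
// in BIND 9.11 or later; the secret below is a constructed sample).
key "provider-xfer" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1ub3QtZm9yLXJlYWwtdXNlCg==";
};

zone "example.org" {
    type master;
    file "example.org.zone";
    // Transfers go to whoever proves possession of the key, whichever
    // anycast or unicast source address the request arrives from.
    allow-transfer { key "provider-xfer"; };
};

// ---- anycast provider node (secondary) ----
key "provider-xfer" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1ub3QtZm9yLXJlYWwtdXNlCg==";
};

// Sign every message sent to the customer's master with this key, so the
// master can authenticate the transfer request without an address ACL.
server 203.0.113.5 {
    keys { "provider-xfer"; };
};

zone "example.org" {
    type slave;
    file "secondary/example.org.zone";
    masters { 203.0.113.5 key "provider-xfer"; };
};
```

With the address ACL removed, a node that is renumbered or added to the anycast cloud needs no change on the customer side; a request from the right address but without a valid signature is refused.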

