[90381] in North American Network Operators' Group
Re: How to tell if something is anycasted?
Thu May 18 20:16:38 2006
Date: Thu, 18 May 2006 17:16:04 -0700 (PDT)
From: Peter Boothe <peter@cs.uoregon.edu>
To: Dean Anderson <dean@av8.com>
Cc: David Hubbard <dhubbard@dino.hostasaurus.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0605181735240.19524-100000@citation2.av8.net>
Errors-To: owner-nanog@merit.edu
On Thu, 18 May 2006, Dean Anderson wrote:
> First, I would strongly recommend _against_ using DNS Anycast, since
> anycast does not work for stateful DNS, which is required for DNSSEC.
> Second, there are many problems involved in DNS Anycast management and
> problem tracking.
I agree with the second - it certainly does make debugging harder. I also
agree that the method I mentioned is not foolproof. But your first
statement is probably false.
We did a broad survey about 1.5 yrs ago and found that the average time
between switches was 14.4 minutes, but the median AS saw root switches
every 3 hours on average (http://www.nanog.org/mtg-0505/boothe.html).
Some ASs had severe extant routing problems, and dragged the mean a long
ways away from the median.
Because stateful DNS queries are really short lived, let's assume a flow
of ~10 seconds duration. 14 minutes is 60 * 14 seconds, and the chance
that our flow to that given root is going to overlap is 10/(60*14), or
about 1.2%. Which isn't great, but isn't too bad. If we look at the
median AS, however, then things look a lot better. Switching every 3
hours reduces that unreliability by a factor of 3*60/14 =~ 12.9, which
means that anycast reduces DNS reliability by just less than 0.1% for a
given root.
Given that the difference in reliability (according to DNSmon) between
anycasted and non-anycasted roots is 1% in anycast's favor
(http://www.nanog.org/mtg-0505/karrenberg.html), then for the majority of
ASs, anycast is a net win in reliability even for stateful DNS, as long as
the flows are short-lived.
Counter-intuitive, I agree. But it seems to be true for the existing DNS
anycast deployment on the internet (or at least was true in late 2004).
-Peter
--
Peter Boothe
PhD Student
Computer Science
University of Oregon
http://www.cs.uoregon.edu/~peter

"Young man, you think you're very smart, but it's turtles all the way down!"
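Peter's back-of-the-envelope argument, generalized as an added example (not code from the original post): the probability that a short stateful flow overlaps a route switch, the net effect once DNSmon's 1% anycast advantage is subtracted, and the flow length at which that advantage is used up. The switch intervals (14 minutes as rounded in the post, 3 hours) and the 1% figure come from the post; the Poisson variant is an assumption added here.

```python
import math

# Figures quoted in the post: the post rounds the 14.4-minute mean inter-switch
# interval to 14 minutes in its arithmetic, the median AS saw a switch every
# 3 hours, and DNSmon gave anycasted roots a 1% reliability edge.
MEAN_SWITCH_INTERVAL_S = 14 * 60        # 14 minutes, as used in the post
MEDIAN_SWITCH_INTERVAL_S = 3 * 60 * 60  # 3 hours
ANYCAST_RELIABILITY_EDGE = 0.01         # 1% in anycast's favour (DNSmon)


def overlap_probability_linear(flow_s, interval_s):
    """The post's estimate: a flow lasting flow_s overlaps a switch with
    probability flow_s / interval_s (only meaningful while flow_s << interval_s)."""
    return flow_s / interval_s


def overlap_probability_poisson(flow_s, interval_s):
    """Assumption not in the post: switches arrive as a Poisson process with
    mean spacing interval_s. The chance that at least one switch lands inside
    the flow is then 1 - exp(-flow_s / interval_s), which matches the linear
    estimate for short flows but never exceeds 1 for long ones."""
    return 1.0 - math.exp(-flow_s / interval_s)


def net_reliability_change(flow_s, interval_s, edge=ANYCAST_RELIABILITY_EDGE,
                           model=overlap_probability_linear):
    """Net reliability change from anycast for a stateful flow: positive means
    anycast still wins after paying for route switches, negative means it loses."""
    return edge - model(flow_s, interval_s)


def breakeven_flow_seconds(interval_s, edge=ANYCAST_RELIABILITY_EDGE):
    """Longest stateful flow for which anycast is still a net win under the
    linear estimate, i.e. the flow length where flow_s / interval_s == edge."""
    return edge * interval_s


if __name__ == "__main__":
    for label, interval in (("mean AS", MEAN_SWITCH_INTERVAL_S),
                            ("median AS", MEDIAN_SWITCH_INTERVAL_S)):
        p = overlap_probability_linear(10, interval)   # the post's 10 s flow
        net = net_reliability_change(10, interval)
        print(f"{label}: 10 s flow hits a switch with p={p:.3%}, "
              f"net change={net:+.3%}, break-even flow={breakeven_flow_seconds(interval):.0f} s")
```

Run as-is it reproduces the post's ~1.2% and the factor of ~12.9 between the two ASes, and also shows that at the 14-minute mean the 1% edge is slightly exceeded, while the median AS tolerates flows of up to about 108 seconds before anycast stops being a net win.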