Re: [ga] The Vixie Root

[Karl Auerbach <karl@CaveBear.com>]

On Tue, 11 Feb 2003, Marc Schneiders wrote:

> There was little interest in November last, when ISC (Paul Vixie),
> announced that they were going to run copies in Asia of the
> f.root-servers.net, which they operate.

I wouldn't say there was little interest.  In my corner of the world there
was (and is) a lot of interest.  I've been chatting about anycast roots
for years (at least since my days in the Advanced Internet Architectures
Group at Cisco.)

As a general matter, I consider anycast replicas of root servers to be "a 
good thing"(tm).

However, anycast doesn't come for free.  Anycast works by creating several
routes to a given IP address.  In reality these routes lead to different
places and a client (or rather the network routing system of the net on
which the client exists) selects which route based on various metrics,
most often a "longest prefix" match.

When an anycast server fails, that failure ought to be coupled with a
withdrawal of the routes to that server, thus causing one of the more
distant anycast replicas to be selected.

There are some problems that can come about - one, of course, occurs when 
the route is not withdrawn in conjunction with a server outage.

Another potential problem is that the fallback to the anycast alternate
looks like a routing change and that can trigger various route-flapping
dampers.  This can, potentially, leave a client in an area in which a
particular anycast server (by this I mean all instances of that server)  
might become unreachable for some period of time.  The likelyhood and
duration of these events are a) low and b) variable.  Because of the DNS 
mechanisms that fall back to other root servers the disappearance of any 
given root server isn't really a problem.

These problems can be resolved by clueful engineering of the servers
and the routing information.  And if there is one thing that the root 
server operators have in abundance it is "clue".

But I have two latent concerns:

1. I have very fuzzy, vary vague concern that if the majority of root
servers become anycast that this might open up more means to take out the
root servers.  This may well be a worry that is more appropriate for
Chicken Little, but I have this unfocused nagging concern anyway.

2. No matter how I look at things, I can't help but come to the conclusion 
that the deployment of root servers, particularly when they use a fairly 
new and innovative (but definitely not unproven) use of Internet routing, 
is something that has an obvious and significant relationship to the 
stabity of the Internet's domain name system.

Yet, when I look at the emphasis that ICANN is putting on matters that it 
has labeled as affecting "stability" of the Internet, I can't help notice 
that ICANN has given vastly greater attention to the business plans and 
business methods of DNS registrars and registries than it has to the 
deployment of new roots.

To me this seems completely out of whack - I have never felt that the
business practices of DNS registries and registrars bore even the
slightest relationship to the stability of DNS (even the more so given
that the single element of those business practices that might pertain to
stability, escrow of registration data, has been largely ignorred by 
ICANN).

So I have this lingering concern - why does ICANN have this monomaniacal
focus on the matters that have no real impact on the technical stability
of DNS and, at the same time, is almost completely blind to matters that
do have direct and significant impact on the technical stability of DNS?

To me the answer has been clear from the outset several years ago - that
ICANN is really a body that, despite claims to the contrary, is almost
entirely dedicated to the promulgation of economic and social policy,
largely for the benefit of large intellectual property owners (who are not
necessarily intellectual property creators) and DNS registry and registrar
businesses, and almost entirely divorced from technology

		--karl--


--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html