DNSSEC signing problems get worse with more NS, if the signatures go bad.
Even with the remediation Mark Andrews put in later BIND, there is an
increase in traffic at the authority points and in the system as a whole.

So "more is better" is not necessarily true.

Also, AAAA NS and A NS are morally considered 'different' NS by the system
because they do not present as the 'same' NS to the logic of 'where shall I
ask next' (I don't understand why: the NS label should be the same.
However, we observe that we see NS traffic on the V6 and V4 at the same time and
also sequentially. Therefore, I believe this.)

So, having the SAME NS in both V6 and V4 (is that V10?) does not help
you: it can, in bad DNSSEC, actually hinder you.

Oh, 464XLAT, since it has to write non-authoritative changes into AAAA/A
bindings, breaks DNSSEC. So if you are behind 464XLAT, and DNSSEC signed,
more NS is not necessarily helping you...
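The "more NS makes a bad-signature outage cost more queries" point above, as a constructed Python model added here (not code from the thread or from BIND). It assumes a simplified validating resolver that, on a bogus answer, moves on to the next (NS, address) target until none are left, and that every address of a dual-stacked NS is a separate target, which is the behaviour the message reports observing; only the RRSIG time window is checked, not the signature itself, and the BIND remediation mentioned above is not modelled. Names and addresses use the documentation prefixes.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rrsig:
    """Constructed stand-in for an RRSIG's validity window (Unix time)."""
    inception: int
    expiration: int


@dataclass(frozen=True)
class Nameserver:
    """One NS record plus the A/AAAA addresses it resolves to. The resolver
    model treats every address as its own query target."""
    name: str
    addresses: Tuple[str, ...]


def rrsig_is_valid(sig: Rrsig, now: int) -> bool:
    # Only the time window is modelled; key lookup and signature math are omitted.
    return sig.inception <= now <= sig.expiration


def resolve(nameservers: List[Nameserver], sig: Rrsig, now: int) -> Tuple[bool, int]:
    """Simplified validating resolver (assumption, not any real resolver's code).
    Targets are tried in order; the first answer that validates ends the search.
    A bogus answer does not: the resolver moves to the next address, so a zone
    with a bad signature costs one query per (NS, address) pair before SERVFAIL.
    Returns (validated, queries_sent)."""
    queries = 0
    for ns in nameservers:
        for _addr in ns.addresses:
            queries += 1
            # Every copy of the zone carries the same RRSIG, so a signature that
            # is bad at one server is bad at all of them.
            if rrsig_is_valid(sig, now):
                return True, queries
    return False, queries


def build_ns_set(count: int, dual_stack: bool) -> List[Nameserver]:
    """Constructed NS set: 192.0.2.0/24 for A, 2001:db8::/32 for AAAA."""
    servers = []
    for i in range(1, count + 1):
        addrs: Tuple[str, ...] = ("192.0.2.%d" % i,)
        if dual_stack:
            addrs += ("2001:db8::%x" % i,)
        servers.append(Nameserver("ns%d.example." % i, addrs))
    return servers


def failed_lookup_cost(count: int, dual_stack: bool, sig: Rrsig, now: int) -> int:
    """Queries one lookup sends against the zone before the resolver gives up."""
    _validated, queries = resolve(build_ns_set(count, dual_stack), sig, now)
    return queries


if __name__ == "__main__":
    # Constructed signature whose expiration is already in the past.
    expired = Rrsig(inception=1_409_000_000, expiration=1_409_500_000)
    now = 1_409_800_000
    for n in (2, 4, 8):
        print("%d NS: v4-only %d queries, dual-stack %d queries" % (
            n,
            failed_lookup_cost(n, False, expired, now),
            failed_lookup_cost(n, True, expired, now)))
```

The table the script prints is the whole point: with good signatures every lookup costs one query regardless of NS count, while with a bad signature the per-lookup cost scales with the number of NS addresses, and listing the same host under both A and AAAA doubles it without adding an independent copy of the zone.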


On Thu, Sep 4, 2014 at 3:01 AM, David Conrad <d...@virtualized.org> wrote:

> Hi,
>
> On Sep 3, 2014, at 8:42 AM, Guangqing Deng <dengguangq...@cnnic.cn> wrote:
> > From RFC1034 section 4.1, it seems that the way used for improving the
> redundancy and resilience of DNS system is to increase DNS servers. I agree
> that for the performance of the DNS system, the redundancy and resilience
> are the first goal and low latency is the second goal. Usually, the first
> goal mainly depends on the DNS server deployment policy (such as the total
> number and geographical distribution of DNS servers) and the second goal
> relates to not only the DNS server deployment policy but also the method
> used for DNS clients selecting the best DNS server like anycast.
>
> Careful here.
>
> Anycast improves redundancy/resiliency for the system as a whole.  As
> typically deployed, it may not improve redundancy/resiliency for a single
> client.  For example, if a DNS server instance in an anycast cloud is no
> longer responding to DNS queries due to a DoS but the routing announcement
> of that instance is not pulled down, the clients topologically nearest that
> instance will not see improved redundancy/resiliency — they’ll not see any
> responses.
>
> Anycast may or may not improve latency — it depends on the routing system.
> If the “nearest” instance network topologically to a set of clients happens
> to be on the other planet, latency will not be improved for those clients.
>
> Anycast is a very blunt tool. It can help improve redundancy/resiliency
> and latency if properly deployed, constantly monitored, and maintained, but
> it is very important to understand its limitations and implications.
>
> Regards,
> -drc
>
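David's two anycast caveats above (routing selects by metric with no knowledge of whether the instance answers, and the metric-nearest instance need not be the latency-nearest one) as a constructed Python model, added here and not taken from the thread. The instance names, path metrics and RTTs are made up; "withdraw_unhealthy" stands in for the health-check driven route withdrawal his "constantly monitored, and maintained" implies.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Instance:
    name: str
    announced: bool  # route for the anycast prefix is still in the table
    healthy: bool    # instance is actually answering DNS queries


@dataclass(frozen=True)
class Client:
    name: str
    path_len: Dict[str, int]  # routing metric (e.g. AS-path length) per instance
    rtt_ms: Dict[str, int]    # what the client would really measure per instance


def routed_instance(client: Client, instances: List[Instance]) -> Optional[Instance]:
    """Routing picks the announced instance with the best metric. It knows
    nothing about whether that instance is answering."""
    live = [i for i in instances if i.announced]
    if not live:
        return None
    return min(live, key=lambda i: client.path_len[i.name])


def lookup(client: Client, instances: List[Instance]) -> Optional[int]:
    """RTT of a successful answer, or None when the client's traffic lands on
    an instance that is announced but not responding."""
    inst = routed_instance(client, instances)
    if inst is None or not inst.healthy:
        return None
    return client.rtt_ms[inst.name]


def withdraw_unhealthy(instances: List[Instance]) -> List[Instance]:
    """Health-check driven withdrawal: stop announcing what is not answering,
    so the routing system can steer clients to the next-best instance."""
    return [replace(i, announced=i.healthy) for i in instances]


def best_healthy_rtt(client: Client, instances: List[Instance]) -> int:
    """The latency the client could get if it were steered purely by RTT."""
    return min(client.rtt_ms[i.name] for i in instances if i.healthy)


# Constructed scenario: the "sin" instance is down (say, under DoS) but its
# route has not been pulled; "ams" and "sfo" are fine.
INSTANCES = [
    Instance("ams", announced=True, healthy=True),
    Instance("sin", announced=True, healthy=False),
    Instance("sfo", announced=True, healthy=True),
]
# Client whose best route leads to the dead instance.
CLIENT_NEAR_SIN = Client(
    "client-near-sin",
    path_len={"sin": 1, "sfo": 2, "ams": 3},
    rtt_ms={"sin": 20, "sfo": 120, "ams": 180},
)
# Client whose best *routing* metric points at a far-away instance.
CLIENT_ODD_ROUTING = Client(
    "client-odd-routing",
    path_len={"ams": 2, "sin": 3, "sfo": 3},
    rtt_ms={"ams": 300, "sin": 90, "sfo": 150},
)

if __name__ == "__main__":
    print("near-sin, route still announced:", lookup(CLIENT_NEAR_SIN, INSTANCES))
    print("near-sin, after withdrawal:", lookup(CLIENT_NEAR_SIN, withdraw_unhealthy(INSTANCES)))
    print("odd-routing gets:", lookup(CLIENT_ODD_ROUTING, INSTANCES),
          "ms, best healthy would be", best_healthy_rtt(CLIENT_ODD_ROUTING, INSTANCES), "ms")
```

Run as-is: the first client gets no answer at all until the dead instance's route is withdrawn, at which point it fails over to the next-best healthy instance; the second client is answered, but from the instance the routing metric prefers rather than the one with the lowest RTT, which is the "latency depends on the routing system" point.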
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop