On 06/18/2011 02:34 AM, Amos Shapira wrote:

> I wasn't suggesting that you should make money from it but if you want a *reliable* highly available DNS setup then you might be better off paying someone else to do that for you instead of having this liability on top of what you actually get paid for. I know that setting up a secondary DNS server could be a 5 minute exercise in the right hands (and I suppose this applies to you), but when things break you could end up stopping work on more important stuff (from a business perspective) to find and fix a problem someone else could look at for you for a relatively small sum.

I should just point out something. I don't think you said it, but someone might understand it from your words:

Anycast does not improve reliability of the DNS system for almost any normal use case.

Anycast was designed to work around the size limitations of a DNS request. DNS can use either TCP or UDP. UDP is considerably faster, as the actual request-response is very short, and the three-way handshake is, therefore, a high price to pay. As such, correct setup of a DNS system will try to limit TCP transactions to domain transfers and nothing else.

In order to assure a UDP transaction, the response must be no bigger than about 512 bytes (actual number might be slightly higher or lower - do not remember). This means that an "NS" query (which is your DNS?) can return a maximum of 13 servers per domain. This is not a problem for, e.g., lingnu.com, but might be a problem for . (root) or .com. The solution found was to report only 13 IP addresses, but to have more than 13 servers serve those addresses via anycast. This leverages the global routing table's ability to find a reasonably shortest path to the destination IP address, but does not insist that all instances actually be served by the same actual server. This, obviously, only works if the transaction is composed of one request packet and responded to by one reply packet. In other words, for DNS, this only works if the transaction is, indeed, UDP.

If you host your own domains, anycast is, most likely, not the solution for you. First, it is exceedingly unlikely that you will have more than 13 domain name servers serving your domain, which means that you can actually provide 5 different IPs. The DNS system has a failover AND load balancing system built into each and every client that performs a query, and thus actually providing 5 different IP addresses works just as well as providing one IP address that is served by 5 different servers.

In fact, it works better. Using anycast alone (i.e. - advertising just one IP address) has several modes of failure simply not there for the standard system. If the network goes down, it might take a few minutes for the worldwide BGP tables to catch up to that fact. During that time, your domain will be offline. If the actual server is down, but the network is up, queries still reach it and are never handled, again resulting in an offline domain. If all 5 servers are advertised, the clients will perform round robin between all five, resulting in equal distribution of the load. If just one IP address is advertised then, failure notwithstanding, a specific client will almost always query the same server, resulting in load distribution that is geographically split. In most cases, that is a less even split than the round robin the other option provides.

In other words, Amos, if your company is doing anycast for DNSes, they are, most likely, wasting a valuable /22 IPv4 address range.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
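The 512-byte argument in the message above can be checked directly by encoding an NS response in RFC 1035 wire format and measuring it. The script below is an added example, not part of the original thread or of Lingnu's code: it builds an authoritative NS reply with glue A records, applies RFC 1035 label compression (the reason all root servers were renamed under one parent, root-servers.net, is that a shared suffix compresses to a 2-byte pointer), and reports how large the reply is with and without compression, and at what server count a reply of this shape crosses the classic 512-byte UDP limit. The server names and 192.0.2.x addresses are constructed test values, and the `example.com` zone with `ns1`..`ns5` is likewise made up for the illustration.

```python
"""Measure the wire size of a DNS NS response (RFC 1035 format) to see how
many name servers fit in a classic 512-byte UDP reply (no EDNS0)."""
import struct
from ipaddress import IPv4Address

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
UDP_LIMIT = 512  # RFC 1035 maximum UDP payload before EDNS0 existed


def encode_name(name, msg, offsets, compress=True):
    """Append `name` to `msg` in wire format. With `compress`, any suffix
    already present in the message is replaced by a 2-byte pointer
    (0xC000 | offset), exactly as RFC 1035 section 4.1.4 describes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if compress and suffix in offsets:
            msg += struct.pack("!H", 0xC000 | offsets[suffix])
            return                      # pointer ends the name, no 0 byte
        if compress and len(msg) < 0x4000:
            offsets[suffix] = len(msg)  # remember where this suffix starts
        label = labels[0].encode("ascii")
        msg += bytes([len(label)]) + label
        labels = labels[1:]
    msg += b"\x00"                      # root label terminates the name


def build_ns_response(zone, servers, compress=True, ttl=3600):
    """Build an authoritative NS reply for `zone` with one NS RR per server
    in the answer section and one glue A RR per server in the additional
    section. `servers` is a list of (hostname, ipv4_string) tuples."""
    msg = bytearray()
    offsets = {}
    # Header: ID, flags (QR=1, AA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, len(servers))
    # Question section
    encode_name(zone, msg, offsets, compress)
    msg += struct.pack("!HH", TYPE_NS, CLASS_IN)
    # Answer section: NS records
    for host, _ in servers:
        encode_name(zone, msg, offsets, compress)
        msg += struct.pack("!HHI", TYPE_NS, CLASS_IN, ttl)
        rdlen_at = len(msg)
        msg += b"\x00\x00"              # RDLENGTH, patched once rdata is known
        encode_name(host, msg, offsets, compress)
        struct.pack_into("!H", msg, rdlen_at, len(msg) - rdlen_at - 2)
    # Additional section: glue A records so the resolver can reach the servers
    for host, ip in servers:
        encode_name(host, msg, offsets, compress)
        msg += struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        msg += IPv4Address(ip).packed
    return bytes(msg)


def response_size(zone, servers, compress=True):
    return len(build_ns_response(zone, servers, compress))


def root_servers(n):
    """Constructed root-style server list: a.root-servers.net ... with
    TEST-NET-1 addresses (not the real root server addresses)."""
    return [(f"{chr(ord('a') + i)}.root-servers.net", f"192.0.2.{i + 1}")
            for i in range(n)]


def small_zone_servers(n, zone="example.com"):
    """Constructed in-bailiwick servers ns1.<zone> ... for a small zone."""
    return [(f"ns{i + 1}.{zone}", f"192.0.2.{i + 1}") for i in range(n)]


def max_servers_in_udp(zone, make_servers, limit=UDP_LIMIT):
    """Largest server count whose NS+glue reply still fits in `limit` bytes."""
    n = 0
    while response_size(zone, make_servers(n + 1)) <= limit and n < 64:
        n += 1
    return n


if __name__ == "__main__":
    print("root, 13 servers, compressed:  ", response_size(".", root_servers(13)))
    print("root, 13 servers, uncompressed:", response_size(".", root_servers(13), compress=False))
    print("root servers that fit in 512:  ", max_servers_in_udp(".", root_servers))
    print("example.com, 5 servers:        ", response_size("example.com", small_zone_servers(5)))
```

Running it shows the point of the thread: a 13-server root reply with glue is 436 bytes compressed but 862 bytes uncompressed, so the shared parent name is what makes it fit at all, and for a name layout like this the reply only crosses 512 bytes at 16 servers, so 13 leaves some headroom. A five-server zone such as the `example.com` stand-in needs under 200 bytes, which is why a handful of distinct NS addresses, with the resolver's own failover and round robin among them, is nowhere near the limit that motivated anycast for the root.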


_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
