Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: relays.osirusoft.com

  • From: Paul Vixie
  • Date: Wed Aug 27 11:50:21 2003

> Someone has suggested 'anycasting' what do people (particularly you
> Paul) think of using anycasting for a DNSbl? (- AS112 anyone?)

unowned anycast, such as that used in as112, is only possible when the
replies have no value (and thus need not be synchronized or centrally
authorized.)

conversely, unowned anycast only adds value if the replies really ought
to be sent anonymously.  in the case of sorbs, you can enumerate
authorized servers and thus get better management and control than you
would with unowned anycast.

now, that doesn't mean anycast per se is a bad idea for sorbs.  it's
just that you'd want to own or at least "manage and control" each
instance.  this is what we do for f-root and it's what ultradns and
nominum and i think akamai have been doing for some years now.

> I think it may work well... however I am a novice in terms of BGP...
> As far as I can tell it involves getting a portable address block
> (someone suggested anything less than a /24 would get filtered) and
> announcing it in various locations around the Net with local servers
> behind each of those announcements.... is this fundamentally correct?

yes.  see http://www.isc.org/tn/ for some background materials on all this.

> Assuming I am right in my current understanding, I am about to start
> looking at the procedure to get an ASN and then I'll be looking for
> some portable IP space if the consensus and thoughts are this will
> work.  I am thinking along the lines of talking with the other large
> DNSbls (particularly Easynet (wirehub) and DSBL) about setting up a set
> of combined DNSbl servers all anycast'd.  This after all will bring any
> DDoS machines to the attention of the local networks they are
> attacking .... ;-)

putting multiple dnsbl's on the same /24 sounds like a lot of eggs for
only one basket.  among the root server operators, we like to chant that
"diversity is good".



