North American Network Operators Group
Re: [dnsop] DNS Anycast revisited (fwd)
- From: Joe Abley
- Date: Wed May 04 10:21:32 2005
On 4 May 2005, at 09:52, Edward B. Dreger wrote:
> TF> Date: Wed, 4 May 2005 10:48:56 +0100
> TF> From: Tony Finch
> TF> Why would anyone use an anycast address as a client? Wouldn't it be
> TF> simpler to make all client connections from the machine's unicast
> TF> address?
>
> Maybe, maybe not.
>
> Take an anycast DNS provider that AXFR/IXFRs zones from its customers.
> Notifying them of all anycast addresses and keeping ACLs up-to-date
> isn't feasible.
>
> The obvious answer is to have a couple hosts pull zones from unicasted
> addresses.
Actually, the obvious answer is to use TSIG instead of address-based
ACLs to authenticate zone transfers. But in cases where that's not
possible (because the master servers don't want to implement it, and
insist on address-based ACLs), there are hacks available. See
http://www.isc.org/pubs/tn/isc-tn-2004-1.html#anchor14
for an example.
Joe
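The contrast Joe draws above, as an added illustration that is not part of the original thread: a BIND `named.conf` fragment showing the address-based transfer ACL that breaks down when the secondaries sit behind anycast (their source address is whichever unicast address the winning node happens to use), beside the TSIG-keyed form that authenticates the transfer by a shared secret regardless of source address. The zone name, addresses, key name and secret are constructed placeholders; `type master`/`type slave` is the 2005-era spelling (newer BIND also accepts `primary`/`secondary`), and `hmac-sha256` postdates the thread (it was `hmac-md5` then).

```conf
/* --- Primary (master) side --- */

/* Weak form: trusts whatever source address the request arrives from.
   With anycast secondaries this list is never complete, and any host
   that can reach the primary from a listed prefix can pull the zone. */
zone "example.net" {
    type master;
    file "zones/example.net.db";
    allow-transfer { 192.0.2.0/24; 198.51.100.7; };   /* constructed addresses */
};

/* Hardened form: the ACL names a TSIG key, not a network. Each AXFR/IXFR
   request must carry a valid HMAC under this key; source address is
   irrelevant, so anycast or renumbered secondaries need no ACL churn.
   Generate the secret with `tsig-keygen xfer-key` (or, on old BIND,
   `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key`). */
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-REPLACE-ME==";   /* placeholder, not a real key */
};

zone "example.org" {
    type master;
    file "zones/example.org.db";
    allow-transfer { key xfer-key; };
};

/* --- Secondary (slave) side --- */

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-REPLACE-ME==";   /* same secret as the primary */
};

/* Sign every query sent to this primary with the key, whichever local
   (unicast or anycast) address the kernel picks as the source. */
server 203.0.113.1 {                                   /* constructed primary address */
    keys { xfer-key; };
};

zone "example.org" {
    type slave;
    masters { 203.0.113.1; };
    file "zones/example.org.db";
};
```

Two operational checks worth running after a change like this: `named-checkconf` on both sides to catch a mistyped key block, and a manual `dig @203.0.113.1 example.org AXFR -y hmac-sha256:xfer-key:<secret>` from a secondary, which should succeed, while the same command without `-y` should be refused. TSIG also depends on clock agreement within the fudge window (300 seconds by default), so keep both hosts on NTP; a transfer that is refused with a BADTIME error in the primary's log is a clock problem, not a key problem.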