deploying DNS in large ISP

Barry Margolin barmar at genuity.net
Thu Jul 5 19:38:24 UTC 2001


In article <9i26a9$mjh at pub3.rc.vix.com>,  <Marc.Thach at radianz.com> wrote:
>I've floated the idea of using anycast for DNS within our organisation.  I
>haven't pushed too hard because I'm wary about possible pitfalls that I
>will encounter, so I'd be interested to know what sort of problems you
>encountered.  I presume recursion, axfr  etc is done via another port, so
>that seems OK.  What about TCP? I'm nervous that DNSSEC will make it more

We're using Solaris, and it always uses the real address as the source when
sending out recursive queries, so that's not a problem.  If it were, we
could easily configure the query-source option to force it to use the real
address.

>common.  Clearly TCP session to an anycast address is liable to problems
>when routes change.  Is this something that you've factored in somehow?

AFAIK, we haven't had much trouble with this.  We're only doing this for
caching-only servers, so zone transfers are not an issue.  Backbone
topology doesn't change frequently, so it's unlikely that the route to a
customer's server would change in the middle of a TCP connection.  I
suppose it would be possible for two servers to be at the same OSPF
distance from a customer, but I think our backbone routers do flow-based
route caching, so all the packets in a single TCP connection should go to
the same server.  Even if this isn't the case, using TCP for non-AXFR DNS
queries is pretty rare, so the probability of this happening from a
customer with equidistant servers is minute, and I haven't heard of it
actually causing a problem.

The biggest problem with this architecture is in troubleshooting problem
reports from customers.  They'll just tell us "4.2.2.1 is returning the
wrong answer", and then we have to figure out *which* server 4.2.2.1
translates to for them.  It's not terribly difficult; we just have to do a
traceroute from their POP router to 4.2.2.1.  But it's an extra step.  I
also imagine that customers with multiple offices would find it confusing
that they get the right answer in office A, but a different answer in
office B, even though both are querying 4.2.2.1.

But if you think this is a problem, imagine putting multiple servers behind
load balancing hardware.  Then the same client could get different answers
from one minute to the next.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
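An added example, not from Barry's post and not any Genuity configuration: a BIND named.conf fragment for one instance of the anycast caching-only resolver described in the reply, showing the query-source setting the post mentions. The anycast service address 4.2.2.1 is the one from the thread; the unicast address 203.0.113.53, the customer prefix, and the hostname are constructed placeholders.

```conf
// Added example: options for one instance of an anycast caching-only resolver.
// 4.2.2.1 is the shared anycast service address from the thread;
// 203.0.113.53 is this instance's real (unicast) address, a constructed placeholder.

acl customers { 192.0.2.0/24; };   // constructed placeholder for customer address space

options {
    directory "/var/named";

    // Listen on the anycast address and on the real address, so a specific
    // instance can still be queried directly when troubleshooting a report.
    listen-on { 4.2.2.1; 203.0.113.53; };

    // Outgoing recursive queries must leave from the real address. If they were
    // sourced from 4.2.2.1, the authoritative server's reply would be routed to
    // whichever anycast instance is nearest to it, not necessarily this one,
    // and the query would time out here.
    query-source address 203.0.113.53;

    // Caching-only role: recurse for customers, serve no zones, allow no transfers.
    recursion yes;
    allow-query { customers; localhost; };
    allow-recursion { customers; localhost; };
    allow-transfer { none; };

    // Lets an operator learn which instance answered a query sent to 4.2.2.1
    // (dig @4.2.2.1 +short CH TXT hostname.bind) without a traceroute from the
    // customer's POP router. Placeholder name.
    hostname "resolver-pop1.example.net";
};
```

A customer seeing "the right answer in office A but a different answer in office B" can then be asked for that hostname.bind result from each office, which names the two instances directly.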