Resolver optimization of auth selection - Truth or Myth?

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Mon Feb 8 19:06:20 UTC 2016


I suspect they changed the algorithm, in light of recent research findings about attackability. See http://www.cs.technion.ac.il/~gnakibly/papers/WOOT13.pdf

- Kevin


From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of MURTARI, JOHN
Sent: Monday, February 08, 2016 1:36 PM
To: bind-users at lists.isc.org
Subject: Resolver optimization of auth selection - Truth or Myth?

Folks,
                Just trying to settle a question on BIND based resolver operation.  When given multiple authoritative servers for a zone, does it optimize selection based on auth server response times?  For example:

-------
                I'm located in Sydney, Australia and my ISP has a couple of BIND based resolvers also located there.  I'm trying to get to www.example.com and it happens to have three authoritative servers, ns{1,2,3}.example.com with a single unicast IP and located as follows:

                ns1.example.com - Singapore,   ns2.example.com - Los Angeles,   ns3.example.com - New York

                We'll assume DNS round trip times (RTT) are proportional to distance from Sydney; also,  the fine folks at example.com have set a 10 minute TTL on all their resource records and have never heard of anycast IPs.   They are also very reliable, so we're not considering the effects of a non-responsive server.

                So.....do the BIND resolvers in Sydney begin to notice their quickest source of responses is ns1 and when cache data expires, do they go there first?  Or, did the people at example.com waste money trying to locate one of their authoritative servers in Singapore to better serve their Australian visitors?
-----

                I did do a little searching on this and found what seemed to be a decent paper, no date, but covered up to BIND 9.8: http://irl.cs.ucla.edu/data/files/papers/res_ns_selection.pdf

                If you take a look at sections 4.1 & 4.2 - they seem to say  BIND 9.8 gets it a little backwards and starts to prefer higher latency servers?

                Any clarification on this is welcome.
                Thanks!

John



----------------
John Murtari - jm5903 at att.com
Ciberspring
office: 315-944-0998
cell: 315-430-2702
