nanog mailing list archives

Re: [dnsop] DNS Anycast revisited (fwd)

From: Joe Abley <jabley () isc org>
Date: Wed, 4 May 2005 10:19:28 -0400



On 4 May 2005, at 09:52, Edward B. Dreger wrote:


TF> Date: Wed, 4 May 2005 10:48:56 +0100
TF> From: Tony Finch

TF> Why would anyone use an anycast address as a client? Wouldn't it be

TF> simpler to make all client connections from the machine's unicastaddress?


Maybe, maybe not.

Take an anycast DNS provider that AXFR/IXFRs zones from its customers.
Notifying them of all anycast addresses and keeping ACLs up-to-date
isn't feasible.

The obvious answer is to have a couple hosts pull zones from unicasted
addresses.

Actually, the obvious answer is to use TSIG instead of address-basedACLs to authenticate zone transfers. But in cases where that's notpossible (because the master servers don't want to implement it, andinsist on address-based ACLs), there are hacks available. See


  http://www.isc.org/pubs/tn/isc-tn-2004-1.html#anchor14

for an example.


Joe

Current thread:

Re: [dnsop] DNS Anycast revisited, (continued)
- - - Re: [dnsop] DNS Anycast revisited Paul Vixie (May 04)
- Re: [dnsop] DNS Anycast revisited (fwd) Patrick W. Gilmore (May 03)
  - Re: [dnsop] DNS Anycast revisited (fwd) Edward B. Dreger (May 03)
    - Re: [dnsop] DNS Anycast revisited (fwd) Patrick W. Gilmore (May 03)
    - Re: [dnsop] DNS Anycast revisited (fwd) Edward B. Dreger (May 03)
    - Re: [dnsop] DNS Anycast revisited (fwd) Patrick W. Gilmore (May 03)
    - Re: [dnsop] DNS Anycast revisited (fwd) Edward B. Dreger (May 03)
    - Re: [dnsop] DNS Anycast revisited (fwd) Patrick W. Gilmore (May 03)
    - Re: [dnsop] DNS Anycast revisited (fwd) Tony Finch (May 04)
    - Re: [dnsop] DNS Anycast revisited (fwd) Edward B. Dreger (May 04)
    - Re: [dnsop] DNS Anycast revisited (fwd) Joe Abley (May 04)