Re: IPv4 ANYCAST setup

[bmanning () vacation karoshi com]

On Tue, Mar 30, 2010 at 05:43:25PM +0900, Randy Bush wrote:
> > > > I have talked to multiple security officers (who are generally not  
> > > > really knowledgeable on networks) who had 53/tcp blocked and none  
> > > > have yet agreed to change it.
> > > patience.  when things really start to break, and the finger of fate  
> > > points at them, clue may arise.
> > 36 days until all root servers have DNSSEC data, at which point large
> > replies become normal.
>
> are end user tools, i.e. a web click a button, available so they can
> test if they are behind a clueless security id10t?

        no - in part because using a browser to debug DNS involves
        a third app (and likly a third/forth) platform.

        the nifty OARC testpoint is nearly worthless for real operations,
        since its not located at/near a DNS authoritative source.  the
        K testpoint is good, I should prolly put back the one off B.
        

> is there good simple end user docco they are somewhat likely to find
> when things break for them?

        not yet.  in part because out of the few simple parts, many, many
        combinations of failure can occur.

        ) MTU strictures:
                v6/v4 tunneling
                v6/v4 MTU
                clamping
                
        ) Fragmenation
                UDP
        ) Port blocking
        ) Resolver Behaviour
                EDNS awareness


> i.e. what can we do to maximize the odds that the victim will quickly
> find the perp, as opposed to calling our our tech support lines?

        thats a tough call.  as tech support staff, we are almost always
        an outside observer on the path btwn the victim and the perp.
        troubleshooting is going to be problematic.

> randy