davidb dives in   Archives

dns anycasting

On a mailing list that I’m on, a funny argument about the wisdom of anycast DNS service has erupted. Now, I’m certainly no expert on anycast, but I can see a small kernel of truth buried in the FUD of the doubters.

Anycasting can lead to a false sense of resiliancy.

For example, 2 anycast clouds with 6 instances each is less resilient than 12 separate unicast instances. This is because, from the point of view of the DNS client, there are only two nameservers to contact, and if both go down, the client is hosed. Two failures in the unicast case don’t lead to any noticeable problem. This isn’t the same as saying that anycasting doesn’t, in general, improve the situation. But it isn’t a substitute for advertising more than, say, two nameservers.

Anycasting can be done poorly.

Imagine having two different anycast addresses, but that each cloud essentially has both addresses in the same rack at every instance. Or even just at some instances. In this case, the amount of redundancy is less than the operator might suppose, and a single power failure (e.g.) could render the zone inaccessible. Of course, people who set up high-profile anycast DNS service generally know what they are doing and provide sufficiently independent anycast clouds.

It is possible that the use of anycasting can have negative consequences for some people, somewhere.

Ok, so this is the argument put forth by a famous internet troll. (If the phrases “scientific fraud!” and “for spoofing” are familiar, you know who I’m talking about. If not, don’t worry about it.) Basically the theory goes like this:

  1. Sometimes DNS must be done over TCP.
  2. TCP is stateful.
  3. It is possible to have to different anycast instances the same “distance” away.
  4. It is possible to have a routing devices that divides packets between these two instances.
  5. All of the packets really need to go to the same instance, otherwise the TCP handshake (or whatever) doesn’t complete and the DNS query fails.

And thus, for some people, somewhere, in magic spots on the internet, might find a given anycast address unusable for TCP. The famous internet troll takes this argument to mean that anycast is completely unusable for DNS. Now, keep in mind that, even if you are in such a magic spot, the chances of all of the anycast addresses for a domain suffering from the same problem are extremely small. And keep in mind that the vast majority of DNS queries are over UDP, which doesn’t have this (potential) problem. I, of course, have no idea if there are actually any such magic spots on the internet.

…But a kernel of truth doesn’t equal truth.

These are just things that could be wrong with an anycast DNS deployment, not that they are. I sympathize with the operators who must defend themselves in the face of clueless folks who make the leap from their being a potential problem to an actual one without actually investigating anything. Nevertheless, I think that it would be better to inform the clueless that the operators are aware of the pitfalls, and thus, have not fallen into them.

Written on Jul 15, 2006.

comments powered by Disqus