Great Circle Associates Firewalls
(July 1997)

Subject: Dynamic DNS - "The Sky is Falling!", was RE: Two ISP's to one DMZ
From: mikech @ avana . net
Date: Wed, 9 Jul 1997 08:50:04 -0500
To: "Aaron J. Peterson" <aajpeter @ best . com>, mikech @ avana . net
Cc: Firewalls @ GreatCircle . COM
References: <Pine . BSF . 3 . 96 . 970708223708 . 7849A-100000 @ shell4 . ba . best . com>


------------------------
  From: "Aaron J. Peterson" <aajpeter @ best . com>
  Subject: Harping on dynamic DNS, was RE: Two ISP's to one DMZ
  Date: Wed, 9 Jul 1997 01:09:22 -0700 (PDT)
  To: mikech @ avana . net
  Cc: Firewalls @ GreatCircle . COM


> I'm going to ignore the hit-and-miss technique, as it would most certainly
> _not_ be a couple seconds or less.  Every time a client hits a dead
> address trying to start a TCP cxn it would go through the whole process of
> exponentially backing off and timeouts, etc.; this can be quite a long
> time.  Then, in most cases, a manual re-request in most applications would

Sorry, but you are wrong: if the site is "destination unreachable" it only 
takes a second. Besides, you pull down all of the DNS entries at once, not as 
separate queries (when you use multiple A records).

> be required to get the client to query its local DNS server again, to get
> the "live" address, maybe.  And that's just the client's view of things.

I am glad you said "maybe" ;-) Run a sniffer and check the DNS packets and you 
will see this is not the case.

> 
> Actually, not to belabor the point,  I was really harping on the fact that
> doing dynamic DNS just by itself is not scalable, and is bad for the 'Net.

Did you say the same thing when people started using the WWW ;-)? I hear this 
from the old netheads (no offense) every time someone uses the Internet in a 
new way. They say, "The sky is falling, the Internet will fail by July 
4th!!!!". I am afraid that you are going to be disappointed. See the following 
RFCs:

RFC 2065
     Domain Name System Security Extensions, by D. Eastlake, 3rd
     and C. Kaufman. Digital signatures for data integrity and
     authentication in the DNS. Jan-1997

RFC 2136
     Dynamic Updates in the Domain Name System (DNS UPDATE), by P.
     Vixie (editor), S. Thomson, Y. Rekhter and J. Bound. Atomic
     record-level addition and deletion of DNS information: WINS
     done properly. Apr-1997

RFC 2137
     Secure Domain Name System Dynamic Update, by D. Eastlake, 3rd.
     Security for dynamic updates. Apr-1997

There just aren't enough IPs to go around. There had to be a new solution and 
IPv6, while it is a great idea, just isn't as feasible as Dynamic-DNS. BTW, I 
*love* IPv6, no flames please.

> 
> I'm still posting this to the firewalls list because I believe it's
> relevant to people who are designing solutions around redundancy using NAT
> & address blocks from multiple providers, along with dynamic DNS.  It's my
> opinion that one should not do so, and in general should not use dynamic
> DNS, yet.  I will attempt to support this opinion. 

I agree, though your logic is a bit fractured ;-)

> 
> A "polite" ttl on a DNS record is about 1 week.  This is to minimize
> traffic and load caused by having to go fetch new data from the source all
> the time.  Experience has shown that DNS traffic overhead where ttl's were
> set low was quite significant.
> 
> It's not that the servers won't obey your administrative timers (they
> will), or that 20 minutes is bad response time compared to BGP route
> stabilization times(it isn't), it's the fact that, if lots of people
> started using dynamic DNS, it would become a _serious_ problem of scale,
> just like it was with HOSTS.TXT.
> 

Well, this is a change. In your previous post you stated:

------------------------
  From: "Aaron J. Peterson" <aajpeter @ best . com>
  Subject: RE: Two ISP's to one DMZ 
  Date: Tue, 8 Jul 1997 00:53:17 -0700 (PDT) 

>>> So, dynamic NAT + dynamic DNS, IMNSHO, is a poor solution due to the
>>> connectivity loss during the time required to allow all the caches of all
>>> the not-quite-bleeding-edge DNS servers to expire. 

So now it isn't cache latency, it is bandwidth that you say is the problem. 

> DNS works because: 1. it's distributed and redundant, and 2. it caches for
> significant periods of time, where "significant" is on the order of a
> week.  You will find this statement in all of the better DNS sources:
> the RFCs, O'reilly, etc.
> 

I agree that pushing the caching down to the local DNS server is good, but the 
resources used by Dynamic DNS aren't significant (see why below).

> Imagine the traffic increase at yahoo.com if dynamic DNS was widely
> adopted and their caching nameservers had to effectively re-fetch
> addresses for all active clients every 10-20 minutes, instead of once a
> week.  Here, I'll do some math. Yahoo currently gets better than 30
> million hits per day, 35% of which are unique.  I'll graciously assume 100
> bytes each per DNS query & response, ignore referral traffic, and assume
> that NS entries have arbitrarily long expire times. Note that adding these
> factors would only heighten the difference.  Also, Yahoo is connected via
> a T3, which is ~=45Mbps. 
>
<Snipped the math that showed that Dynamic DNS 7x24x365 pushes bandwidth 
through the roof!>
> 
> This amounts to *30%* of Yahoo's available bandwidth just for DNS traffic. 
> UGH! 30% of a T3!
> 
> I am pretty sure my math is correct.  If so, that proves my point that
> being dynamic and decreasing the ttl accordingly breaks the scalability of
> DNS.  Look this over.  Confirm it.  Listen to our wise ARPA fathers, and
> feel guilty that you're causing the fall of the 'Net. ;^)
> 

Your math is correct but there are two flaws in the support behind it.

1. You are assuming that everyone is a Yahoo. Do you think a client the size 
of Yahoo is going to use Dynamic DNS (if you are listening Yahoo, give us a 
call, I can do a great deal on Dynamic DNS enabled Firewalls, are you there??? 
Anyone?)? We are talking about sites without a fixed IP, that's why you use 
dynamic DNS. I think Yahoo can afford a fixed IP.

2. Let's assume that you meant that they use it for redundancy in case of link 
failure (my original argument). Do the math again, but this time show Yahoo as 
being down for 19 hours out of six months (a reasonable figure, just ask AOL 
;-) and users having to query DNS again *only* during the 19 hours. I think 
you will see the bandwidth increase is negligible.

> This ignores the push-DNS stuff, but that has not been widely implemented
> yet and the technology is imperfect, to my knowledge.  Properly designed
> push techniques would mitigate the scale impact, but to an uncertain
> degree.  Distributed algorithms are such a bother.
> 

Dynamic DNS scales much better. You also did not defend BGP. What do you do if 
it is not available from your ISP? Can you force them to offer it?

The following question is still confusing me!

*****How do you route IPs from one ISP's CIDR through another ISP???********

I really don't know. Anyone out there who can shine some light on this 
subject?

> --
> Aaron J. Peterson
> Amateur Mathematician & Pedantic Ass
> 
---------------End of Original Message-----------------

I agree it is not a perfect solution, but BGP is not universally available. If 
you want a solution that works, and is available today, use Dynamic DNS. It 
doesn't preclude you from using BGP when it becomes available.

Mike
Argumentative Greek and Internet Crash Dummy
--
08:50:05
07/09/97
_______________________________________________________________________
Michael W. Chalkley                                Tel: +1.770.823.7846
ZapNet! Inc.                                       Fax: +1.770.475.7640
Suite 400-120                                   E-mail: mikech @ well . com
10945 State Bridge Road                                mikech @ avana . net
Alpharetta, GA 30202                    (wireless) mikech @ radiomail . net