sub-basement multihoming (Re: Verio Peering Question)

> or any other criteria, then the name for this is: "broken."

I suppose you don't do split-horizon DNS, then?

Of course I do. With a NAT or firewall box between the different sets of
users so that no DNS data can leak between the deviant worldviews.

There obviously is a need for an 'official' method to do global load
balancing using DNS.

Ouch! No, there isn't. Not "obvious" to me, that is.

Let's face it, people are doing it now on a not so large scale but that
is rapidly changing because of the introduction of both hardware and
software solutions that (mis)use DNS to overcome its current limitation.

DNS has no current limitation that is relaxed by making it less coherent.
People abuse DNS due to limitations in other parts of the TCP/IP stack, but
DNS coherency introduces no problems of this kind on its own behalf.

I'm not very interested in the discussion why this behaviour would be
broken. It's far more interesting to talk about improving DNS so that
there will be room for things like load balancing or dynamic DNS. In
such a way that people will not start screaming when they see TTLs of
30 seconds or non-linear behaviour of load balancers.

If your goal is to arrange for global content mirroring, and binding of
content clients to whichever content server will give them the best
measured performance for any given transaction, then using DNS qualifies
for a "you're digging in the wrong place" award. (You won't find what
you're looking for but you will make a hell of a mess everyplace else.)

Note that if you'd like to debate fine points of DNS, there's a mailing
list (namedroppers@ops.ietf.org) for it, and that such traffic would be
off-topic for this (nanog@) list.

There's an Akamai across the hall from my office, and the way it was
explained to *me* was that the DNS always returns the same IP address
for a given Akamai'zed page (so the URLs in the HTML are consistent),
but routing games are used to direct the packets to the appropriate
server. In other words, it's one IP that points to disparate machines.

        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech

They lied to you (I don't remember who a96.g.akamai is; it's some
well-known Akamai customer, maybe CNN):
vivienm@quartz:~$ nslookup a96.g.akamai.net
Server: quartz.bos.dyndns.org
Address: 66.37.218.198

Non-authoritative answer:
Name: a96.g.akamai.net
Addresses: 216.32.119.10, 216.32.119.74

vivienm@quartz:~$ nslookup a96.g.akamai.net amethyst.ith.dyndns.org
Server: amethyst.ith.dyndns.org
Address: 216.7.11.130

Non-authoritative answer:
Name: a96.g.akamai.net
Addresses: 207.127.111.70, 207.127.111.73

vivienm@nickel:~$ nslookup a96.g.akamai.net
Server: zinc.fmt.dyndns.org
Address: 64.71.191.27

Non-authoritative answer:
Name: a96.g.akamai.net
Addresses: 64.21.49.15, 64.21.49.36

vivienm@lapis:~$ nslookup a96.g.akamai.net
Server: 212.100.224.10
Address: 212.100.224.10#53

Name: a96.g.akamai.net
Address: 64.124.157.126
Name: a96.g.akamai.net
Address: 64.124.157.91

[from my home box]

vivienm@deep:~$ nslookup a96.g.akamai.net
Server: proxy1.slnt1.on.wave.home.com
Address: 24.112.33.4

Name: a96.g.akamai.net
Addresses: 65.163.234.8, 65.163.234.24

[from one of your DNS servers]
vivienm@quartz:~$ nslookup a96.g.akamai.net milo.cns.vt.edu
Server: milo.cns.vt.edu
Address: 198.82.247.98

Name: a96.g.akamai.net
Addresses: 198.82.164.48, 198.82.164.40

I'm sure I could keep going if you really wanted, but I think that's
enough to prove the point...

Vivien
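The transcript above is the whole argument in one screen: the same name, six resolvers, six different answer sets. As an added example (not code from the post, and not anything Akamai or DynDNS ships), here is a small parser for the two nslookup output layouts that appear above, followed by the coherence check Vixie is describing: does every resolver see the same RRset? The transcript embedded in the block is copied from the post; the function and variable names are my own.

```python
import re
from collections import defaultdict

# nslookup sessions copied from the post above.  The prompts are kept so the
# parser can tell sessions apart; everything else is the poster's own output.
NSLOOKUP_TRANSCRIPT = """\
vivienm@quartz:~$ nslookup a96.g.akamai.net
Server: quartz.bos.dyndns.org
Address: 66.37.218.198

Non-authoritative answer:
Name: a96.g.akamai.net
Addresses: 216.32.119.10, 216.32.119.74

vivienm@quartz:~$ nslookup a96.g.akamai.net amethyst.ith.dyndns.org
Server: amethyst.ith.dyndns.org
Address: 216.7.11.130

Non-authoritative answer:
Name: a96.g.akamai.net
Addresses: 207.127.111.70, 207.127.111.73

vivienm@nickel:~$ nslookup a96.g.akamai.net
Server: zinc.fmt.dyndns.org
Address: 64.71.191.27

Non-authoritative answer:
Name: a96.g.akamai.net
Addresses: 64.21.49.15, 64.21.49.36

vivienm@lapis:~$ nslookup a96.g.akamai.net
Server: 212.100.224.10
Address: 212.100.224.10#53

Name: a96.g.akamai.net
Address: 64.124.157.126
Name: a96.g.akamai.net
Address: 64.124.157.91

vivienm@deep:~$ nslookup a96.g.akamai.net
Server: proxy1.slnt1.on.wave.home.com
Address: 24.112.33.4

Name: a96.g.akamai.net
Addresses: 65.163.234.8, 65.163.234.24

vivienm@quartz:~$ nslookup a96.g.akamai.net milo.cns.vt.edu
Server: milo.cns.vt.edu
Address: 198.82.247.98

Name: a96.g.akamai.net
Addresses: 198.82.164.48, 198.82.164.40
"""

# A shell prompt followed by an nslookup invocation starts a new session.
PROMPT_RE = re.compile(r"^\S+@\S+:\S*\$\s+nslookup\s+(\S+)")


def parse_nslookup(text):
    """Return {resolver: set of answer addresses} for every session in the text.

    Both answer layouts seen above are handled: one "Addresses: a, b" line, or
    repeated "Name:" / "Address:" pairs.  The "Address:" line that directly
    follows "Server:" is the resolver's own address; it is skipped because no
    "Name:" line has been seen yet in that session.
    """
    answers = defaultdict(set)
    resolver = None
    seen_name = False
    for raw in text.splitlines():
        line = raw.strip()
        if PROMPT_RE.match(line):
            resolver, seen_name = None, False
        elif line.startswith("Server:"):
            resolver = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            seen_name = True
        elif seen_name and resolver and line.startswith(("Address:", "Addresses:")):
            for addr in line.split(":", 1)[1].split(","):
                answers[resolver].add(addr.strip())
    return dict(answers)


def distinct_answer_sets(answers):
    """Sorted list of the distinct RRsets observed, one per 'worldview'."""
    return sorted({tuple(sorted(addrs)) for addrs in answers.values()})


def is_coherent(answers):
    """Coherent in the sense used in this thread: every resolver saw the same RRset."""
    return len(distinct_answer_sets(answers)) <= 1


if __name__ == "__main__":
    result = parse_nslookup(NSLOOKUP_TRANSCRIPT)
    for resolver, addrs in result.items():
        print(f"{resolver:32} {', '.join(sorted(addrs))}")
    print("coherent:", is_coherent(result),
          "| distinct answer sets:", len(distinct_answer_sets(result)))
```

Run against the pasted transcript it reports six resolvers and six distinct answer sets, i.e. not coherent. Feeding it the output of the same query from your own vantage points is the quickest way to find out whether a name you depend on is served this way before you build anything (monitoring, allow-lists, split-horizon views) that assumes one name means one RRset.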

It's too bad that namedroppers can't be referred to as a free and open forum
to discuss such issues (see http://cr.yp.to/djbdns/namedroppers.html)

--Adam

> But the main question is, if this is "broken.", please elaborate what
> exactly "breaks."

I take it that unless I can point to some specific situation in which some
specific application or user community is negatively impacted by this,
you'll go on assuming that this deviant behaviour is merely an exercise in
creativity.

The way to go about this is to see if breaking existing practice will break
current implementations and plausible future implementations.

If that's not the case, though, consider that a correct implementation of
DNS would be within its rights to take note of the "same serial number but
incoherent answers" condition and declare the zone unreachable. I'm not

Would be pretty silly, and overstepping the robustness principle.

DNS is about fact, not value -- it's about mechanism, not policy.

No matter how you slice it, intentionally incoherent DNS zones are "broken."

So by your logic, by making sure that the serial numbers never match, we
would 'unbreak' the situation? Seems like a step in the wrong direction.

Regards,

bert

Date: Sat, 6 Oct 2001 19:17:39 +0200
From: bert hubert <ahu@ds9a.nl>

[ snip ]

It gets even better - recursing nameservers have the habit of
locking in to nameservers that respond quickest. So you even
get some loadbalancing awareness.

Odd. I've investigated this effect (well aware of it in theory)
with stateside-only machines, and DNS frequently returns a
horrible choice. Maybe caching prevents enough authoritative
answers from being returned to cancel out the noise, but I've
seen the opposite of what you report.

We operate nameservers in the US and in Europe, and we
definitely see this effect.

Maybe it works well over different continents, but simple "use
different IPs from different NS" has not given desirable results
in my experience.

Then we have the failover and TTL issues...

Eddy

It's too bad that namedroppers can't be referred to as a free and open forum
to discuss such issues (see http://cr.yp.to/djbdns/namedroppers.html)

Oh god, not that again. Listen, if you want a forum where anybody can say
anything to anybody about anything at any time, then start one, go read
alt.flame. In neither case will you find me there. In the real life of
nominal grownups, some things are limited in some places at some times.

The way to go about this is to see if breaking existing practice will break
current implementations and plausible future implementations.

Allow me to apologize, once again, to Microsoft. In the NT 3.5.1 resource kit
they shipped a DNS server which had to do its zone transfers one record per
message since "existing practice" and "current implementations" meant BIND4
which knew no other way. Fortunately we didn't write a BCP describing BIND4's
deviant behaviour, but rather, fixed it in BIND8 and beyond.

> If that's not the case, though, consider that a correct implementation of
> DNS would be within its rights to take note of the "same serial number but
> incoherent answers" condition and declare the zone unreachable. I'm not

Would be pretty silly, and overstepping the robustness principle.

Whether behaviour is robust enough to be called a BCP or not is fodder for a
detailed analysis amongst people who *want* to study and debate such things.
That mailing list, for DNS, is called namedroppers@ops.ietf.org. (Not NANOG.)

So by your logic, by making sure that the serial numbers never match, we
would 'unbreak' the situation? Seems like a step in the wrong direction.

There is, simply is and we're not going to argue about it, an identity mapping
between a zone's contents and a zone's serial number. If you don't like that
then you should find a way to change it. Which direction is "wrong" is better
discussed on namedroppers@ops.ietf.org than here.
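The two positions in this exchange (a correct implementation "would be within its rights" to refuse a zone whose servers agree on the serial but disagree on the data, versus "overstepping the robustness principle") can be written down as a check. This is an added illustration, not code from either poster; the `ZoneView` records, server names and RRsets are constructed sample data, and the `strict` switch is my way of naming the two readings.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneView:
    """What one authoritative server returned for a zone: its SOA serial and
    the A RRset it gave for one name.  Constructed sample data, not real
    query results."""
    server: str
    serial: int
    rrset: frozenset


def classify_zone(views):
    """Apply the identity mapping Vixie states between serial and contents:
    two servers that agree on the serial must agree on the data.

    Returns one of:
      "coherent"   - same serial, same RRset on every server
      "lagging"    - RRsets differ only across different serials, which a
                     zone transfer still in flight legitimately explains
      "incoherent" - the same serial yields different RRsets, the
                     condition a strict resolver could treat as unreachable
    """
    rrsets_by_serial = defaultdict(set)
    for view in views:
        rrsets_by_serial[view.serial].add(view.rrset)
    if any(len(rrsets) > 1 for rrsets in rrsets_by_serial.values()):
        return "incoherent"
    if len(rrsets_by_serial) > 1:
        return "lagging"
    return "coherent"


def zone_usable(views, strict):
    """strict=True is the behaviour Vixie says a correct implementation may
    adopt (refuse an incoherent zone); strict=False is the robustness-principle
    reading bert prefers, which keeps answering from whatever it received."""
    return not strict or classify_zone(views) != "incoherent"


# Constructed scenarios.  Serials follow the common YYYYMMDDnn convention.
A1 = frozenset({"192.0.2.1", "192.0.2.2"})
A2 = frozenset({"192.0.2.1", "192.0.2.3"})
SAMPLES = {
    "consistent": [ZoneView("ns1.example", 2001100601, A1),
                   ZoneView("ns2.example", 2001100601, A1)],
    "transfer in flight": [ZoneView("ns1.example", 2001100602, A2),
                           ZoneView("ns2.example", 2001100601, A1)],
    "load-balancer worldviews": [ZoneView("ns1.example", 2001100601, A1),
                                 ZoneView("ns2.example", 2001100601, A2)],
}

if __name__ == "__main__":
    for name, views in SAMPLES.items():
        print(f"{name:26} {classify_zone(views):10} "
              f"strict={zone_usable(views, True)} lenient={zone_usable(views, False)}")
```

The point of separating "lagging" from "incoherent" is that a secondary one serial behind is normal and self-healing, while two servers claiming the same serial with different contents can never be reconciled by waiting; the check therefore needs the SOA serial alongside the answer, which is also why the "make the serials never match" idea in the reply changes the classification without changing what the clients see.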

I take it that unless I can point to some specific situation in which some
specific application or user community is negatively impacted by this,
you'll go on assuming that this deviant behaviour is merely an exercise in
creativity.

The way to go about this is to see if breaking existing practice will break
current implementations and plausible future implementations.

we call it 'architecture' when we can see it won't work from flaws
in the design. we call it a stupid mess when we test a broken
design because we lack architectural judgement.

randy

Ahh, and you're the one deciding if conversation is allowed to happen and
what specifically is said on the list Paul keeps mentioning to discuss DNS
evolution?

No thanks.

> Oh god, not that again. Listen, if you want a forum where anybody can say
> anything to anybody about anything at any time, then start one, go read
> alt.flame. In neither case will you find me there. In the real life of
> nominal grownups, some things are limited in some places at some times.
*shrug*
Most mailing lists I am on seem to get by fine without overt
moderation - including this one. Most moderated lists I am on seem to
get by with thread killing - an argument is allowed to run for a few
posts, then the moderator posts that he is officially killing the
thread, and further posts on that will be rejected (and should be taken
to email). Prefiltering to suit *any* one individual's opinion of what is
or isn't on topic seems highly suspect for any list, and unacceptable on
a list supposedly to define policy. Note I have never read the list in
question, so am arguing on general principles here, not this specific
instance..... perhaps a parallel list setup (with $listname and
$listname-filtered) could be set up with posts making it to the second
list only with moderator approval?

Most mailing lists I am on seem to get by fine without overt
moderation - including this one.

you have your facts wrong. the operators of this mailing list are perfectly
capable of sending private mail to people like me who keep posting off-topic
drivel like the message i am now typing.

Most moderated lists I am on seem to get by with thread killing - an
argument is allowed to run for a few posts, then the moderator posts that
he is officially killing the thread, and further posts on that will be
rejected (and should be taken to email).

sure. namedroppers@ops.ietf.org works that way, as an example of one such.

Prefiltering to suit *any* one individual's opinion of what is or isn't on
topic seems highly suspect for any list, and unacceptable on a list
supposedly to define policy.

so in order for a policy-defining forum to be considered representative, it
must be open to all posts on all topics from all parties at all times? that
does not match my intuition on the matter.

Note I have never read the list in question, so am arguing on general
principles here, not this specific instance..... perhaps a parallel list
setup (with $listname and $listname-filtered) could be set up with posts
making it to the second list only with moderator approval?

i'm sure that if one were set up it would be used by many people. (not me.)

> > Most mailing lists I am on seem to get by fine without overt
> > moderation - including this one.
> you have your facts wrong. the operators of this mailing list are perfectly
> capable of sending private mail to people like me who keep posting off-topic
> drivel like the message i am now typing.

yup - I have had one or two of those (admittedly justified too :) but
there is a difference between a handslap by private email and censorship
by selectively rejecting posts; there is also a much bigger difference
between a handslap over something already posted (even in public) and
precensorship by making sure the rest of the list never see the posts in
question in the first place.

> > Most moderated lists I am on seem to get by with thread killing - an
> > argument is allowed to run for a few posts, then the moderator posts that
> > he is officially killing the thread, and further posts on that will be
> > rejected (and should be taken to email).
> sure. namedroppers@ops.ietf.org works that way, as an example of one such.
I am not in a position to argue this one either way - I don't sub to
that list, having little to contribute.
If you say that namedroppers is not in the class of lists I am
attacking, then I am happy to take your word for it :)

> > Prefiltering to suit *any* one individual's opinion of what is or isn't on
> > topic seems highly suspect for any list, and unacceptable on a list
> > supposedly to define policy.
> so in order for a policy-defining forum to be considered representative, it
> must be open to all posts on all topics from all parties at all times?

no, but it must be open to anything even *remotely* on topic, or how can
you make a balanced judgement? If individual people are offensive to
individual readers, they have killfilters...
Meta-discussion (to a certain extent) must also be on topic -
particularly discussion of the list charter.

> > Note I have never read the list in question, so am arguing on general
> > principles here, not this specific instance..... perhaps a parallel list
> > setup (with $listname and $listname-filtered) could be set up with posts
> > making it to the second list only with moderator approval?
> i'm sure that if one were set up it would be used by many people. (not me.)
I don't see why not - if it were reversed (and $listname and
$listname-unfiltered) would that be more acceptable to you? it would
even be transparent (you need change nothing, and everything will look
just as it was)

Akamai hostnames do not map to specific customers; that information is
part of the metadata that follows the hostname. Obviously, the customer ID
and the source server must match or else no cachey cachey. :) The number
in the hostname figures into Akamai's load balancing algorithm, IIRC.

What actually happens is a type of "mapping" that tries to nail down the
network location of the source IP that's on the DNS query, and returns the
IP of the cache server that's hopefully closest to that source IP.

Most of the time this works well, although it's not extremely precise;
the most obvious caveat is that the source IP recorded is that of the
DNS resolver, not the HTTP client. If your workstation on UUNet in Washington
is configured to query a name server that's on, say, Level3's network in
Seattle, Akamai's servers will use the latter location for this
evaluation, with the obvious sub-optimal result. But the majority of the
time, it delivers the IP of a machine that's closer to the end user than the
customer's server. And the customer gets the benefit of reduced outbound
traffic and server load in any case.

It's particularly effective at my office, as my workstation is 4ms away
from the Akamai server in our local data center. But my home DSL service,
for which the other end of the PVC lives at the same site, is served by an
Akamai server in Philadelphia. Go figure.

-Chris
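The mapping Chris describes, and its main caveat, are easy to see in a few lines. As an added example (not Akamai's code, not code from the post), the block below models a mapper that only ever sees the resolver's source address, picks the cache site nearest to that address by longest-prefix match, and then compares the result with what the HTTP client itself would have deserved. The cache sites, the prefix table and the addresses are all constructed (documentation ranges and RFC 1918 space), so the "Washington" and "Seattle" labels are stand-ins for the providers named in the post, not real topology.

```python
import ipaddress

# Constructed topology: documentation-range addresses, not real Akamai or ISP data.
# Each cache site has one address the mapper can hand out.
CACHE_SITES = {
    "washington": "192.0.2.10",
    "seattle": "198.51.100.10",
    "philadelphia": "203.0.113.10",
}

# Assumed mapping table: which cache site is "closest" to a source prefix.
# The labels mirror the post: a workstation on one provider in Washington,
# a resolver on another provider in Seattle.
PREFIX_TO_SITE = [
    (ipaddress.ip_network("10.1.0.0/16"), "washington"),
    (ipaddress.ip_network("10.2.0.0/16"), "seattle"),
    (ipaddress.ip_network("10.3.0.0/16"), "philadelphia"),
]
DEFAULT_SITE = "philadelphia"  # what an unknown prefix falls back to


def nearest_site(ip):
    """Longest-prefix match of a source address against the mapping table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in PREFIX_TO_SITE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else DEFAULT_SITE


def map_query(resolver_ip):
    """The authoritative mapper's view: it sees only the resolver's address.
    Returns (site, cache address) chosen for that resolver."""
    site = nearest_site(resolver_ip)
    return site, CACHE_SITES[site]


def simulate(client_ip, resolver_ip):
    """Compare the site the client should get with the site the resolver's
    location actually yields; 'suboptimal' is the caveat from the post."""
    ideal = nearest_site(client_ip)
    chosen, cache_ip = map_query(resolver_ip)
    return {"ideal_site": ideal, "chosen_site": chosen,
            "cache_ip": cache_ip, "suboptimal": ideal != chosen}


if __name__ == "__main__":
    # Workstation and resolver on the same network: mapping works.
    print(simulate("10.1.5.5", "10.1.0.53"))
    # Workstation in "Washington", resolver in "Seattle": wrong site chosen.
    print(simulate("10.1.5.5", "10.2.0.53"))
    # Unknown prefix falls through to the default site ("go figure").
    print(simulate("172.16.0.1", "172.16.0.53"))
```

The second call is the DSL case at the end of the post in miniature: the answer is a property of where the query came from, not of where the browser is. The later fix for exactly this gap is EDNS Client Subnet (RFC 7871), which lets a resolver forward a truncated client prefix so the mapper can key on it instead of on the resolver.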

> Most mailing lists I am on seem to get by fine without overt
> moderation - including this one.

you have your facts wrong. the operators of this mailing list are perfectly
capable of sending private mail to people like me who keep posting off-topic
drivel like the message i am now typing.

> Most moderated lists I am on seem to get by with thread killing - an
> argument is allowed to run for a few posts, then the moderator posts that
> he is officially killing the thread, and further posts on that will be
> rejected (and should be taken to email).

sure. namedroppers@ops.ietf.org works that way, as an example of one such.

You've conveniently failed to address the issue where the list moderator of
namedroppers took it upon himself to edit the content of posts before
forwarding them to the list.

> Prefiltering to suit *any* one individual's opinion of what is or isn't on
> topic seems highly suspect for any list, and unacceptable on a list
> supposedly to define policy.

so in order for a policy-defining forum to be considered representative, it
must be open to all posts on all topics from all parties at all times? that
does not match my intuition on the matter.

This is a straw man. The messages that were sent clearly fell within the
list's charter, yet they were rejected and/or edited by the moderator for what
appear to be entirely personal reasons.

--Adam

You've conveniently failed to address the issue where the list moderator
of namedroppers took it upon himself to edit the content of posts before
forwarding them to the list.

I'm ignoring that claim, yes. I'm not sure how "convenient" it is for me.

... The messages that were sent clearly fell within the list's charter,
yet they were rejected and/or edited by the moderator for what appear to
be entirely personal reasons.

Randy can be hard to take sometimes (unlike, say, me) but I completely trust
his judgement as to what is, and is not, topical for the namedroppers@ list.

Remember, if you wanted to start a nam3dr0pp3rs@ list someplace else and post
introductions to it on ietf@ and namedroppers@, no one could stop you. So if
you or anyone else is thinking of claiming to be experiencing censorship, I
hope you've got evidence of prior restraint to back that claim up. Your iron,
your lists, your rules. Go for it. Best of luck, and all that.

> You've conveniently failed to address the issue where the list moderator
> of namedroppers took it upon himself to edit the content of posts before
> forwarding them to the list.

I'm ignoring that claim, yes. I'm not sure how "convenient" it is for me.

In your first post to NANOG on this issue, you stated that the namedroppers
list was "to debate the fine points of DNS". From what I've read at
http://cr.yp.to/djbdns/namedroppers.html, this does not appear to be the
case.

> ... The messages that were sent clearly fell within the list's charter,
> yet they were rejected and/or edited by the moderator for what appear to
> be entirely personal reasons.

Randy can be hard to take sometimes (unlike, say, me) but I completely trust
his judgement as to what is, and is not, topical for the namedroppers@ list.

I suppose it's easy to feel that way when you're not the one being censored.

Remember, if you wanted to start a nam3dr0pp3rs@ list someplace else and post
introductions to it on ietf@ and namedroppers@, no one could stop you.

That's incorrect. The moderator could stop me. Also, it wouldn't matter if
I made my own list, because any list I created would not be the official list
of the DNSEXT working group.

So if you or anyone else is thinking of claiming to be experiencing censorship,
I hope you've got evidence of prior restraint to back that claim up. Your iron,
your lists, your rules. Go for it. Best of luck, and all that.

I was merely pointing out that the namedroppers list is not exactly the open
forum that you purported it to be. I posted a link to a web page (above) in
support of this claim. You have not yet refuted anything that is published
on that page.

--Adam

On a more practical note, because of the moderation namedroppers is not as
effective as it could be. Mr Bush is as active a moderator as you could wish
for, often working at all hours but so far the moderation has not had any
additional value - it halts discussion. If people find contributions of
certain subscribers less than useful, they are free to use procmail.

Regards,

bert
(the only reason for posting this message here is that it pertains to the
entire dns community, not just the select few who are subscribed to
namedroppers).

I suppose it's easy to feel that way when you're not the one being censored.

As before, you presume much. Randy has rejected articles from me before on
the grounds that they were off-topic. Upon reflection, I had to agree w/ him.
(And I'm still waiting for Sue to tell me to stop contributing to this thread,
on the same basis, and I will agree with her, too.)

> Remember, if you wanted to start a nam3dr0pp3rs@ list someplace else and
> post introductions to it on ietf@ and namedroppers@, no one could stop you.

That's incorrect. The moderator could stop me.

On the grounds that the creation of an alternative mailing list was off-topic?
That would be quite a spectacle. Please do it, I'd like to see the results.

Also, it wouldn't matter if I made my own list, because any list I
created would not be the official list of the DNSEXT working group.

So your beef is with IETF process (sanctioning restricted forums) rather than
with the restrictedness of the forum? You think the IETF has some kind of
monopoly on discussions of DNS's fine points and that because of this we ought
to continue debating those fine points on other lists, like this one?

I was merely pointing out that the namedroppers list is not exactly the open
forum that you purported it to be. I posted a link to a web page (above) in
support of this claim. You have not yet refuted anything that is published
on that page.

You've got THAT right, at least.