International Telecommunication Union   ITU
 
 
 Monday, July 08, 2002

The Internet's root name servers are seen as a possible soft target for distributed denial of service (DDoS) attacks (in fact, they already are, as described in this paper). A possible method to deal with this vulnerability that is getting some serious consideration is the use of IPv4 anycasting, as first conceptualized in RFC 1546. A recently released primer on anycast from Cisco can be found here (PDF). The application of anycasting to providing DNS services was explored in a number of Internet drafts which eventually became the informational RFC 3258, "Distributing Authoritative Name Servers via Shared Unicast Addresses". RFC 3258 describes how authoritative name servers with the same IP address could be replicated at different locations. The route to that shared address would be advertised from each location, and the routing protocols would direct each query to the topologically nearest server. As an example of how anycasting for the root name servers could possibly work, there is already a project, named AS112, that uses anycast to distribute the load of bogus requests for private address space (as described in RFC 1918; also see the description of the problem here). A possible benefit of using anycast for the root name service is that it may solve some technical security issues as well as some political issues (i.e., better geo-political distribution of the root name servers). On the other hand, it may make it much harder to deploy DNSSEC. It'll be interesting to watch this play out...
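To make the RFC 3258 mechanism concrete, here is an added example (not from the original note, the ITU, or any of the RFCs cited) that simulates shared-unicast routing over a small constructed topology. Every name in it is invented: three client networks, three transit networks and three root-server instances that all announce the same address. Dijkstra shortest paths stand in for BGP path selection, which is a simplification (real BGP prefers policy and AS-path length over link metrics); the point it illustrates is the one the note makes, that queries land on the nearest instance, that a flood from one region stays in that region, and that withdrawing an instance's announcement re-routes its clients to the next-nearest instance.

```python
import heapq
from collections import Counter

# Constructed toy inter-domain topology: node -> {neighbour: link cost}.
# Costs are made up; they only need to make "nearest" unambiguous.
TOPOLOGY = {
    "AS-client-EU":    {"AS-transit-1": 1},
    "AS-client-US":    {"AS-transit-2": 1},
    "AS-client-ASIA":  {"AS-transit-3": 1},
    "AS-transit-1":    {"AS-client-EU": 1, "AS-transit-2": 3, "AS-root-london": 1},
    "AS-transit-2":    {"AS-client-US": 1, "AS-transit-1": 3, "AS-transit-3": 4,
                        "AS-root-virginia": 1},
    "AS-transit-3":    {"AS-client-ASIA": 1, "AS-transit-2": 4, "AS-root-tokyo": 1},
    "AS-root-london":   {"AS-transit-1": 1},
    "AS-root-virginia": {"AS-transit-2": 1},
    "AS-root-tokyo":    {"AS-transit-3": 1},
}

# All three instances announce this one "shared unicast" address (RFC 5737
# documentation prefix, a placeholder rather than a real root-server address).
ANYCAST_ADDRESS = "192.0.2.1"
ROOT_INSTANCES = ["AS-root-london", "AS-root-virginia", "AS-root-tokyo"]


def shortest_paths(graph, source):
    """Dijkstra from `source`; returns {node: path cost}. Stand-in for BGP best-path."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def select_instance(graph, client, instances):
    """Which instance a query from `client` reaches: the lowest-cost announcer
    of the shared address (ties broken by name, a deterministic tie-break)."""
    dist = shortest_paths(graph, client)
    reachable = [(dist[i], i) for i in instances if i in dist]
    if not reachable:
        return None  # nobody is announcing the address: resolution fails
    return min(reachable)[1]


def distribute_queries(graph, queries, instances):
    """Map a list of querying clients to the instance that serves each one.
    Passing a single-element `instances` list models a plain unicast server."""
    load = Counter()
    for client in queries:
        load[select_instance(graph, client, instances)] += 1
    return load


def withdraw(graph, instance):
    """Return a copy of the topology in which `instance` has withdrawn its
    announcement, as an instance under attack or in maintenance would."""
    return {u: {v: w for v, w in nbrs.items() if v != instance}
            for u, nbrs in graph.items() if u != instance}


if __name__ == "__main__":
    # A constructed burst: 1000 queries from the EU, 10 each from US and Asia.
    burst = ["AS-client-EU"] * 1000 + ["AS-client-US"] * 10 + ["AS-client-ASIA"] * 10
    print("anycast :", dict(distribute_queries(TOPOLOGY, burst, ROOT_INSTANCES)))
    print("unicast :", dict(distribute_queries(TOPOLOGY, burst, ["AS-root-virginia"])))
    after = withdraw(TOPOLOGY, "AS-root-tokyo")
    print("tokyo withdrawn, ASIA now served by:",
          select_instance(after, "AS-client-ASIA", ROOT_INSTANCES))
```

Run as a script, the anycast line shows the EU burst confined to the London instance while Virginia and Tokyo see only their own regions' ten queries; the unicast line shows all 1020 queries converging on one server, which is the soft target the note describes. The final line shows the failover property: once Tokyo stops announcing, Asian clients are routed to Virginia rather than losing root service altogether. It also hints at the DNSSEC caveat in the note: every instance must serve identical, correctly signed zone data, because a client cannot tell which instance answered.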