SNS@ISC and Global Anycast

SNS@ISC uses Anycast DNS, but exactly what does that mean? In this document we will explore the technology of anycast, and its use by SNS@ISC.

Anycast DNS — Background

Since about the mid-1990s, it has become increasingly popular to give Domain Name Services higher availability and performance by using a technique called "anycast". Anycast DNS means a cluster of nameservers that all behave the same way, all carry the same content, and are all capable of answering the same queries, yet this cluster appears from a DNS client's point of view to be a single nameserver.

There are several kinds of Anycast DNS, depending on the size and scope of the cluster. Generally speaking anycast DNS comes in three sizes: local, networked, and internetworked. These are defined as follows:

Local Anycast

If a DNS cluster is behind a load balancer, so that queries directed at a single address will be "fanned out" to members of the cluster either at random, or based on server response times, or in some deterministic way such as round robin or flow hashing, we call this "local anycast". Local anycast can be combined with any form of anycast, including itself. (For example, 144 nameservers could be split into 12 load balanced clusters, with each cluster behind a single top level load balancer.)

Networked Anycast (sometimes called IGP Anycast)

If an enterprise, university, or ISP has a large enough network that it has multiple points of presence (POPs), then it is possible for a DNS cluster to have members in several POPs, all answering to the same address, and to use the network routing system (called an Internal Gateway Protocol or IGP) to advertise that this single address is reachable from each POP. We call this "networked anycast", and any query that's sent to the cluster's IP address will be answered in the first POP encountered by that query.

Internetworked Anycast (sometimes called EGP or Global Anycast)

If a DNS server operator places servers in many regions around the world, and receives IP connectivity from multiple providers as well as possibly peering via an EGP (External Gateway Protocol) at an "internet exchange point" (IXP) in each region, then the resulting cluster will be directly reachable by or at least "very close to" customers of other networks in all such regions.

In all three forms of anycast, the failure of any single server can at worst reduce performance for some clients, but usually failures are unnoticeable.
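The failure behaviour described above can be seen in a small routing model. This is an added example, not ISC's code: the topology, link costs, and server names are constructed, and route selection is modeled as plain shortest path, which simplifies real IGP and EGP policy.

```python
import heapq

# Constructed topology: link costs between nodes (stand-in for IGP metric or AS hops).
LINKS = {
    ("client-eu", "r-ams"): 1, ("client-us", "r-nyc"): 1, ("client-asia", "r-tok"): 1,
    ("r-ams", "r-nyc"): 4, ("r-nyc", "r-tok"): 6, ("r-ams", "r-tok"): 7,
}
# Routers announcing the same anycast address, and the server behind each one.
ANYCAST_NODES = {"r-ams": "dns-ams", "r-nyc": "dns-nyc", "r-tok": "dns-tok"}
CLIENTS = ["client-eu", "client-us", "client-asia"]

def neighbors(node):
    """Yield (neighbor, cost) for every link touching node (links are bidirectional)."""
    for (a, b), cost in LINKS.items():
        if a == node:
            yield b, cost
        elif b == node:
            yield a, cost

def catchment(client, announcing):
    """Dijkstra from the client; the first announcing router reached wins the query."""
    dist, heap = {client: 0}, [(0, client)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node in announcing:
            return announcing[node], d
        for nxt, cost in neighbors(node):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return None, None  # no instance is announcing: the address is unreachable

def catchments(announcing):
    """Map every client to the (server, path cost) that answers its queries."""
    return {c: catchment(c, announcing) for c in CLIENTS}

def withdraw(announcing, router):
    """Model a failed instance: its router stops announcing the anycast address."""
    return {r: s for r, s in announcing.items() if r != router}

if __name__ == "__main__":
    print("all up:      ", catchments(ANYCAST_NODES))
    print("tokyo failed:", catchments(withdraw(ANYCAST_NODES, "r-tok")))
```

With the Tokyo instance withdrawn, only the Asian client is affected: it still gets answers from the same address, but over a longer path.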

SNS@ISC use of Anycast DNS

SNS@ISC uses every known kind of Anycast DNS, and depending on the service level, it can use more than one kind of anycast at the same time. The services, and the kind of anycast employed by that service, are as follows:

SNS@ISC Public Benefit Anycast (SNS@ISC-PBA)

For our non-profit public benefit customers, who are eligible to use our global non-profit network (the same one used by F-Root), we use Internetworked (global) anycast. Here, a single address block is "advertised" to other networks in many regions worldwide, in the same way as is done for F-Root, and queries sent to nameservers in that address block will usually be answered by a server in the same region as each client. We call this "SNS@ISC-PB anycast". Local anycast might also be used to increase performance within an SNS@ISC-PBA regional node.

Note that SNS@ISC-PBA behaves as a single nameserver and cannot be used as a zone's only nameserver due to the protocol recommendation calling for every zone to have at least two nameservers.

SNS@ISC Public Benefit Regional (SNS@ISC-PBR)

For non-profit public benefit customers who do not want global anycast since they already have a regionalized set of non-anycasted servers, every regional member of our global anycast cluster can also be used independently. We call this "SNS@ISC-PB regional". Local anycast or networked anycast might still be used within some regions, for high availability.

SNS@ISC-PBR appears to be several distinct nameservers and so can be used as a zone's only nameservers (referring to the DNS protocol recommendation that every zone should have at least two nameservers).

SNS@ISC Commercial (SNS@ISC-COM)

For our commercial customers, who are not eligible for service on our non-profit global network, ISC has developed a commercial name service using commercial network providers. We call it "SNS@ISC Commercial" and every participating network provider assigns ISC an anycast address which we use to install a DNS cluster with members in multiple POPs around the world. Our network providers all have aggressively open "peering policies" so our SNS@ISC-COM nodes are highly available in every region where our network providers do business.

SNS@ISC-COM can be used as a zone's only name service, since each SNS@ISC network provider appears as a single distinct name server, referring once again to the DNS protocol recommendation that every zone have at least two nameservers.

Note that SNS@ISC-PB customers, being non-profit public benefit networks, pay no fee for best efforts service, but they can pay a fee for a service guaranty if they require such a contract. SNS@ISC-COM customers, being commercial entities, must always pay a fee and always have a contract.

Every SNS@ISC customer is attached to an SNS@ISC cluster (SNS@ISC-PBA, SNS@ISC-PBR, SNS@ISC-COM) and can select, for their zones, which of that SNS@ISC cluster's public servers they want to have carrying those zones. Typically a customer will select all available public servers within their cluster. It is the customer's responsibility to work with their registrar to change each zone's nameserver list to "point at" the appropriate SNS@ISC public servers, and to place these nameserver names in each zone at the "apex NS".

Putting it in Perspective

SNS@ISC is dedicated to the proposition that domain holders ought to operate their own primary name server, and that they ought to control their own DNS content by making changes to the data carried by that primary server. At ISC we know that many domain holders do not have the network capacity to answer queries for their DNS zones, and so, many primary name servers will not be "advertised". We call this "stealth primary domain name service" and if that's what a customer wants to do, ISC can still help publish the zone data.

At ISC we know that many domains have a commercial or private purpose, and that many other domains are noncommercial, non-profit, public benefit. We know that some non-profits need and can afford service guaranties but that many cannot. No matter what a customer's financial nature or capability, SNS@ISC can help publish the zone data.

We know that some domain holders are looking for a single globally anycast nameserver to add to the set of servers they already use, whereas others want regional nonanycast service, still others will want multiple global anycast servers, and that of those, some will use SNS@ISC exclusively, and some will use our service alongside their own privately operated servers or perhaps alongside other outsourced DNS services. SNS@ISC can do any or all of this.

CCTLD Premium Services

All CCTLD zones are eligible for SNS@ISC-PB if the CCTLD operator so chooses, since ISC considers all CCTLDs to have public benefit even if their operators are commercial entities.

For CCTLD zones we can dedicate an IP address within our EGP anycast address block so that the TLD zone's servers have names and addresses unique to that zone while still benefitting from ISC's global network.

CCTLD operators who have their own IP address block that they use for global anycast can use that address space from within SNS@ISC by special arrangement.
