ISC uses an unusual routing configuration for the F-Root name server. While the configuration is relatively easy to understand, it’s hard to deduce by looking at the routing tables. We’ll explain it here!
The network 192.5.4.0/23 is used for F-Root. The reasons for using this block are historical and unimportant, but the fact that it is a /23 is very important. Looking in the global routing table, you’ll find 192.5.4.0/23 routed worldwide; ISC has obtained multiple transit providers for this network to provide excellent access to F-Root.
Looking at 192.5.4.0/23 alone, F-Root appears to be a single global node serving the entire world. In fact, it is not a single node. Internal to our network, we anycast the F-Root “global nodes” that handle the traffic destined to this prefix.
ISC went a step further though, exploiting the fact that the prefix is a /23: a more specific /24 can be carved out of it and announced separately. In over 50 locations worldwide ISC has enabled “local nodes”. Typically an F-Root local node is at a local Internet exchange, although sometimes at a local PTT or university. These local nodes are designed to serve the local community, providing lower-latency, high-reliability access to local users all around the world.
ISC could announce the /23 at these locations in a typical anycast configuration. ISC opted for a more interesting configuration though, announcing at these locations 192.5.5.0/24 with the BGP well-known community NO_EXPORT (RFC 1997) set. Longest-prefix matching means that anyone who learns the /24 prefers it over the /23, so those local to a local node receive the more specific /24 and route their traffic to that node. Why set NO_EXPORT? A router that receives a route carrying NO_EXPORT may use it and pass it around inside its own AS, but must not advertise it to any other AS. Without it, the /24 would leak into the global table and attract traffic from halfway around the world to a local node, which would be bad: some of these nodes are in far-flung parts of the world, and even behind slow satellite links. They are there to serve the local community, not the wider Internet (which is served by the global nodes).
One of the most common questions received is from ISPs peering with a local node. They want to drop the NO_EXPORT and send the prefix on to their customers. This is absolutely not necessary. The ISP has 192.5.4.0/23 from the global nodes, and is sending that to their customers. Customers will send traffic for F-Root into the ISP network automatically. Having the 192.5.5.0/24 route inside the ISP network will then “short-circuit” the traffic to the best local node.
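The propagation and forwarding logic described in the two paragraphs above, worked through in code. This is an added example, not ISC's software: the three-AS topology (a transit carrier, an ISP peering with a local node at an exchange, and a single-homed customer of that ISP) is constructed for illustration, and the routers are reduced to a flat RIB with longest-prefix match and the RFC 1997 NO_EXPORT rule. It also runs the IPv6 pair (2001:500:2E::/47 and 2001:500:2F::/48) through the same model, since the configuration is identical.

```python
"""Simulate F-Root's two-tier announcement: a /23 from the global nodes and a
more-specific /24 tagged NO_EXPORT from each local node.  Added illustration,
not ISC's code; 'transit', 'isp' and 'customer' are a constructed topology."""
import ipaddress
from dataclasses import dataclass

NO_EXPORT = 0xFFFFFF01  # RFC 1997 well-known community, usually written 65535:65281


@dataclass(frozen=True)
class Route:
    prefix: str                     # e.g. "192.5.5.0/24"
    next_hop: str                   # neighbouring AS name, or the serving node
    communities: frozenset = frozenset()

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


class AS:
    """One autonomous system: a flat RIB plus eBGP export rules."""

    def __init__(self, name):
        self.name = name
        self.rib = []

    def learn(self, routes):
        self.rib.extend(routes)

    def export_to(self, neighbour, strip_no_export=False):
        """eBGP export: rewrite the next hop to ourselves and, per RFC 1997,
        keep NO_EXPORT routes inside this AS unless the operator strips the
        community deliberately (the 'drop NO_EXPORT' request from the text)."""
        for r in self.rib:
            if NO_EXPORT in r.communities and not strip_no_export:
                continue
            comms = frozenset() if strip_no_export else r.communities
            neighbour.learn([Route(r.prefix, self.name, comms)])

    def lookup(self, dst):
        """Longest-prefix match: this is what lets the /24 beat the /23."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.rib if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)


def trace(ases, start, dst, max_hops=8):
    """Forward a packet for dst hop by hop from AS `start`; returns the ASes
    crossed and the F-Root node that finally answers."""
    hops, cur = [start], ases[start]
    for _ in range(max_hops):
        r = cur.lookup(dst)
        if r is None:
            raise LookupError(f"{cur.name} has no route to {dst}")
        hops.append(r.next_hop)
        if r.next_hop not in ases:          # reached an F-Root node, not an AS
            return hops
        cur = ases[r.next_hop]
    raise RuntimeError("forwarding loop")


def build(global_prefix, local_prefix, strip_no_export=False):
    transit = AS("transit")      # carries the /23 from the global nodes
    isp = AS("isp")              # peers with a local node at the exchange
    customer = AS("customer")    # single-homed behind isp
    transit.learn([Route(global_prefix, "global-node")])
    # The local node announces only the more-specific prefix, tagged NO_EXPORT.
    isp.learn([Route(local_prefix, "local-node", frozenset({NO_EXPORT}))])
    transit.export_to(isp)
    isp.export_to(customer, strip_no_export)
    return {a.name: a for a in (transit, isp, customer)}


def prefixes(as_):
    """Sorted list of prefixes an AS has learned."""
    return sorted(r.prefix for r in as_.rib)


if __name__ == "__main__":
    cases = [("192.5.4.0/23", "192.5.5.0/24", "192.5.5.241"),
             ("2001:500:2e::/47", "2001:500:2f::/48", "2001:500:2f::f")]
    for g, l, target in cases:
        net = build(g, l)
        print(target, "from customer:", trace(net, "customer", target))
        print(target, "from transit: ", trace(net, "transit", target))
        print("customer RIB:", prefixes(net["customer"]))
        # Stripping NO_EXPORT enlarges the customer's RIB but not the path.
        print("customer path, NO_EXPORT stripped:",
              trace(build(g, l, True), "customer", target))
```

The run shows the point of the FAQ: the customer only ever holds the /23, yet its F-Root queries still end at the local node, because the ISP's own longest-prefix match picks the /24 once the packet arrives. Stripping NO_EXPORT adds the /24 to the customer's table and changes nothing about the path, while an ISP that went on to export the /24 to its transit would pull distant traffic onto the local node. To check which node your own resolver actually reaches, F-Root answers the BIND CHAOS-class query `dig +short @192.5.5.241 hostname.bind CH TXT`, and on your router the /24 should show up tagged no-export in `show ip bgp 192.5.5.0/24` (or your platform's equivalent) only if you peer with a local node.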
Note that, unrelated to F-Root, ISC uses the other half of the /23, 192.5.4.0/24, for a service we call SNS. That /24 is anycasted from a different set of sites for that project.
What about IPv6? The exact same configuration applies, only with different networks. Replace 192.5.4.0/23 with 2001:500:2E::/47, and replace 192.5.5.0/24 with 2001:500:2F::/48, and you have the IPv6 configuration! ISC has been working to get all of the local nodes IPv6 enabled, and has implemented this on over two-thirds of them already.
If you want to peer with an ISC local node, visit our Network Peering page.