Internet2 Network Security SIG

[David Farmer <>]

I don't disagree, but I was looking for low hanging TLD fruit so to speak. Which as I know of, is COM and Net with a J-root instance, the the CC TLDs hosted by PCH, everything else will be much more complicated, but I'm not implying they are not important.  

I wonder if we could get Educause and Verisign to host EDU on some J-root instances within the R&E network.

Thanks

On Fri, Nov 3, 2017 at 11:45 AM, Steven Wallace <> wrote:

IMO, we’ll need .us (zoom), .edu, .org. net, .us, too.

On Nov 3, 2017, at 12:34 PM, David Farmer <> wrote:

On Fri, Nov 3, 2017 at 11:19 AM, Steven Wallace <> wrote:

I second this. We’ve been approved to host a RIPE root. Very straightforward. Our cost, small server, space, power…they manage it.

Should we host some of the TLDs too?

Verisign's RIRS includes a local TLDs for .COM and .NET

Packet Clearing House hosts several CC TLDs, see;

https://www.pch.net/services/dns_anycast  

They will provide nodes at Internet Exchanges, we are looking at one for MICE.

For much of this it is probably best to talk to people at NANOG, and the Peering Personals.

For example Verisign had a table at the last Peering Personals.

On Nov 3, 2017, at 12:14 PM, David Farmer <> wrote:

As for root issues;  Getting a local anycast root provided by one of the root providers is not that hard and probably a service each of us can provide to our regional communities.  Especially if you are local peering or have a local internet exchange in your region. I'm looking at hosting one or two, along with the F-root already hosted by Cloudflare in Minneapolis.

http://www.verisigninc.com/rirs

https://www.dns.icann.org/lroot/host/

https://www.isc.org/f-root/hosting-an-f-root-node/

https://www.ripe.net/analyse/dns/k-root/hosting-a-k-root-node

For the map of root server see and their anycast nodes see;

http://root-servers.org/

Ensuring there is at least 1 anycast node in your state or major metro area is probably a reasonable goal, and larger metro areas probably more that one,  

Also, since the root zone is now DNSSec signed you can download a signed copy of the root zone and set up your own private root server for internal use and know you have authoritative information.   

On Fri, Nov 3, 2017 at 9:54 AM, Steven Wallace <> wrote:

My scenario is loss of Internet connectivity. That would include loss of TR-CPS.

I think we need to be careful WRT to routes to roots. Roots are anycast, and since most of us local-pref TR-CPS/I2, this could lead to suboptimal DNS requests, both in terms of path used, and concentrating queries to fewer serves. This may already be happening. It would be good for someone to check the I2/CPS routing tables for the root anycast prefixes.

steve

On Nov 3, 2017, at 10:48 AM, Akbar Kara <> wrote:

Steve,

Could we not ask TRCPS to carry routes to root server infrastructure? Or is the assumption that campus has lost TRCPS too!

Alternatively, it would be interesting to run quagga on AWS vm (that has a path to commodity) and have quagga vm NAT packets originating from your campus DNS that are destined to external DNS.  Maybe something will break... One could do this test for the cost of a latte 😀

/ak

 +1 214-392-2717 | LEARN NOC: +1 866-647-8728  |  

On Nov 3, 2017, at 8:56 AM, Steven Wallace <> wrote:

In some of my uses cases, it ensure the resolver continues to have access to the authoritative name server.

For example, caching the TLD entry that points to canvas’s name server (which happens to be hosted in AWS), ensures my resolver is able to refresh its cache for canvas’s domain.

steve

On Nov 2, 2017, at 9:44 PM, Bill Owens <> wrote:

It sounds as though this would solve many problems in your isolated campus scenario, but I wonder about the side effects on providers who load balance by returning different DNS results. It’s not uncommon to see 60-second TTLs in records from cloud providers, sometimes even shorter. I think it is unlikely that the server behind whatever A record BIND decided to stick with would simply go away, but it is possible that server would be overwhelmed by the continuous load from your campus. It might be worth a discussion with your critical cloud providers, if they’re willing to discuss that ‘secret sauce’.

Bill.

On Nov 2, 2017, at 11:00 AM, Steven Wallace <> wrote:

It’s going to get better. BIND 9.12 (currently in beta, GA due out end of year?) supports “serve stale” (see: https://tools.ietf.org/html/draft-tale-dnsop-serve-stale-02). Serving Stale Data to Improve DNS Resiliency - does what you’d expect. If the resolver can’t update a cached entry, it responsed with the its current cached entry. BTW, this would have mitigated the October Dyn outage, which left many in the community without access to Box, PayPal, etc., despite the fact that we had working network paths to these service providers.

-- 

===============================================
David Farmer               
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota   
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
=============================================== 

-- 

===============================================
David Farmer               
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota   
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
=============================================== 

--

===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================