netsec-sig - [Security-WG] DNS Root Servers via R&E (Was: Re: DNS Serving Stale to the rescue?)
  • From: David Farmer <>
  • To:
  • Cc: Brad Fleming <>, Dave Diller <>, Akbar Kara <>, Bill Owens <>, NTAC <>, Kim Milford <>
  • Subject: [Security-WG] DNS Root Servers via R&E (Was: Re: DNS Serving Stale to the rescue?)
  • Date: Fri, 10 Nov 2017 09:08:13 -0600

Based on my local evaluation of DNS root server routes available to me, I have dropped several such routes learned via our Internet2 R&E peering, but not all of them. In several cases I am utilizing alternate routes learned via Internet2 TR-CPS that were significantly better than the route available from Internet2 R&E, but that were not preferred because of the higher local preference we give to R&E routes. In other cases I'm utilizing routes learned via direct local peering or Internet transit.

For the record, I'm only accepting B, H, and L roots via Internet2 R&E; I'm dropping (by origin ASN) all other DNS root servers learned via our Internet2 R&E peering. Note the B and H roots currently only have two servers each, therefore the Internet2 R&E peering provides as good or better connectivity to those roots as any other path available to me.

Further, we have a separate direct peering with GPN and learn and prefer the KanREN L-root via that path. However, in addition, I'm keeping the path learned via Internet2 R&E as a backup path to that node for robustness.

Based on my local evaluation, I have two recommendations:

1. Each regional network and/or campus should evaluate whether or not root server routes learned via their R&E peering should be preferred over other options they likely have.

2. The NTAC should consider a policy for what root server routes to accept into the Internet2 R&E route table. My recommendation is to not accept DNS root server anycast routes for nodes that are not hosted on the North American continent, particularly from International Partner R&E networks.

I believe all root server operators have at least one node hosted somewhere on the North American continent. Therefore, there is no advantage provided by accepting off-continent DNS root server routes into the Internet2 R&E route table, because there will always be a better alternate route available.
Thanks

On Fri, Nov 3, 2017 at 10:42 AM, Steven Wallace <> wrote:
Brad,

I’m thinking out loud, so I wouldn't change anything without better advice :-)

steve


On Nov 3, 2017, at 11:35 AM, Brad Fleming <> wrote:


On Nov 3, 2017, at 10:03 AM, Dave Diller <> wrote:

I think we need to be careful WRT routes to roots. Roots are anycast, and since most of us local-pref TR-CPS/I2, this could lead to suboptimal DNS requests, both in terms of path used, and concentrating queries to fewer servers. This may already be happening. It would be good for someone to check the I2/CPS routing tables for the root anycast prefixes.

MAX had an I2-facing instantiation of D-root for a while last year.  From what I remember, there really was not a lot of traffic to it, as compared to the commodity-facing ones, and they redeployed.

Kinda makes sense, due to lower visibility in an isolated network, versus worldwide.

But it did not seem to suck in a lot of traffic simply due to query concentration / localpref.

-dd


KanREN hosts and announces availability to an L-Root instance running on dedicated hardware in the Kansas City area. We announce:
2001:500:3::/48
2001:500:9e::/47
2001:500:9f::/48
to TR-CPS as well as R&E. They requested we announce the prefixes at all peering points; however, it might make sense for us to withdraw the paths from I2 routing tables simply to avoid the situation Steve points out.

I don’t wanna drag the thread too far off its original purpose so feel free to hit me up unicast with any profanity-laden emails about our backwater, harebrained schemes. :D
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
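The route evaluation David Farmer describes above (R&E paths win on local preference even when a shorter path exists elsewhere, so root routes learned via R&E are dropped by origin ASN), worked through as an added example that is not part of the thread. The route table, the private-range AS numbers, and the "RE"/"TRCPS"/"transit" peering labels are constructed; only the 2001:500:3::/48 L-root prefix comes from Brad Fleming's message.

```python
from collections import defaultdict

# Local-preference policy from the thread: Internet2 R&E beats TR-CPS beats transit.
LOCAL_PREF = {"RE": 300, "TRCPS": 200, "transit": 100}

# Origin ASNs allowed to be learned via R&E (placeholder, not any real operator's ASN).
RE_ORIGIN_ALLOW = {65030}

# Constructed route table as (prefix, peering learned on, AS path); the last AS-path
# element is the origin. 2001:500:3::/48 is the L-root prefix quoted in the thread;
# the 2001:db8::/32 prefixes are documentation-range stand-ins for other root nodes.
ROUTES = [
    ("2001:500:3::/48", "RE", (65001, 65030)),
    ("2001:500:3::/48", "TRCPS", (65002, 65030)),
    # off-continent node: a long R&E path wins purely on local-pref
    ("2001:db8:1::/48", "RE", (65001, 65100, 65200, 65040)),
    ("2001:db8:1::/48", "TRCPS", (65002, 65040)),
    ("2001:db8:1::/48", "transit", (65003, 65040)),
    ("2001:db8:2::/48", "RE", (65001, 65050)),
    ("2001:db8:2::/48", "transit", (65003, 65050)),
    # node learned only via R&E: dropping it would leave the prefix unreachable
    ("2001:db8:4::/48", "RE", (65001, 65060)),
]

def bgp_best(paths):
    """Best path by the two BGP tie-breakers that matter here: highest local-pref,
    then shortest AS path (paths are (prefix, peering, as_path) tuples)."""
    return max(paths, key=lambda p: (LOCAL_PREF[p[1]], -len(p[2])))

def drop_re_by_origin(paths, allow):
    """Keep R&E-learned paths only when their origin ASN is on the allowlist."""
    return [p for p in paths if p[1] != "RE" or p[2][-1] in allow]

def evaluate(routes, allow):
    """Per prefix: (best peering before, best peering after, AS hops saved).
    The last two are None when the filter would leave the prefix unreachable."""
    by_prefix = defaultdict(list)
    for route in routes:
        by_prefix[route[0]].append(route)
    report = {}
    for prefix, paths in by_prefix.items():
        before = bgp_best(paths)
        kept = drop_re_by_origin(paths, allow)
        if not kept:
            report[prefix] = (before[1], None, None)
            continue
        after = bgp_best(kept)
        report[prefix] = (before[1], after[1], len(before[2]) - len(after[2]))
    return report
```

Run `evaluate(ROUTES, RE_ORIGIN_ALLOW)` against a table exported from your own routers to see which root prefixes would move, by how many AS hops, and which would be lost outright if the R&E path were the only one.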
