Internet2 Network Security SIG

[Steve Wallace <>]

Greetings NTAC & Security-WG,

 

We’ve heard from a number of community members the desire to leverage the Internet2 infrastructure to improve the robustness of DNS. I’d like to suggest that the NTAC and/or Security-WG consider convening motivated stakeholders to advance this idea. As a placeholder, I’ve created a high-level description. The google docs link will allow anyone with the link to comment. I’m happy to carry water, to help organize, coordinate, etc.

 

Grateful for responses to the following:

 

Is this on-target? If not, how should it be changed?

How can I2 staff best move this forward?

 

Thanks,

 

Steve

 

 

https://docs.google.com/document/d/1sV1JVDwRilAfmizq-wi52JsoMLX-vyw2mFA5GF4aoIE/edit?usp=sharing

 

DNS Resilience Initiative

 

Purpose

This initiative's goal is to improve the Internet2' community's DNS resiliency.

 

Background

DNS is a crucial component of basic Internet connectivity. Due to its distributed nature, when the Internet is fully functioning, DNS service is typically rugged and resilient. However, during a partial Internet failure, DNS may fail in unexpected ways. Frequently the connectivity requirements of DNS differ from those of an application or service.

 

For example, a campus's ability to use Canvas (a popular learning management system hosted in the AWS cloud), requires network connectivity to AWS *and*  the DNS servers for root, dot.com, and instructure.com.

 

Approach

DNS resiliency depends-on campus deployment practices and connectivity to the hierarchy of external DNS servers. Through this initiative, we'll collect and share campus deployment practices, as well as identify opportunities to improve the connectivity to the DNS hierarchy made possible by leveraging the Internet2, regional, and campus networks.