
netsec-sig - Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative

Subject: Internet2 Network Security SIG

  • From: Steve Wallace <>
  • To: Nick Lewis <>
  • Cc: "" <>, "" <>
  • Subject: Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative
  • Date: Thu, 5 Dec 2019 17:57:24 +0000

Hi Nick,

I agree. I was trying to separate campus resolver/DNS deployment practices, which would more likely impact services such as authentication, from the need to have access to a DNS hierarchy that may require different connectivity from a service. I also wanted to highlight the need to consider the TLDs when thinking about access to root servers.

To further complicate things, there are local configuration changes (e.g., enabling Serve Stale) that can mitigate loss of connectivity to the larger DNS hierarchy.

So my thinking is that there are campus design and operational practices that can impact the resiliency of the local DNS/resolver services, as well as external connectivity and placement of the DNS hierarchy that can impact resiliency of recursive lookups. A good approach would include considering both.

Steve
 


From: Nick Lewis <>
Sent: Thursday, December 5, 2019 12:40:32 PM
To: Steve Wallace <>
Cc: <>; <>
Subject: Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative
 

Hi Steve,

 

I agree that Canvas, or the campus LMS, is one of the most critical services, but the impact of an outage on DNS to a campus authentication infrastructure would impact most/all campus services including cloud services. So, maybe that could be the example about why DNS is so critical?

 

Thanks,

 

Nick

 

From: <> on behalf of Steve Wallace <>
Reply-To: "" <>
Date: Thursday, December 5, 2019 at 11:14 AM
To: "" <>, "" <>
Subject: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative

 

Greetings NTAC & Security-WG,

 

We’ve heard from a number of community members the desire to leverage the Internet2 infrastructure to improve the robustness of DNS. I’d like to suggest that the NTAC and/or Security-WG consider convening motivated stakeholders to advance this idea. As a placeholder, I’ve created a high-level description. The Google Docs link will allow anyone with the link to comment. I’m happy to carry water, to help organize, coordinate, etc.

 

Grateful for responses to the following:

 

Is this on-target? If not, how should it be changed?

How can I2 staff best move this forward?

 

Thanks,

 

Steve

 

 

https://docs.google.com/document/d/1sV1JVDwRilAfmizq-wi52JsoMLX-vyw2mFA5GF4aoIE/edit?usp=sharing

 

DNS Resilience Initiative

 

Purpose

This initiative's goal is to improve the Internet2 community's DNS resiliency.

 

Background

DNS is a crucial component of basic Internet connectivity. Due to its distributed nature, when the Internet is fully functioning, DNS service is typically rugged and resilient. However, during a partial Internet failure, DNS may fail in unexpected ways. Frequently the connectivity requirements of DNS differ from those of an application or service.

 

For example, a campus's ability to use Canvas (a popular learning management system hosted in the AWS cloud) requires network connectivity to AWS *and* the DNS servers for root, dot.com, and instructure.com.

 

Approach

DNS resiliency depends on campus deployment practices and connectivity to the hierarchy of external DNS servers. Through this initiative, we'll collect and share campus deployment practices, as well as identify opportunities to improve the connectivity to the DNS hierarchy made possible by leveraging the Internet2, regional, and campus networks.

 

 



