netsec-sig - Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative
  • From: John Kristoff <>
  • To: Steve Wallace <>
  • Cc: "" <>, "" <>
  • Subject: Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative
  • Date: Thu, 5 Dec 2019 20:13:38 -0600

On Thu, 5 Dec 2019 16:12:46 +0000
Steve Wallace <> wrote:

> We’ve heard from a number of community members the desire to leverage
> the Internet2 infrastructure to improve the robustness of DNS. I’d
> like to suggest that the NTAC and/or Security-WG consider convening
> motivated stakeholders to advance this idea. As a placeholder, I’ve
> created a high-level description. The google docs link will allow
> anyone with the link to comment. I’m happy to carry water, to help
> organize, coordinate, etc.

I may have been someone who made such a suggestion, but I don't really
recognize what is in this document so I'm not so sure. To be frank,
the little text in the document is too vague for me to really know what
this is trying to accomplish.

What I would like Internet2 to help with in the DNS space is not
connectivity to root or TLDs, but with operating or hosting member name
spaces. Purchasing power advantage to vendors who might consider
resilience a key feature, such as Cloudflare, Akamai, Dyn, Neustar, etc
might be useful. I'm not sure I personally would buy into it, but lots
of institutions should consider it. I've looked at enough .edu zones
over the years to say that with some confidence, most recently:

<https://blog.apnic.net/2018/08/29/dns-inconsistency/>

Alternatively, an Internet2 owned and operated authoritative,
secondary, or resolver service might also be a worthwhile member
benefit to take advantage of. If Internet2 could run some anycast
instances for us to secondary on as part of our membership fee or for
a nominal fee, that would be really, really nice.

I don't have any data to back this up at the moment, but low hop/latency
access to roots and TLDs is generally not something I worry about these
days. Most of the important authoritative servers seem to be
sufficiently available and reachable within a reasonable amount of
time. Getting local copies of more popular zones beneath those however
could be very beneficial.

If I thought I could get some funding to build it, I might try to
design a service whereby at least one of the associated A/AAAA RRs for
popular NS RRs could be anycast within organization networks so that
really low latency and high availability to the zones we care about are
widely distributed and available. I might be available if anyone wants
to gamble and pony up. :-)

John
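The message points at the APNIC "DNS inconsistency" post and at the value of an off-net secondary. The following is an added example, not code from this thread or from Internet2, of the offline checks a zone operator could run over its own delegation data before deciding whether such a service would help: parent/child NS agreement, NS count, missing addresses, IPv4 network diversity, IPv6 presence, and whether every name server sits inside the zone's own name space. The `ZoneDelegation` structure, the finding codes and the sample zones (`example.edu`, `other.edu`, with RFC 5737/3849 documentation addresses) are all constructed for the example; nothing is queried on the network.

```python
"""
Added example (not from the original thread): offline resilience checks on a
zone's delegation. Sample data is constructed; nothing is looked up on the
network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ZoneDelegation:
    zone: str                   # e.g. "example.edu"
    parent_ns: frozenset        # NS names the parent (TLD) publishes
    child_ns: frozenset         # NS names in the zone's own apex NS RRset
    addresses: dict             # NS name -> list of A/AAAA address strings


def check_delegation(d, min_ns=2, min_v4_nets=2):
    """Return a list of (code, detail) findings; an empty list means no issue found."""
    findings = []

    # 1. Parent and child must agree on the NS set (the "DNS inconsistency" case).
    if d.parent_ns != d.child_ns:
        only_parent = sorted(d.parent_ns - d.child_ns)
        only_child = sorted(d.child_ns - d.parent_ns)
        findings.append(("NS_MISMATCH",
                         f"parent-only={only_parent} child-only={only_child}"))

    # 2. Enough name servers to survive the loss of one.
    if len(d.child_ns) < min_ns:
        findings.append(("TOO_FEW_NS", f"{len(d.child_ns)} < {min_ns}"))

    # 3. Every advertised NS must resolve to at least one address.
    v4, v6 = [], []
    for ns in sorted(d.child_ns):
        addrs = d.addresses.get(ns, [])
        if not addrs:
            findings.append(("NS_NO_ADDRESS", ns))
            continue
        for a in addrs:
            (v6 if ip_address(a).version == 6 else v4).append(a)

    # 4. IPv4 servers spread over more than one /24 (crude proxy for network diversity).
    nets = {ip_network(f"{a}/24", strict=False) for a in v4}
    if v4 and len(nets) < min_v4_nets:
        findings.append(("SINGLE_V4_NETWORK", ", ".join(str(n) for n in nets)))

    # 5. Dual-stack reachability.
    if not v6:
        findings.append(("NO_IPV6", "no AAAA address on any NS"))

    # 6. All NS inside the zone itself: an outage of the zone's own network takes
    #    every server down; an off-net secondary avoids this.
    suffix = "." + d.zone.rstrip(".").lower()
    if d.child_ns and all(ns.rstrip(".").lower().endswith(suffix) for ns in d.child_ns):
        findings.append(("ALL_IN_BAILIWICK", "no out-of-zone secondary"))

    return findings


def codes(findings):
    """Distinct finding codes, sorted, for summarising a check run."""
    return sorted({code for code, _ in findings})


# Constructed sample delegations (RFC 5737 / RFC 3849 documentation addresses).
GOOD = ZoneDelegation(
    zone="example.edu",
    parent_ns=frozenset({"ns1.example.edu", "ns2.example.edu", "ns.secondary.example"}),
    child_ns=frozenset({"ns1.example.edu", "ns2.example.edu", "ns.secondary.example"}),
    addresses={
        "ns1.example.edu": ["192.0.2.10", "2001:db8::10"],
        "ns2.example.edu": ["198.51.100.20", "2001:db8:1::20"],
        "ns.secondary.example": ["203.0.113.30", "2001:db8:2::30"],
    },
)

WEAK = ZoneDelegation(
    zone="other.edu",
    parent_ns=frozenset({"ns1.other.edu", "ns2.other.edu"}),
    child_ns=frozenset({"ns1.other.edu", "ns2.other.edu", "ns3.other.edu"}),
    addresses={
        "ns1.other.edu": ["192.0.2.1"],
        "ns2.other.edu": ["192.0.2.2"],
        # ns3 is listed in the apex NS RRset but has no address record at all
    },
)

if __name__ == "__main__":
    for d in (GOOD, WEAK):
        print(d.zone, check_delegation(d) or "OK")
```

Feeding the checker with real data means collecting the parent's NS RRset from the TLD servers and the child's from the zone's own servers separately; the example keeps both as plain inputs so the comparison logic can be exercised without a resolver. The /24 heuristic is deliberately crude; an operator with routing data would substitute AS or prefix diversity.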
