netsec-sig - Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative
Subject: Internet2 Network Security SIG
List archive
Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative
Chronological Thread
- From: Andrew Gallo <>
- To: ,
- Subject: Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative
- Date: Thu, 5 Dec 2019 15:25:11 -0500
I'll share a recent effort I completed mapping out how we get to the root name servers. I only focused on the roots; I realize that in order to resolve a name, you have to traverse more servers, but just as a first look at how we're connected to critical infrastructure, I found this informative.
I mapped out our paths to each of the roots (see two attached graphviz graphs) and also counted the number of 'exit' points (number of physical exit points, and number of 1st hop ASNs- we have a lot of bi-lateral peers reachable via a peering switch).
I'd say, we're pretty well positioned for access to the roots.
I'd be happy to discuss my methodology, and how others might use the script I wrote.
Thanks.
On 12/5/2019 11:12 AM, Steve Wallace wrote:
Greetings NTAC & Security-WG,
We’ve heard from a number of community members the desire to leverage the
Internet2 infrastructure to improve the robustness of DNS. I’d like to
suggest that the NTAC and/or Security-WG consider convening motivated
stakeholders to advance this idea. As a placeholder, I’ve created a
high-level description. The google docs link will allow anyone with the link
to comment. I’m happy to carry water, to help organize, coordinate, etc.
Grateful for responses to the following:
Is this on-target? If not, how should it be changed?
How can I2 staff best move this forward?
Thanks,
Steve
https://docs.google.com/document/d/1sV1JVDwRilAfmizq-wi52JsoMLX-vyw2mFA5GF4aoIE/edit?usp=sharing
DNS Resilience Initiative
Purpose
This initiative's goal is to improve the Internet2' community's DNS
resiliency.
Background
DNS is a crucial component of basic Internet connectivity. Due to its
distributed nature, when the Internet is fully functioning, DNS service is
typically rugged and resilient. However, during a partial Internet failure,
DNS may fail in unexpected ways. Frequently the connectivity requirements of
DNS differ from those of an application or service.
For example, a campus's ability to use Canvas (a popular learning management
system hosted in the AWS cloud), requires network connectivity to AWS *and*
the DNS servers for root, dot.com, and instructure.com.
Approach
DNS resiliency depends-on campus deployment practices and connectivity to the
hierarchy of external DNS servers. Through this initiative, we'll collect and
share campus deployment practices, as well as identify opportunities to
improve the connectivity to the DNS hierarchy made possible by leveraging the
Internet2, regional, and campus networks.
Attachment:
PathTo_2001-500-3--42_27Aug2019-1432.png
Description: PNG image
Attachment:
PathTo_192.58.128.30_27Aug2019-1431.png
Description: PNG image
Attachment:
root-servers_ASN.xlsx
Description: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
- [Security-WG] Based on community input, suggesting an DNS Resilience Initiative, Steve Wallace, 12/05/2019
- Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative, Nick Lewis, 12/05/2019
- Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative, Steve Wallace, 12/05/2019
- Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative, Brad Fleming, 12/05/2019
- Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative, Andrew Gallo, 12/05/2019
- Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative, Karl Reuss, 12/06/2019
- Re: [Security-WG] Based on community input, suggesting an DNS Resilience Initiative, Nick Lewis, 12/05/2019
Archive powered by MHonArc 2.6.19.