
netsec-sig - [Security-WG] Critical DNS Infrastructure

Subject: Internet2 Network Security SIG

  • From: David Farmer <>
  • To: NTAC <>, ,
  • Subject: [Security-WG] Critical DNS Infrastructure
  • Date: Tue, 28 Jan 2020 16:21:06 -0600

What is our goal for the R&E network regarding DNS Infrastructure? Do we want it to be a complete lifeboat? Should the R&E network be able to run partitioned from the rest of the Internet? Or, more precisely, is the goal for a campus to remain functional if it only has access to the R&E network? I've heard comments to this effect. So, is that our goal? Including, potentially even not having access to I2PX.

Assuming that as our goal, we have several of the components necessary to achieve this goal. We have a nice selection of Root server instances, and a good number of TLDs exist in the R&E table already, especially CCTLDs. However, several critical TLDs do not, or their instances in the R&E table are not located within North America.

Particularly, we don't have .arpa, .gov, .org, or .us TLDs in the R&E table, and the instance of .ca in the R&E table is in Europe. While US Higher Education primarily uses the .edu TLD, many associated websites are in .org, our K12 and government partners are frequently in .gov or .us TLDs, and .arpa is frequently necessary for reverse lookups.

Indiana recently made .com, .net, and .edu TLD instances available. A good number of important CC TLDs are available as MREN announces Netnod's Chicago anycast servers (IPv4 only) into the R&E table, others are sprinkled around a few other R&E networks, and a couple are hosted on cloud providers that are currently in the R&E table.

Root Server Summary
- There are 6 North American Root server instances (B, E, H, I, J, L) currently in the R&E table.
- There are 2 non-North American Root server instances (K, M) currently in the R&E table.
- There are 5 Root server instances (A, C, D, F, G) not currently in the R&E table; the C and G instances are not available in I2PX either.

TLD Summary
- Including .com, .edu, .net, .ch, .de, .fr, .eu, .hk, .it, .no, and .nz, there are 79 unique TLDs available via North American instances in the R&E table.
- There are 212 unique TLDs available globally in the R&E table, with 120 being CCTLDs.
- Target TLDs missing or needing North American instances in the R&E table: .gov, .org, .ca, .uk, .us

Suggested Todo list:
- Create BGP Communities to tag Critical DNS Infrastructure, for both R&E and I2PX.
- Work with Neustar to get a .us and .uk instance in the R&E table.
- Work with MREN and Netnod to upgrade Chicago anycast node to include IPv6.
- Ask SURFnet to provide IPv4 covering prefix for K-Root, as they do for the IPv6 covering prefix.
- Work with Packet Clearing House (PCH) to get an instance of their TLDs in the R&E table, maybe leaking them from I2PX.
- Peer ARIN with Internet2 R&E and I2PX, maybe leak from I2PX into R&E.
- Ask SURFnet or NORDUnet to transit RIPE to Internet2 R&E or I2PX.
- Ask AARNet to transit APNIC to Internet2 R&E or I2PX.
- Peer I2PX with as many DNS Infrastructure Providers as possible in North America.

Attached is a Google sheet: the first tab is Root Server details, the second tab is ARPA Reverse DNS details, the third tab has details for the original 7 TLDs, the fourth tab provides details for several other important TLDs, the fifth tab lists all TLDs in the R&E table by region, the sixth tab lists TLDs available from many providers, and the seventh tab is a peering matrix for many of the providers listed in the sixth tab.


Questions or comments please
--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
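
One way to audit the "lifeboat" goal raised in the message above, as an added example that is not part of the original e-mail: for each zone, check per address family whether at least one authoritative server address falls inside a prefix present in the R&E table. The prefixes, zone names and addresses are constructed from documentation ranges and are assumptions, not real routing state.

```python
import ipaddress

# Constructed sample data (documentation ranges), standing in for a dump of
# the prefixes present in the R&E routing table. Not real routing state.
RE_TABLE = ["0.0.0.0/0", "192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Hypothetical zones and the addresses of their authoritative name servers.
ZONES = {
    "alpha.example.": ["192.0.2.53", "2001:db8:100::53"],
    "bravo.example.": ["198.51.100.53", "2001:db8:200::53"],
    "charlie.example.": ["203.0.113.53", "198.51.100.200"],
}

def load_table(prefixes):
    """Parse prefixes, dropping default routes: they match every address
    and would hide exactly the gaps this check is meant to find."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [n for n in nets if n.prefixlen > 0]

def best_route(addr, table):
    """Longest-prefix match of one address against the table, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in table if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def coverage(zones, prefixes):
    """Classify each zone by the address families over which at least one
    of its name servers is reachable using only the given table."""
    table = load_table(prefixes)
    labels = {(True, True): "dual-stack", (True, False): "ipv4-only",
              (False, True): "ipv6-only", (False, False): "unreachable"}
    report = {}
    for zone, addrs in zones.items():
        reachable = {ipaddress.ip_address(a).version
                     for a in addrs if best_route(a, table) is not None}
        report[zone] = labels[(4 in reachable, 6 in reachable)]
    return report

if __name__ == "__main__":
    for zone, status in coverage(ZONES, RE_TABLE).items():
        print(f"{zone:20} {status}")
```

A zone reported as "ipv4-only" or "ipv6-only" stays resolvable under partition only for resolvers that have that address family, which is the kind of gap the IPv6 and covering-prefix items in the todo list address.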

