netsec-sig - Re: [Security-WG] [NTAC] Critical DNS Infrastructure
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- To: John Kristoff <>
- Cc: NTAC <>, "" <>, "" <>
- Subject: Re: [Security-WG] [NTAC] Critical DNS Infrastructure
- Date: Mon, 3 Feb 2020 12:57:30 -0600
On Mon, Feb 3, 2020 at 9:00 AM John Kristoff <> wrote:
> On Tue, 28 Jan 2020 22:21:06 +0000
> David Farmer <> wrote:
>
> > What is our goal for the R&E network regarding DNS Infrastructure?
>
> I don't really understand why this is becoming such a big deal or even
> a question worth asking. Where is this coming from? Why DNS?
Kind of why I asked the question.
> My view of this may be different, but I don't easily separate the Internet2 R&E
> network from other connections we have. It is just another path, a
> nice one, to a subset of reachable IP addresses.
In general, I don't disagree with this view. However, there is one difference: the R&E table is frequently local-preferenced higher than other commodity Internet paths. In most cases, this works well. But in the case of anycast prefixes, this may not always work so well, especially if the anycast instance is in Europe, Asia Pacific, or Africa. There are usually anycast instances in North America, available over commodity Internet paths, even if they aren't in the R&E table.
> > Suggested Todo list;
> > * Come up with well defined research questions and try to answer them.
>
> Not to be completely down on this work, but these seem like potentially
> interesting research questions here. Seems like the research has been
> largely anecdotal and conjecture so far however.
I've mostly been thinking about this from an operational perspective, not a research one.
I started with the hypothesis that maybe we don't want any anycast prefixes in the R&E table. Others pushed back on that saying that the existence of these services in the R&E Table has saved their bacon so to speak.
Based on the analysis I've done, now I'm much less worried at least about Root DNS Anycast, there seem to be sufficient North American instances, and a couple of non-North American instances shouldn't be a performance issue and they could provide additional resiliency.
Then based on discussions I expanded from Root DNS to TLDs as well.
Honestly, I'm not sure what our goal should be, especially for the R&E table, but at a minimum, I think I2PX should peer with as much DNS Infrastructure as possible.
But if our goal is, as some have articulated, for a campus to be survivable with only the R&E table, then we probably need Reverse DNS and a few other TLDs that are not currently available in the R&E table. I'm not convinced this is necessary, but I didn't feel I could summarily dismiss the idea either. So, I decided to look at what it would take.
> I'd be interested in more comments, thanks.
>
> John
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
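The local-preference point made in the message above, as an added worked example that is not part of the thread and is not anyone's production policy: a toy BGP decision process in which a blanket higher LOCAL_PREF on the R&E table sends an anycast DNS prefix to a distant instance even though a shorter commodity path reaches a North American one, and in which a per-prefix exemption (an assumed mitigation, not one the thread proposes) lets AS_PATH length decide instead. The prefixes (RFC 5737 documentation ranges), AS numbers (RFC 5398 documentation range), instance cities and LOCAL_PREF values are all constructed for the example.

```python
# Added example, not from the thread or any participant's code: a toy BGP
# decision process showing how a blanket higher LOCAL_PREF on the R&E table
# pulls an anycast DNS prefix to a distant instance, and how a per-prefix
# exemption lets AS_PATH length decide instead. Prefixes (RFC 5737), AS
# numbers (RFC 5398 documentation range), instance cities and LOCAL_PREF
# values are all constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: str      # destination prefix
    table: str       # "R&E" (Internet2 routes) or "commodity" (transit routes)
    as_path: tuple   # AS_PATH as received; leftmost ASN is the neighbour
    instance: str    # which anycast instance this path actually lands on
                     # (not visible in BGP; supplied here to make the
                     # consequence of the choice explicit)


# Assumed site policy: anything learned from the R&E table is preferred.
DEFAULT_LOCAL_PREF = {"R&E": 200, "commodity": 100}
NEUTRAL_LOCAL_PREF = 100


def local_pref(path, exempt_prefixes=frozenset()):
    """LOCAL_PREF assigned on import. Prefixes listed in exempt_prefixes
    (assumed to be known anycast DNS prefixes) get a flat value on both
    tables, so the decision falls through to AS_PATH length."""
    if path.prefix in exempt_prefixes:
        return NEUTRAL_LOCAL_PREF
    return DEFAULT_LOCAL_PREF[path.table]


def best_path(paths, exempt_prefixes=frozenset()):
    """Simplified BGP best-path selection: highest LOCAL_PREF wins, then
    shortest AS_PATH. On a full tie the first path in the list wins,
    standing in for the MED/IGP/router-id steps omitted here."""
    return max(paths, key=lambda p: (local_pref(p, exempt_prefixes), -len(p.as_path)))


# Constructed RIB entries for one campus router.
ANYCAST_DNS = "192.0.2.0/24"        # stands in for a root/TLD anycast prefix
ORDINARY_UNICAST = "198.51.100.0/24"

RIB = [
    # Anycast DNS prefix: the R&E path reaches a European instance via an
    # extra R&E AS; the commodity path reaches a North American instance.
    Path(ANYCAST_DNS, "R&E", (64496, 64503, 64500), "Amsterdam"),
    Path(ANYCAST_DNS, "commodity", (64497, 64500), "Chicago"),
    # Ordinary unicast prefix where the R&E path is the better one anyway.
    Path(ORDINARY_UNICAST, "R&E", (64496, 64501), "n/a"),
    Path(ORDINARY_UNICAST, "commodity", (64497, 64502, 64501), "n/a"),
]


def chosen_exit(prefix, rib=RIB, exempt_prefixes=frozenset()):
    """Return (table, instance) the router would forward prefix towards."""
    best = best_path([p for p in rib if p.prefix == prefix], exempt_prefixes)
    return best.table, best.instance


if __name__ == "__main__":
    for policy, exempt in (("blanket R&E preference", frozenset()),
                           ("anycast DNS exempted", frozenset({ANYCAST_DNS}))):
        print(policy)
        for prefix in (ANYCAST_DNS, ORDINARY_UNICAST):
            table, instance = chosen_exit(prefix, exempt_prefixes=exempt)
            print(f"  {prefix:18} -> {table:9} ({instance})")
```

With the blanket policy the anycast prefix exits via the R&E table to the Amsterdam instance while the unicast prefix is unaffected; with the exemption the anycast prefix exits via commodity to Chicago. AS_PATH length is only a rough proxy for distance, so in practice the instance a resolver actually reaches should be confirmed from the resolver itself, for example with `dig +nsid` (NSID, RFC 5001) or the CHAOS-class `hostname.bind` TXT query that most root and TLD operators answer, before deciding which prefixes, if any, to treat differently.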