netsec-sig - Re: [Security-WG] [NTAC] Critical DNS Infrastructure
Subject: Internet2 Network Security SIG
- From: John Kristoff <>
- To: David Farmer <>
- Cc: NTAC <>, "" <>, "" <>
- Subject: Re: [Security-WG] [NTAC] Critical DNS Infrastructure
- Date: Mon, 3 Feb 2020 13:42:11 -0600
On Mon, 3 Feb 2020 18:57:30 +0000
David Farmer <> wrote:
> > What is our goal for the R&E network regarding DNS Infrastructure?
>
> I don't really understand why this is becoming such a big deal or even
> a question worth asking. Where is this coming from? Why DNS?
>
> Kind of why I asked the question.
My answer is I don't have a goal for the R&E connections when it comes
to DNS infrastructure. It is currently a non-goal and non-issue. A
big *shrug* if you will. Maybe there should be a goal and I could be
convinced that there ought to be one, but I've not seen a convincing
argument as of yet that I should care about this.
> However there is one difference, the R&E table is frequently local
> preferenced higher than other commodity Internet paths. In most
> cases, this works well. But in the case of anycast prefixes, this may
> not always work so good, especially if the anycast instance is in
> Europe, Asian Pac, or Africa. There are usually anycast instances in
> North America, available over commodity Internet paths, even if they
> aren't in the R&E table.
This is potentially an interesting area of research to evaluate whether
this is in fact interfering with the selection algorithm strategies for a
server that prefers responses with lower round trip times.
Intuitively, the effect may be minimal as long as a response from a
nearer server instance is available via another path. I'm going to
consider actually seeing if this might be worth spending some research
time on, so thanks for raising it.
> Honestly, I'm not sure what our goal should be, especially for the
> R&E table, but at a minimum, I think I2PX should peer with as much
> DNS Infrastructure as possible.
That itself is a reasonable goal.
> But if our goal is, as some have articulated, for a campus to be
> survivable with only the R&E table,
Not a goal for me, by definition R&E connections are exactly that.
Our R&E connectivity augments commodity, often far and above
originally envisioned years ago, which is fine, but I won't be
relying on R&E to survive any time soon.
Good discussion Dave. If you're at DNS-OARC / NANOG next week, let's
continue in person with others who will be around and have insight into
these things.
John