
netsec-sig - Re: [Security-WG] [NTAC] Critical DNS Infrastructure

Subject: Internet2 Network Security SIG

  • From: John Kristoff <>
  • To: David Farmer <>
  • Cc: NTAC <>, "" <>, "" <>
  • Subject: Re: [Security-WG] [NTAC] Critical DNS Infrastructure
  • Date: Mon, 3 Feb 2020 13:42:11 -0600

On Mon, 3 Feb 2020 18:57:30 +0000
David Farmer <> wrote:

> > What is our goal for the R&E network regarding DNS Infrastructure?
>
> I don't really understand why this is becoming such a big deal or even
> a question worth asking. Where is this coming from? Why DNS?
>
> Kind of why I asked the question.

My answer is I don't have a goal for the R&E connections when it comes
to DNS infrastructure. It is currently a non-goal and non-issue. A
big *shrug* if you will. Maybe there should be a goal and I could be
convinced that there ought to be one, but I've not seen a convincing
argument as of yet that I should care about this.

> However there is one difference, the R&E table is frequently local
> preferenced higher than other commodity Internet paths. In most
> cases, this works well. But in the case of anycast prefixes, this may
> not always work so good, especially if the anycast instance is in
> Europe, Asian Pac, or Africa. There are usually anycast instances in
> North America, available over commodity Internet paths, even if they
> aren't in the R&E table.

This is potentially an interesting area of research to evaluate whether
this is in fact interfering with the selection algorithm strategies for a
server that prefers responses with lower round trip times.

Intuitively, the effect may be minimal as long as a response from a
nearer server instance is available via another path. I'm going to
consider actually seeing if this might be worth spending some research
time on, so thanks for raising it.

> Honestly, I'm not sure what our goal should be, especially for the
> R&E table, but at a minimum, I think I2PX should peer with as much
> DNS Infrastructure as possible.

That itself is a reasonable goal.

> But if our goal is, as some have articulated, for a campus to be
> survivable with only the R&E table,

Not a goal for me, by definition R&E connections are exactly that.
Our R&E connectivity augments commodity, often far and above
originally envisioned years ago, which is fine, but I won't be
relying on R&E to survive any time soon.

Good discussion Dave. If you're at DNS-OARC / NANOG next week, let's
continue in person with others who will be around and have insight into
these things.

John


