RIPE 60

RIPE Meeting: 60
Working Group: DNS
Status: Final
Revision Number: 1

Prague
Thursday, 6 May 2010

Session 1

Date: Thursday, 6 May 2010
Time: Session 1, 11:00 - 12:30
Chair: Jaap Akkerhuis
Minutes: Adrian Bedford
Jabber: Vesna Manojlovic

Jaap welcomed attendees and started the session by dealing with administrative matters.

There were no comments on the RIPE 59 Minutes, so these were declared final; the webpage will be updated.

Action Items were reviewed. Currently, there are no open issues.

IETF Reports - Matthijs Mekking

Dmitry Burkov remarked that the example given by Matthijs for .ru was an incorrect example; it was in fact the one for China. He asked if it could be corrected in the published presentation.

Another audience member pointed out that there were already three other proposals for "cloning" DNS zones.

Given that this sort of presentation has been given at the DNS WG sessions for some time, WG co-chair Peter Koch asked the audience if they found the material useful. He noted that these are documents with operator-relevant content and asked for a show of hands on how many follow the IETF lists; around 20% indicated they do.

Another attendee noted that the draft on TCP was not mentioned and that, given it is designed to reduce the load on DNS servers as DNSSEC is deployed, maybe it should be on the radar. There is no IETF work around this at the moment, but if the DNS community feels there is an issue with the load or maintenance around TCP, then maybe it should be included in future.

At the Corner of Registration Operations and DNS Operations - IETF Report ire & regops - Ed Lewis

Jim Reid expressed concern about the escrow exercise. Nothing was said about financial data; was this to be in or out of scope? Ed felt this was probably not in scope, but in the absence of a charter he couldn't say for sure. He would be against it, but if enough people wanted it to be in play, it would be.

The RIPE NCC DNSMON Service - Franz Schwarzinger

Franz gave a short presentation and showed screenshots of recent developments to the RIPE NCC DNSMON service.

There was a question about the backend message processing system. Franz explained that DNSMON uses RabbitMQ with a Python framework. After a short discussion on the system, Franz offered to discuss the set-up offline.

Sebastian Castro asked if the RIPE NCC had considered providing an interface that would allow users to access raw data. Noting that the backend is a RESTful API, Franz agreed that, in theory, this sort of data could indeed be provided to subscribers. He also pointed out that raw data is already available from the RIPE NCC website or FTP server.

Jaap pondered that, since the tool was increasingly moving to real-time data, it could be used to monitor the effectiveness of a DDoS attack against a name server. Franz replied that, given the tool was targeted at operators, they'd probably not want to DDoS their own servers!

DNS Operations at RIPE NCC - Anand Buddhdev

Following Anand's presentation, Carsten Schiefner asked why the RIPE NCC was using a separate AS for its DNS infrastructure. Anand explained that it allowed the use of independent routing policies and enabled anycasting.

Jim Reid asked about reverse zone signing for ERX space and asked for more information on the progress of this project.

Anand explained that ongoing discussions are taking place at RIR level and, as such, he has no exact timeframe for conclusion of such discussions. Andrei Robachevsky clarified matters, agreeing that such talks were ongoing as they would involve changes in the basic provisioning systems across several RIRs. The various RIRs involved are all at different stages of this. The work should have no impact on users. Andrei said he hopes to have accurate timelines by mid-year as he had already indicated in a post to the working group mailing list.

There was a question about the software and methodology used to handle load balancing. Anand indicated that the project uses OSPF load balancing, running Quagga to announce and withdraw routes. When asked whether he had considered Relay-D, Anand indicated it had been investigated, adding that he would welcome discussion on this offline. He stressed that OSPF works well because most DNS traffic is UDP-based.

At Jaap's request, Anand clarified that the lameness checks work only on the reverse tree.

The DNSSEC Testbed in DE - Peter Koch

Jim Reid asked which products are in the test bed. Peter clarified that the products were not on the authoritative side. Jim also asked whether, given that opt-out is being used at the moment, this would continue. Peter said he couldn't comment.

Ed Lewis commented on activity in signing zones, noting that transfer of large chunks of data could cause a bottleneck. He wanted to encourage incremental signing and re-use of signing. Peter agreed with much of what Ed said, but noted that the experience of sending large chunks of data enabled the system to feel the pain that might happen if a whole zone needs to be transferred at any point in the future. He did confirm that the system will be further refined for production use.

Session 2

Date: Thursday, 6 May 2010
Time: Session 2, 14:00 - 15:30
Chair: Peter Koch
Minutes: Adrian Bedford
Jabber: Alex Band

The chair welcomed everyone to the second session, went through the agenda and introduced the first speaker.

An OARC Update - Wayne MacLaurin

OARC's new Executive Director provided an update that was well received and no questions followed.

DNSSEC Support by Home Routers - Thorsten Dietrich

Jim Reid asked if there was any plan to do these surveys on a regular basis. Thorsten replied that the survey may be revisited in a few years' time. Jim suggested his department consider offering some kind of DNSSEC tick box to indicate that products were DNSSEC-capable.

Thorsten liked the idea, but stressed that German competition law doesn't allow the naming of individual manufacturers. Jim wondered if some other non-federal agency might be able to take this on and be less liable to such restriction.

Olaf Kolkman sensed the 'name and shame' issue had been considered, adding support to having one place where customers might find certification about devices that allow DNSSEC or general protocol awareness such as IPv6. He also appreciated that this might not be a job for a government-backed agency.

Olaf also asked if there was any data on how many DNS-aware resolvers are hidden behind DSL modems. Thorsten said they did not have that information, noting that much of the data on the topic is anecdotal.

Olaf noted that it will take quite some time for devices in homes to disappear. In turn, this would affect the speed at which DNSSEC can move to operating systems. He encouraged keeping up the pressure.

Thorsten agreed with a suggestion from Ondrej Sury to circulate results to national registries to allow improved configuration within databases.

Peter Koch noted that the market share of devices had not been taken into account. He asked if Thorsten could say anything on manufacturer market share. Thorsten noted that much of this was largely hearsay.

Carsten Schiefner commented that AVM had announced they were now IPv6-aware with their latest equipment, and this might give hope that they would follow on by becoming DNSSEC-aware too.

News from OpenDNSSEC - Matthijs Mekking

In response to a question on the software behind the OpenDNSSEC EPP client, Matthijs confirmed the team behind it had to build their own software, and this had been geared to the needs of the Swedish registry.

Dmitry Burkov asked about support for GOST in SoftHSM. Matthijs responded that they are waiting on PKCS#11 version 2.30, which has GOST support. He did not know when this would be ready, as there was no indication of when it would appear.

Stéphane Bortzmeyer asked if there was any ETA for version 2.0 of OpenDNSSEC. Matthijs said that version 1.2 was planned for August 2010 and version 2.0 for December 2010. He did, however, note that these deadlines were subject to change.

DNSSEC for Humans - Joao Damas

Jim Reid felt there was still much work to be done on signing tools. He realised that what Joao presented was a first step. One thing he was unhappy with in BIND 9.7 was the gratuitous and forced installation of /etc/bind.keys, even when the server did not support DNSSEC or when it had no use for DLV. Forcing this file on users would create confusion and administrative problems: for example, by installing an unwanted and often unnecessary configuration file that bypassed local configuration management repositories and change control procedures. Joao accepted this as a valid comment.

Olaf asked if SoftHSM had been tested. Joao thought that such tests had been carried out, but was unsure of the results. Olaf suggested there would be no shortage of people willing to work together on this.

In response to a question on how the automated checking for zone expiry worked, Joao confirmed it was done by the named daemon itself and confirmed there was no plan to separate privileges within BIND. A possible solution would be to run two BIND instances.

A Firefox DNSSEC Validator Plug-in - Ondrej Sury

Carsten Schiefner asked if there had been contact with the Mozilla Foundation to have this natively built into Firefox rather than have it as an add-on. Ondrej replied that this would only happen after the system library obtains support for EDNS by default.

Signing ARPA's Children - Dave Knight

Peter Koch questioned how the request to sign the children of .arpa was to be sanctioned. Dave confirmed that authorisation was requested to modify .arpa through the insertion of datasets for these zones. Peter asked how far this authority might trickle down the tree. Dave felt unable to comment.

When asked if the KSK rollovers will also be used for the root, Dave said this would not be the case.

Last Root Server DURZed - Did the sky fall? - Dave Knight

Jim Reid offered a vote of thanks to all those involved in this global project.

Sebastian Castro echoed the concern voiced on some DNS operations mailing lists that problems could still come up in the next few days. He asked if the root operations team planned to capture priming queries. Dave confirmed that these have been captured since January and will continue to be captured.

Jaap Akkerhuis dismissed pessimistic talk about new problems popping up at this late stage in the project, stating that they would have already manifested themselves earlier on.

Anycast IPv4+IPv6 DNS in .CZ - Jaromir Talir

Carsten Schiefner wondered why Chile was well served while the rest of South America was not. Jaromir replied that these are new results and will be looked into further.

Someone commented that many fibres in South America go north and back again due to the lack of exchange points. It was also noted that there were sometimes poor routing policies in the region.

A.O.B.

Nothing extra.