- content to the Chair of the working group.
- format to webmaster _at_ ripe _dot_ net.
DNS Working Group
Session 1 - 12 October 2005
Chaired by Peter Koch
Scribe: Adrian Bedford
A & B - Administrative Matters:
The group approved the minutes from RIPE 50 with no changes:
Updates were provided for the various action points outstanding for the group.
48.1: Peter Koch sent a draft to the working group mailing list before RIPE 50. After detailed feedback from Ed Lewis, the proposal is to be redrafted. Peter hopes to have made progress on this by RIPE 52. Status - Ongoing.
48.2: Måns Nilsson is negotiating on funding to revise the wording of his proposal. Although this is currently stalled, he hopes to be able to sort this out within the coming two months and provide a rough draft in time for RIPE 52. Status - Ongoing.
48.4: David Malone agreed to continue to provide updates on his work. There has been no draft circulated as yet. Status - Ongoing.
49.1: Peter is stalled on this. A proposal was sent to the NCC Services Working Group Mailing List. Peter encouraged members of the DNS WG to investigate this. Status - Ongoing.
49.2: A small group is working on this, but has not yet got too far. Jim Reid hopes to incorporate changes suggested by Fernando Garcia to a Draft RIPE Document by the end of October. Status - Ongoing.
50.1: This will be covered by a presentation at this session from Lorenzo Collitti. Status - Ongoing.
50.2: This has been completed. Jim explained the background. It appears to have come down to a misunderstanding and subsequent poor communication from the IANA. A problem with zone generation for the root zone when communicated suggested a change in IANA policy. This was in fact not the case. IANA fixed the issue and promised that greater care will be taken with future communication. All letters sent to IANA and their replies are available within the mail archive of this working group. Status - Done.
C1. IETF DNS Report – DNSEXT and DNSOP
Olaf Kolkman - NLnetLabs:
Olaf gave updates on IETF Working Group documents for both DNEXT and DNSOP.
C2. IETF CRISP WG
Marcos Sanz - DENIC
Marcos provided an update from an IETF meeting that recently took place in Paris, looking at different documents related to the deployment of CRISP. There were no slides.
AREG - The Address Registry profile for IRIS reached Version 12 and Last Call was over at the end of September. Some IESG comments will lead to a further edit and a new version will soon be available. This is close to becoming an RFC.
DCHK - This is a paper dealing with a lightweight version of IRIS running on top of LWZ (A UDP transport for IRIS). Documents are advancing.
XPC - There are no BEEP large-scale deployments, this meets a need for an alternative, simpler transport for IRIS. It is based on TCP with a small binary header.
RREG - Routing Registry profile for IRIS. This is an individual draft and not a working group draft. It provides information about prefixes, Autonomous Systems and contacts. The purpose of the document remains unclear; maybe a mirroring mechanism is what Internet routing registries actually need. Discussion goes on, whether to adopt it into the CRISP working group.
Additionally, the .br TLD registry announced their DCHK and LWZ implementations.
Shane Kerr commented that those interested in the RIPE NCC deployment of IRIS should attend the Database Working Group session on Friday morning.
C3. EPP – The Next Step
Jaap Akkerhuis – on behalf of Scott Hollenbeck - Verisign
Jaap outlined work by Scott to improve the quality of papers and move them to draft status, using the ietf-provreg _at_ cafex _dot_ se mailing list. He emphasized that Scott welcomes all comments, questions and feedback from the group.
Peter Koch announced that Policy Proposal 007 (DNSSEC) had now completed its run through the formal Policy Proposal Process and the chairs of the DNS WG had decided that there had been no formal objections. They declared consensus had been reached.
Peter asked if the group found updates from IETF useful. He requested feedback on this after the session. Peter also let the group know that the co-chairs welcomed any suggestions of things that the group would like to see discussed or presented at future RIPE Meetings.
D: Effect of anycast on K-root: early results
Lorenzo Colitti – RIPE NCC
After the presentation, Ladislav Vobr asked about whether anycast technology had been tested before being put into production on K-root. There was interest in how testing had been done and what convinced those behind the project that it was suitable?
Daniel Karrenberg, who was involved in the development, explained that the main goal was resilience. The motivation was to increase the protection against Distributed Denial of Service (DDoS) attacks. Prior to deployment, the setup underwent testing. A discussion followed about the merits of anycast and DNS over TCP, with questions asked about whether UDP would be a more appropriate protocol to investigate persistent switching and packet fragmentation. As chair of this session, Peter Koch stated that he felt that it had been discussed at length in the past and added this should be taken up out of this session, as time was limited. The previous discussion is available in the mailing list archive. It was suggested that the RIPE NCC might consider a presentation on how anycasting is working out at RIPE 52.
Jim Reid picked up on the scientific paper that Lorenzo mentioned. He asked if this might be published as a RIPE Document. Lorenzo did not see any reason why it could not be.
E: DNS Guru Contest
Carsten Strotmann -- Men & Mice
Carsten encouraged everyone to log on, take the DNS Guru test, and provide feedback. Olaf Kolkman asked about prizes for those taking part.
Session 2 - 13 October 2005
Chaired by Jim Reid
Scribe: Adrian Bedford
Carsten Strotmann announced that there was a prize for those who took part in the DNS Guru Test. He explained that there are polo shirts available to the ten people who score highest.
F: DNS Restructuring Update at the RIPE NCC
Brett Carr – RIPE NCC
Mohsen Souissi of AFNIC commented that while deploying DNSSEC, one of his servers had encountered problems. It caused some fragmentation for IPv6 when using Fedora with a Symmetrical Multi-Processor front end. AFNIC had found a workaround by switching to mono-processor that worked fine. He is still awaiting feedback on a final solution from Fedora core developers.
G: Deprecation of ip6.int
Andrei Robachevsky – RIPE NCC
Peter Koch asked, how the date would be set and when the RIPE NCC would publicly announce it. Andrei replied that the RIRs had met to discuss this. The probable date they had settled on would be 1 June 2006. The date was set to be sufficiently far enough in the future to allow any discussion to follow the Policy Development Process (PDP). There will be no formal announcement until this date is certain.
Andrei asked the group how the RIPE NCC should proceed with this. He suggested three possible courses of action:
1. Just go ahead and present this as an operational issue
2. Enter the PDP system with the suggestion
3. Wait and see
Lars-Johan Liman suggested that the RIPE NCC favour the first option, this received support from those in the room and is now an action on the RIPE NCC.
H: Key Rollover Paper and Tools
Johan Ihren – Autonomica
Johan stressed that the presentation he was giving was based on his own private work with Bill Manning and was not representative of the views of Autonomica.
The presentation was followed by a live demonstration of the tool.
Mohsen Souissi asked how a network operator could be sure that data was correctly configured. He wondered if Johan planned to add additional features to the software to carry out further authentication checks. Johan explained that this would come down to the policy set by each registry. Each would still need to decide on appropriate policies or safeguards before accepting any changes, regardless of how they were submitted.
I: RIPE NCC Secondary Service Policy
Lars-Johan Liman – Autonomica
Lars-Johan raised the issue of the future of the RIPE NCC Secondary DNS Service. Axel Pawlik asked why this was being discussed within the DNS Working Group and not within NCC Services. The reply was that an agreement was made at RIPE 50 to first float the idea in this group and discuss it before taking any concrete suggestions to the other group.
Axel agreed that the proposal made by Lars-Johan made good sense. The RIPE NCC has a basic principle that it would never compete in any area where its members are offering services. Lars-Johan commented that keeping track of this must be difficult as the business plans and strategies of its members are constantly changing. Axel reiterated that he felt in this case, the situation was quite clear.
Rob Blokzijl had three remarks to make. He felt that Lars-Johan had stated that the RIPE NCC should focus purely on IP Address administration and little else. He disagreed with this, adding that this was not why the RIPE NCC was created. It was set up as a permanent secretariat to RIPE with a mandate to do coordination activities for the Internet. He added that he fully agreed that the RIPE NCC should not offer a service that a member was also offering. He then wished to clarify the history behind the offering of this service. It was most likely an activity started when there were different circumstances and was valid at a time when there was no DNS industry. He personally felt that if the membership agrees that the RIPE NCC should revisit this activity, he would offer support. He warned that he felt a gradual phase out was preferable to a sudden stop. Some African ccTLDs might find it hard to move to a fully commercial service. They may need to continue using the RIPE NCC service for some time to come. In principal, Rob feels that the NCC should go through all of the ‘non paying customers’ for the service and see how they could rationalise the list.
Daniel Karrenberg wished to explain why the RIPE NCC took over ns.eu.net. Whilst he fully agreed with the reasoning behind the proposal, he wanted to clarify some points made in the presentation. The RIPE NCC did not take on ns.eu.net as an ‘act of charity’. At the time when the system was in financial trouble, there was panic, both operationally and politically. There was much talk about greater regulatory powers being given to governments and the RIPE NCC acted to protect the stability of the Internet. Everyone agreed that it was a good thing for the RIPE NCC to do at the time. If ns.eu.net had collapsed, we would see a very different registration and regulatory environment to the one we have now. He felt that the three options offered at the end of Lars-Johan’s proposal needed modification. The options to do nothing or impose a fee and launch this as a RIPE NCC service, were both impractical and not worth pursuing. He favoured the idea of the RIPE NCC withdrawing from its ccTLD Secondary DNS Service, though agreed with earlier speakers that initially this could not be done entirely. He stated that we live in a world where stability and security of the DNS remains a political issue. He suggested we needed a fourth proposal. The community needed to ask the RIPE NCC to look at the obvious beneficiaries who are well able to procure the service commercially and politely ask them to leave. He did not feel that it would be wise to set any actual rules about who can stay and who should leave at this stage. He felt to do this would hamper the work of emerging ccTLDs, who may wish to stay with the RIPE NCC for a while. Daniel was recently in Africa and made the point that the service offering currently still delivered good PR and political benefits.
Lars-Johan accepted the points made, but warned against starting to expect any commercial service to be out of the reach financially of emerging ccTLDs. A pricing structure would have to take account of different customer needs. He felt it should not always be seen as a bad thing to force everyone into the same business model. It could work out.
Daniel Karrenberg felt that “could” was not good enough here. DNS is seen by the world as the holy grail of communication and the RIPE NCC must avoid making any unpredictable moves. He advised that any changes would need careful consideration.
Carsten Schiefner commented that if the RIPE NCC stopped serving secondary servers for ccTLDs, the ccTLDs would most likely then organise something amongst themselves. It would not follow that they would all want to start paying for a service and the problem as such would not go away. Jaap Akkerhuis wished to comment on why ns.eu.net ended up at the RIPE NCC. He recalled that at the time, it was down to a toss of the coin whether the service ended up with the RIPE NCC or SIDN. He added that he agreed with what was being suggested. He also observed that the larger ccTLD registries do indeed tend to arrange things amongst themselves. Jaap pointed out that, although he cannot speak for SIDN anymore, it always had been SIDN policy to help a limited number of ccTLD nameservers (up to around 20). As far as he knows, they still have room to do so. Antoin Verschuren of SIDN confirmed this to be the case.
Joao Damas stated that he did not feel that the market would simply go away by the RIPE NCC making changes. He thought it would be wrong to get rid of a competent player in the field. As a DNS user, his primary concern remained stability. He feared that if the service was no longer offered free of charge, some operators might be tempted to look for the cheapest possible solution, which may not always be an optimal one.
Lars-Johan understood Joao’s concerns. He felt that the only way towards a stable system in the end would be if economical drivers converged with the needs of the community. It was, he said, important that money be funnelled in the right way.
Rob Blokzijl agreed with Lars-Johan. To reach stability, he felt a sudden switch off was not the answer. He agreed with many of the other points made by speakers. He did not think that the RIPE NCC taking any action would resolve what is essentially a business problem for Lars-Johan overnight. He cautioned against any sudden moves in the current climate. Politicians could see this as rocking the boat; there remains a level of ignorance about how the Internet works. It could lead some to point fingers at the RIPE NCC for ‘selling off’ a community service.
Lars-Johan again agreed. His intent was not to stop this tomorrow. He wanted to ask if this was something that should now be considered. He agreed that simply stopping this cold was not the answer; he welcomed discussion for what was likely to be a ‘long term’ solution.
Jim Reid rounded up the discussion. He pointed out that stability of the DNS system was vital, but added that we needed to be aware of the political dimensions pointed out by Daniel. On the other hand, this could be seen as the RIPE NCC potentially competing with its member’s interests. He put it to the room and nobody felt it a bad idea to work further on this. Daniel Karrenberg felt that the next step would be for Lars-Johan to put together a proposal to take into the NCC Services Working Group.
J: DNSSEC in Sweden
Jakob Schlyter – SUNIC
There were no questions.
K: Update to RIPE 203 – Recommendations for SOA Values
Peter Koch – DENIC
Olaf Kolkman asked whether Peter thought it might be an idea to put fixed values or ranges with reasons as to why anyone might choose to sit on the higher or lower end. Peter Koch felt fixed values would avoid problems with poorly aligned intervals.
Gerhard Winkler felt that the group should discuss MNAME in more detail. He thought it would be useful for people to see which secondary or slave loaded from which master. Maybe different MNAME fields for different masters would make sense.
Peter felt this discussion would fit better on the IETF namedroppers mailing list:
The protocol does specifically state that there should be one unique Master Name server. The document is aimed at a very particular set of zones, it does not try to give a general condition or case for the MNAME field. It is constrained to smaller, stable zones. If Gerhard had proof that these zones tended to be loaded from different databases or sources, Peter would welcome any new text. He added that it was important to take into account if this would be relevant to the target audience of the document.
Talking about ripe-203, Gerhard commented that a disclaimer might help in case anyone was using the document as an authoritative source of information. Peter Koch replied that he doubted anyone should use ripe-203 as a policy document, since the subject matter had a specific focus but was not ‘set in stone’. It should not be regarded as general technical advice. He wanted to see more discussion on the wording of the document through the mailing list and see the issue of MNAME taken to the namedroppers list. Mohsen Souissi said that having read the discussion on the mailing list, felt the document should state whether having an MNAME within a zone with an RFC1918 name was good or bad practice. He noticed that recent discussion through the DNS Working Group mailing list discouraged it. Peter Koch asked Mohsen to provide some specific text. There was nobody who disagreed with the need to update the document.
L: ENUM DNS Predelegation Checks
Peter Koch – DENIC
Peter explained that have been a very small number of lame or stale delegations. This appears to be largely due to human error.
Along with Carsten Schiefner (co-chair of the ENUM Working Group), Peter proposed that the predelegation checks currently applied to reverse mappings by the RIPE NCC before entering a delegation into the respective IN-ADDR.ARPA zone, be applied automatically to e164.arpa delegations.
The proposal was universally accepted and Carsten will now draft some text and submit it to the RIPE PDP system.
Andrei Robachevsky stated he felt that inconsistencies might have come about when further changes were applied to delegations. The child zone may not be aware that it needs to change something within the parent zone. It would also be worth looking at processes in place to avoid problems in the future. Carsten replied that it might be preferable if the RIPE NCC could perform ongoing checks. This should cover both the parent zone and child zones, either by using their own or third party tools such as Zonecheck. Andrei agreed that there were several ways to do this and that there were ways in which the quality of checks could be improved. Carsten emphasized that e164.arpa downwards delegation is important and there should be some mechanism in place to provide an early heads up if there could be an issue with a zone. Andrei agreed. Niall O’Reilly wished to add his support for the suggestions made by Andrei about periodic checking.
Jim Reid asked if it was a good idea to also look into signing the e164.arpa delegations.
Carsten Strotmann told the group that over the past three weeks, he had received several customer enquiries about the Open Root Server Network System (ORNS). He wondered if anyone had opinions about whether customers should use it or not. The issue seems to have arisen from an article in CircleID by Paul Vixie where he states he favours ORNS over the IANA root network:
Joao Damas of ISC stated that Paul was speaking in his own private capacity. His request to run one of ORSN servers has nothing to do with either ISC or the operation of the F-root server.
Lars-Johan Liman, speaking as a maintainer of I-root, pointed out that there is an RFC (2826) maintained by the IAB on this subject. The RFC clearly states the need for a single root. It should leave nobody in doubt that it is a good thing. The single root is currently maintained by the IANA and he feels this works well.
Daniel Karrenberg supported the comments made by Lars-Johan. He suggested that if a customer asks for this service, it would be wise to ask why. Do they want a root server that almost everyone uses or one that is used by just a few?
Peter Koch pointed to another CircleID piece by Milton Mueller:
The article tries to make the case for ORSN being simply an alternative root. ORSN claims that it is identical to the current root, up until the point where it decides to stop being identical. This is, he feels, a precise definition of an alternative root. Claiming it is a copy of the ICANN route is just incorrect. It could also have strange consequences for DNSSEC.
Daniel Karrenberg concluded the discussion by stating that a choice has to be made about whom you trust to provide information and quality of service.