APRICOT 2003


SIG: DNS operations

Wednesday 26 February 2003, Taipei International Convention Center (TICC), Taipei, Taiwan

Minutes

Meeting commenced: 2:05 pm

Chair: David Lawrence (acting Chair)

The Chair introduced the SIG and explained the agenda.

It was explained that Paul Gampe has resigned as Chair, and David Conrad was unable to attend this meeting. A new call for Chair and co-Chair will be made after this meeting.

Contents
  1. Sweeping lame DNS delegations - a proposal
  2. Implementation of lame delegation policy in the ARIN region
  3. Anycast views of the Root
  4. Steps towards a secure DNS
  5. Sapphire/Slammer worm: Impact on Internet performance
  6. Internationalized domain names and reverse DNS
  7. Reverse DNS traffic during the slammer worm incident
  8. ip6.int/ip6.arpa
  1. Sweeping lame DNS delegations - a proposal
     George Michaelson, APNIC

    Presentation

    This presentation proposed that APNIC commence a procedure to clean up lame delegations in this region. It was explained that 10-15 percent of all reverse DNS domains managed under APNIC are lame. The presenter noted that lame DNS increases traffic to DNS root servers and causes other problems to end-users and third parties. He suggested that the solution to this has to be a top-down process.

    The APNIC Secretariat has been analysing lame DNS impacts. It is now proposed to create a process for advising operators that their domains are lame. Records that are not fixed within a defined time would be disabled. Under this proposal, there would also be a defined process for re-enabling lame delegations.

    The presenter asked Ray Plzak of ARIN to give a brief presentation of the process used in the ARIN region.

    The presenter proposed that APNIC would apply a standard reporting procedure for informing the community of progress. APNIC would also seek to coordinate with other RIRs. The entire process should be regularly reviewed by the DNS SIG.

    The presenter asked the SIG to provide feedback on whether this proposal should be adopted.

    Questions and discussion

    • There was a comment that this activity would lead to better quality of service in the region.
    • It was suggested that the proposal is necessary but may not be strict enough to force operators to clean up their DNS.
    • The presenter suggested modifying the proposal to define the nature of lameness and the methods for verifying and contacting the operators. It will then be referred back to the mailing list.

    Action items

    • Action dns-15-001: Secretariat to modify the lame delegation clean-up proposal and refer it back to the mailing list.

  2. Implementation of lame delegation policy in the ARIN region
     Ray Plzak, ARIN

    This presentation described the processes used in the ARIN region to deal with lame delegations. There is a test phase (for identifying lame delegations); a contact phase (for attempting to contact operators or the operators of the relevant AS); an evaluation phase; and a removal phase.

    ARIN has so far identified over 12,000 networks with lame delegations. They have started to contact an initial set of network POCs and have achieved a significant immediate response.

    Questions and discussion

    • None

    Action items

    • None

  3. Anycast views of the Root
     Paul Vixie, ISC

    Presentation

    The speaker noted that APNIC has now collaborated with ISC to deploy a mirror of the F-Root in the HKIX, using anycast.

    He noted the advantages of the configuration, including protection from DoS attacks. He noted that ISC plans to deploy many more mirrors of F-Root over the coming years, which will prevent attackers from targeting a single server.

    He stressed that the correctness and integrity of the data is essential, requiring root rather than local administration.

    Questions and discussion

    • None

    Action items

    • None

  4. Steps towards a secure DNS
     Olaf Kolkman, RIPE NCC

    Presentation

    This presentation has previously been given at a RIPE meeting. It provides an overview of the DISI (Deployment of Internet Security Infrastructure) Project, which is currently focussed on DNSSEC. The presenter outlined the steps that are required to deploy DNSSEC when it becomes fully available.

    The presenter described the basic operation and key structure of DNSSEC.

    The steps required to deploy DNSSEC include:

    • Complete the DNSSEC specifications;
    • Design an appropriate DNSSEC infrastructure, including a DNS aware server with enough capacity to handle the increased load, and protocol awareness on all slave servers;
    • Develop a local signing procedure, including key policies, algorithms, emergency procedures, and a key maintenance system;
    • Become part of a chain of trust;
    • Delegate signing authority, which requires a key exchange mechanism and an appropriate registry system;
    • Configure client applications.

    The presenter also explained the status of RIPE NCC's efforts to achieve these steps. He noted that there is a problem in that until there is infrastructure, there will be limited application development.

    RIPE NCC provides DNSSEC training in the RIPE region.

    The presenter expressed the hope that DNSSEC will be deployed by late 2003 or early 2004.

    Questions and discussion

    • None

    Action items

    • None

  5. Sapphire/Slammer worm: Impact on Internet performance
     Olaf Kolkman, RIPE NCC

    Presentation

    This presentation described the rapid spread of the Sapphire/Slammer worm. RIPE NCC measured it using TTM, RIS, and route server monitoring. Their analysis showed that the worm had very little impact on the backbone.

    The presenter outlined the Test Traffic Measurement (TTM) servers deployed by RIPE NCC and discussed how the measurements were taken. The measurements indicated that most of the problems were localised and were near the edges of the networks.

    All of the RIPE NCC's route collectors saw a big increase in the number of announcements and withdrawals of routes.

    The route server monitoring indicated that two servers were affected, most likely due to connectivity problems close to those servers.

    The presenter concluded that this was definitely not a global meltdown and that it had no significant effect on the backbone or the root server service.

    Questions and discussion

    • None

    Action items

    • None

  6. Internationalized domain names and reverse DNS
     James Seng, IDN Working Group

    Presentation

    This presentation was an overview of the recent decisions of the IDN WG.

    RFC 3492 has been finalised, describing "Punycode", for transforming Unicode into an LDH string.

    RFC 3454 and RFC 3491 have also been finished, relating to normalisation and case mapping.

    RFC 3490 describes IDNA upgrades to applications to handle IDN by enforcing nameprep.

    The presenter outlined the implications for DNS operators. He provided an example for the delegation of an internationalised domain.

    Questions and discussion

    • None

    Action items

    • None

  7. Reverse DNS traffic during the slammer worm incident
     George Michaelson, APNIC

    This presentation discussed observations of DNS behaviour during the slammer worm incident, including a doubling of the load on APNIC DNS servers.

    The presenter explained that the total load for Korea exceeded the mainstream US load quite clearly.

    The presenter speculated on where the load was located, but noted that more investigation was required.

    Questions and discussion

    • It was noted that the behaviour of the worm was to propagate itself, so the smaller spike before the main attack would be very interesting to investigate.

    Action items

    • None

  8. ip6.int/ip6.arpa
     George Michaelson, APNIC

    Presentation

    This presentation gave an overview of the current status of IPv6 reverse delegations. The statistics show a slow but steady increase in ip6.arpa traffic, while ip6.int traffic is steadily decreasing.

    Questions and discussion

    • None

    Action items

    • None

    Meeting closed: 3:45 pm

    Minuted by: Gerard Ross

    Open action items
    • Action dns-15-001: Secretariat to modify the lame delegation clean-up proposal and refer it back to the mailing list.
