Minutes

SIG: DNS operations

Thursday 8 September 2005, Melia Hotel, Hanoi, Vietnam

Meeting commenced: 4:00 pm

Chair: George Michaelson, APNIC (on behalf of Joe Abley, ISC)

The Chair introduced the session and explained the agenda. He passed on apologies from Joe Abley (Chair) and Joao Damas (Co-chair), neither of whom was able to attend this meeting.

Contents

  1. Review of previous open action items
  2. Deprecation of ip6.int reverse DNS service in APNIC
  3. Lame DNS policy status update
  4. Scaling the DNS - discussions
  1. Review of previous open action items

    Sanjaya, APNIC

    • None.

  2. Deprecation of ip6.int reverse DNS service in APNIC

    Sanjaya, APNIC

    Presentation [ppt | pdf]

    This presentation contained a proposal to deprecate ip6.int [prop-030-v001]. The presenter explained the background to this proposal, which originates from RFC 3152 and RFC 4159. From September 2005, the RIRs no longer have to provide ip6.int reverse DNS services.

    APNIC stopped accepting new updates in this domain about one year ago, but there remains a small number of queries to the service. There are currently 31 records in ip6.int which do not have corresponding ip6.arpa records.

    LACNIC is preparing to stop this service. It is expected that ARIN, RIPE and AfriNIC will present a similar proposal in the future. APNIC proposes to stop this service entirely, in an orderly fashion, preferably at the same time as the other RIRs.

    The presenter outlined the proposed procedure for removing the ip6.int service entirely. It is hoped that this will be completed in time to report to APNIC 21, pending coordination with the other RIRs.

    The presenter explained that ending ip6.int services will simplify IPv6 reverse mapping domains. The only disadvantage is that some legacy IPv6 applications may no longer get valid DNS results.

    The presenter reported that most responses to the proposal so far have been positive, although there have been several questions about the procedure for contacting users.

    Questions and discussion

    • It was noted that there are currently about three queries per minute on the domain, but to date there is no detailed analysis of queries to the records with no ip6.arpa record.
    • It was suggested that this proposal amounts to a survey of the distribution around the world of bad software, multiplied by the distribution of poor whois records.
    • It was suggested that probably more of the queries appear to be delegation priming queries from recipients of domains from APNIC.
    • The Secretariat committed to providing detailed measurements of the effects of the proposal.
    • There was a comment from a JPNIC representative in support of this proposal and offering to help with the associated communications.
    • The Chair called for a show of hands and observed that consensus had been received to proceed with the proposal.
    • There was a discussion as to whether there were any resolvers in production that continue to use ip6.int. It was noted that all major vendors appear to have updated their systems to ip6.int, although some people may be using older software.

    Action items

    • dns-20-001: Pending approval at each remaining stage of the policy proposal process, Secretariat to implement proposal [prop-030-v001].

    • dns-20-002: Secretariat to gather statistics revealing the breakdown of ip6.int lookups and report back to the DNS SIG at APNIC 21.

  3. Lame DNS policy status update

    George Michaelson, APNIC

    Presentation [ppt | pdf]

    The presentation detailed a proposal originally discussed at APNIC 16, to identify and remove lame DNS records. Implementation of the proposal began at the end of 2004. The process of notification alone led to very good outcomes in resolving lame DNS records. The process of undelegating domains commenced in 2005, although the application was modified to create a better process for dealing with networks with more than five lame records.

    The policy has not yet been implemented for IPv6, as there is still so much testing going on in IPv6 networks. This is not considered to be a significant problem.

    The presenter provided detailed statistics of the effect of the procedure, noting that it appears to have had very good success in improving the quality of domain registrations. Nevertheless, there remains a persistent body of lame domains (approximately 5,000) that cannot be cleared up. This may be due to domains being unstable and, therefore, not lame long enough to be caught by this system. This may raise the need to assist operators in delivering more stable DNS.

    The presenter also gave an overview of the resolution process, which revealed that many people had forgotten their passwords, had incorrect contacts, or had problems in proper configuration.

    In summary, this project has reduced lameness from 18 percent to 8 percent.

    Questions and discussion

    • It was noted that some nameservers appear to be lame for hundreds of domains.
    • There was a discussion of allocations for which delegations have never been made. It was explained that these are not technically lame, although there does appear to have been a rise in the number of NS domains since this process has been in place. There was a suggestion to gather statistics on this issue.

    Action items

    • dns-20-003: Secretariat to gather statistics about the extent of undelegated domains and report back to the DNS SIG at APNIC 21.

  4. Scaling the DNS - discussions

    Mathias Koerber, Nominum

    Presentation [ppt | pdf]

    The presentation detailed work relating to developments that are placing increased demands on the DNS. Some of these developments are malicious; others are problems of accidental misconfiguration; and others are legitimate developments such as extra links in web pages, RSS feeds, and new checking services in email applications.

    These increased demands create a variety of problems for caching name servers. The presenter also noted that there is now far more information in the DNS, due to new technologies such as IPv6, DNSSEC, and ENUM.

    The implications are higher memory requirements for name servers, slower performance, slower restarts, and other problems. There is increased use of dynamic DNS, faster domain registrations, self-help DNS interfaces, and portability of ENUM.

    The presenter noted that there is now a demand for faster results. The presenter suggested some potential solutions and the relative costs of these solutions. He then provided some comparisons of ANS and BIND.

    The presenter sought input from the community on what other problems are likely to arise for DNS operations. He also asked whether there may be potential problems that would be specific to the Asia Pacific region.

    Questions and discussion

    • It was noted that whois updates are taking place only once or twice per day, which can cause some security problems. It was suggested that there is a need for faster updates to whois to match the speed of DNS updates. There was also a comment about the use of backend databases for zone transfers. It was suggested that normal databases may not be able to handle the query load.
    • It was noted that APNIC is currently in the process of developing a registry system that may lead to the generation of dynamic updates from registry into DNS. This remains a work in progress.
    • It was suggested that problems at the root have been solved now, thanks to the recent deployments of root server mirrors throughout the region. It was noted that there is now some discussion in the DNS Ops WG at IETF about service on significant domains. The query path still has many concerns. It was noted that technologies such as ENUM raise the bar on the provisioning side, but the real problems seem to be in the caching side.
    • There was a question relating to the exponential increase in demand on DNS services and the need to stabilise the situation before deciding on the general direction that DNS should be heading. However, it was argued that it is not sufficient to tackle only current problems; it is also necessary to try to identify where other crunch areas may lie.

    Action items

    • None.

Open action items

  • dns-20-001: Pending approval at each remaining stage of the policy proposal process, Secretariat to implement proposal [prop-030-v001].

  • dns-20-002: Secretariat to gather statistics revealing the breakdown of ip6.int lookups and report back to the DNS SIG at APNIC 21.

  • dns-20-003: Secretariat to gather statistics about the extent of undelegated domains and report back to the DNS SIG at APNIC 21.
