Minutes

DNS operations SIG

Thursday 2 September 2004, Sheraton Fiji Resort, Nadi, Fiji

Meeting commenced: 2:06 pm

Chair: Joe Abley

The Chair introduced the SIG and explained the agenda.

Contents

  1. Open action items
  2. Status report on primary and secondary DNS load
  3. Lame delegation status report
  4. Discussion of new DNS generation system
  5. APNIC region root server report
  6. Addition of IPv6 servers to in-addr.arpa tree
  7. DNSSEC deployment
  8. Status of IPv6 glue in the root zone
  1. Open action items

    Presentation [pdf | ppt]

    Action items

    • dns-16-001: Secretariat to implement proposal 'Lame delegation cleanup revised' (prop-004-v001).
      Update: Open. To be implemented 30 September 2004. George Michaelson will give a full status report in this SIG.

  2. Status report on primary and secondary DNS load

    Terry Manderson, APNIC

    Presentation [pdf | ppt]

    The speaker covered a new data collection method used by the Secretariat, which provides improved accuracy and allows more in-depth analysis (per zone, query/response analysis). The speaker noted that the historical method was still running and that while the two methods were not entirely compatible, the new method augments the old.

    The speaker noted that there are three primary nameservers in the AP region, and that all servers are authoritative for the same zones and include in-addr.arpa zones and ip6.arpa zones. NS3 in Japan takes the biggest load in the region. The speaker discussed differences between referral and NXDOMAIN responses across the different nameservers, and noted that the top primary zone has been 61.in-addr.arpa. He noted that staff were unsure as to why there were spikes in primary zone usage. He also noted that APNIC operates two secondary servers in Australia and Japan, which provide service for 13 ccTLDs, 88 members' in-addr.arpa zones, and zones from other RIRs.

    The speaker noted relatively heavy use in secondary zones, evidence that it has been beneficial to the Asia Pacific region for APNIC to act as secondary for the other RIRs' zones. He concluded that primary, secondary and other servers are running extremely well, and that APNIC can easily house secondary services for zones named under .arpa and will be able to handle DNSSEC.

    Questions and discussion

    • None.

    Action items

    • None.

  3. Lame delegation status report

    George Michaelson, APNIC

    Presentation [pdf | ppt]

    The speaker discussed the sweep of lame delegations from the APNIC Whois Database. He outlined the issues caused by lame delegations for users and on the Internet infrastructure, particularly for unrelated third parties. He noted that APNIC would rather that network administrators fixed this issue themselves, but that this could not be relied on to happen. He outlined the process for testing and removing lame delegations, and noted that Secretariat staff have been working to develop various tools to facilitate this.

    The speaker reported on the current status of the project, which is planned for deployment in the fourth quarter of the year. He noted that roughly 12 percent of nameservers were consistently lame (slightly lower than when last reported), but that many were unstable rather than persistently lame. He also noted that APNIC did have a Top 10 list of nameservers which host many lame domains; however, privacy issues have prevented APNIC from publicising this list. The speaker also noted the development of tools within MyAPNIC, which will be available to assist members.

    Questions and discussion

    • None.

    Action items

    • None.

  4. Discussion of new DNS generation system

    Terry Manderson, APNIC

    Presentation [pdf | ppt]

    The speaker updated the status of APNIC's new DNS generation process. He outlined the current process for DNS generation, in place until 7-8 months ago, when a new process was necessitated by the ERX project. He outlined the issues with the current system, and the features of the new system, which eliminates zones and places Whois, ERX, and NIR data straight in a DNS database. This has reduced the time for DNS generation, produced 'clean' zone files, provided flexibility for DNSSEC, and automated the process, among other benefits. The new system is currently 95 percent implemented, and is in final testing stages. It is expected to be fully deployed in November 2004. The speaker concluded by outlining future issues for consideration, including DNSSEC support, in-addr.arpa glue, direct update support, and, in the long term, use of dynamic DNS.

    Questions and discussion

    • A question was asked about whether it was possible to link a database to the DNS server without having the zone files. The speaker noted that this was a possibility, but that it had not been considered at this stage.

    Action items

    • None.

  5. APNIC region root server report

    George Michaelson, APNIC

    Presentation [pdf | ppt]

    The speaker reported on root server activity and management in the AP region. APNIC has acted as a coordination point for the development of root servers in the region, as well as providing sponsorship and assistance, and has now signed MoUs with F and I roots, as well as having a long-standing relationship with RIPE NCC, operator of K; APNIC is not itself a root server operator. APNIC has been involved in the deployment of 10 nodes so far, with more expected this year.

    The speaker also discussed the processes via which root server services are delivered. He noted that APNIC encourages participation in BGP peering with critical infrastructure and the development of an improved query method. He also addressed the benefits of having root server nodes in the AP region for local users.

    Questions and discussion

    • None.

    Action items

    • None.

  6. Addition of IPv6 servers to in-addr.arpa tree

    George Michaelson, APNIC

    Presentation [pdf | ppt]

    This presentation looked at the effects of the addition of IPv6 servers to the in-addr.arpa tree. The speaker discussed the technical and management situation for in-addr.arpa, and noted that there exist risks with the addition of IPv6 servers, but that these were minimal. He noted that the rewards were large for those people committed to, and using only, IPv6, who will now have a valid, fully functional IPv6 path to nameservers. APNIC has already been hosting IPv6 reverse delegations, and does not expect any problems. It was also clarified that APNIC's servers were dual-stack servers.

    Questions and discussion

    • None.

    Action items

    • None.

  7. DNSSEC deployment

    Bill Manning, USC/ISI

    The speaker explained that DNSSEC involves incorporating cryptographic signatures in the DNS and protecting the integrity of the query result. He noted that this is a key step in strengthening the Internet infrastructure. This has been under development for more than 10 years, but has proved difficult to implement, and a lot of work remains to be done. The implementation is divided into 'epochs', indicating different stages of implementation, and the speaker noted that we are currently in the first, or 'Empty' epoch.

    The speaker noted the pivotal role of ICANN in deploying DNSSEC because of its control of the root zone, and the role of SSAC, and its spin-off, the DNSSEC Deployment Project. The speaker noted the open nature of this project and looked at some of the specific projects which make up the overall deployment.

    The speaker examined issues including distributing the root key, 'trust anchors', or secure entry points, and privacy issues, including the protection of data. He noted some of the governments, companies, and organisations involved in deploying this system.

    It was noted that APNIC will have a significant role in the distribution of public keys, particularly in relation to NIRs. The speaker noted that if someone obtains another user's private key they can then steal that user's Internet resources, and he highlighted the importance of key management issues to bodies such as APNIC.

    Questions and discussion

    • None.

    Action items

    • None.

  8. Status of IPv6 glue in the root zone

    Bill Manning, USC/ISI

    Presentation [pdf]

    This presentation looked at the support for IPv6 in the root zone. The speaker noted the distinction between IPv6 data and transport, and emphasised that there is no problem with serving IPv4 or IPv6 resource records over either transport. It has been noted for some time that since IPv6 resource records are larger than corresponding IPv4 records, there are potential problems with the size of responses to queries: the DNS is limited to 512 octets. A system called EDNS0 was devised to get around this problem; however, there remain issues.

    The speaker outlined solutions that were being developed by the IETF and other bodies. The speaker examined ARIN's solution, which involved IPv6 transport that does not match their IPv4 transport. It was noted that administrators can't control whether users will be coming in via IPv4 or IPv6, and thus have to provide a consistent set of DNS responses regardless of which transport is used to receive requests.

    He also noted the Department of Commerce's interest in adding IPv6 support to the root zone, and their concern for stability. The speaker noted that there were now a number of AAAA records in the root zone. He noted the root servers were in a different situation, particularly given that they must deal with 'priming queries' from equipment, some of which is very old.

    The speaker concluded that the most important thing for DNS operators is that in turning on IPv6 for a zone, it is necessary to ensure that everything is equal, and the namespace is the same in IPv4 and IPv6.

    Questions and discussion

    • It was suggested that the purpose for running dual-stack was so that you could have mixed hosts and that the speaker's assumption that there would be consistent, homogeneous dual-stack support throughout an organisation was problematic.

    Action items

    • None.

Meeting closed: 3:38 pm

Minuted by: Chris Buckridge

Open action items

  • dns-16-001: Secretariat to implement proposal 'Lame delegation cleanup revised' (prop-004-v001).
    Update: Open. To be implemented 30 September 2004. George Michaelson will give a full status report in this SIG.
