Critical IT-services in focus at the DNS reference group

Increased robustness for critical municipal IT-services to prepare them for a major crisis, an update on the root KSK rollover and insight into the DNS architecture of Facebook were some of the topics at DNS reference group meeting in May.

The spring meeting of the DNS reference group took place on 23:rd of May at IIS. The talks were mainly centered around security, reliability and robustness on the internet. Marco Davids from SIDN presented a solution for a local anycast service that they have been offering to the local ISPs for a few years. With this service, SIDN places an anycast node in the ISP’s network containing a copy of the TLD zones they manage (.nl and .amsterdam) as well as a copy of the root zone. This lets the IPS’s customers resolve queries for these domains, even if the root zone or SIDN’s primary infrastructure should become unreachable for some reason.

Smaller ISPs who are unwilling or unable to make the initial investment required for a local anycast node have the option of using a shared version of the solution. In this case, a single anycast node is placed at an IXP (Internet Exchange Point). ISPs with a presence at the IXP can then peer with this node and route traffic to it should they need or want to.

On the same note, Netnod, by request from PTS (The Swedish Post and Telecom Authority), are looking to design a solution that takes things a step further. The project goes by the name Särimner and is looking to increase the robustness of critical municipal IT-services in Sweden. Presently, many of these functions, for example krisinformation.se (a governmental crisis information site), lack adequate redundancy. Särimner aims to make these critical resources available to everyone in Sweden, even if parts of the country for some reason get isolated.

To achieve this, the plan is to expand and improve interconnection between different local ISPs, as well as to establish a variant of local anycast nodes, that apart from the root and .se zone, also contains copies of critical web pages and other internet resources. These nodes are meant to function as a limited, autonomous Internet in the event of a crisis. The project is still in the proof of concept phase.

On the resolver side of things, Jakob Dhont from Switch shared some information about a resolver service they offer, mainly to the universities of Switzerland. The service solution utilises, among other things, RPZ (Response Policy Zones) in order to protect the users from malware and phishing, as well as preventing various botnets from reaching their command-and-control servers. They are cooperating with few select third party RPZ list providerse, as well generating their own.

Vladimír Čunát from .CZ talked a bit about Knot Resolver. Knot is probably best known as an authoritative name server, but the resolver have been around for a couple of years now and continues to be developed. The focus was mainly on how Knot Resolver handles RPZ, but there were also a few tidbits on future improvements and new functions.

Facebook had some interesting information to share regarding their DNS architecture. Rok Papež presented the less conventional solution they have implemented in order to minimise response time for their users. They are basically using scattered instances of tinyDNS who distribute zone data between themselves using torrent. In order to avoid having to scale each instance to handle peak traffic loads, traffic is routed from busy nodes to ones with available capacity, even if it’s not the closest node. This serves to distribute the traffic more evenly over time and flatten load peaks.

Jakob Schlyter from Kirei gave a status update on the root KSK rollover. The rollover, as you probably know, was postponed shortly before the planned date in October 2017. The decision to postpone the rollover was based on measurements on the distribution of the new KSK. Data from these measurements indicated that reaching the goal of availability, set to 99.95% of Internet users worldwide after rollover, was uncertain.

Since then, however, further ongoing measurements keep showing better results and the positive trend is continuing. A new date for the rollover has yet to be announced, but according to the latest information from ICANN, it is scheduled for some time in October this year.

Jerry Lundström from DNS-OARC presented one of their latest projects: dnsjit. This is a modular tool that brings together functionality from other tools, such as dnscap and drool, providing a simple and efficient way of capturing, parsing and gathering statistics on DNS traffic, as well as replaying previously captured DNS traffic.

All in all, it was an interesting and rewarding event. A big thank you to all the presenters and participants. Please join us at the next reference group meeting, that will be held in conjunction with the Nordic Domain Days on 19–20 November at the Stockholm Waterfront Congress Centre.

Tags: , , Photo: Morpeth Flood by johndal (CC BY)

About the blogger

Jonas Andersson