May 2014 - dns-wg - mailman.ripe.net

Announcing changes to DNSMON
by Vesna Manojlovic 09 Sep '14

09 Sep '14

Dear colleagues, The DNS Monitoring Service (DNSMON) has been providing a comprehensive, objective and up-to-date overview of the quality of various global and regional DNS operators' services since 2003. As announced last year by Kaveh Ranjbar in the RIPE Labs article, "Future of RIPE NCC Technical Services", we are in the process of integrating DNSMON within RIPE Atlas, using RIPE Atlas anchors as vantage points. The beta version of the new DNSMON will be available next week, when we will invite you all to try the new service and provide your feedback. In the meantime, we wanted to let you know about some of the changes in the new DNSMON service: New interactive graphs that will allow you to zoom in on interesting details, such as servers, vantage points, and time intervals. Support of TCP queries. Data delay for non-DNSMON users will not be replicated because the measurements performed by RIPE Atlas anchors for the new DNSMON are public measurements. Therefore, the results will also be publicly available. Server-side generated RRD graphs will not be migrated, as the client-side visualisations provide a comparable replacement. However, the existing service will keep working in parallel and decommissioning plans will be discussed with the community. In the meantime, the graphs and data from the old system will still be available. We will publish a RIPE Labs article with more details when the new service becomes available next week. We’re confident the new DNSMON will continue to meet your needs and hope you'll be pleased with the new features. Please stay tuned for more information. Kind regards, Vesna Manojlovic Senior Community Builder Measurements Community Building RIPE NCC

8 14

indulgence satiated
by manning bill 05 Jun '14

05 Jun '14

Thanks All for taking the time to prod 2001:500:84::b Looks like it is reachable from many places… enough that we will proceed to augment the “B” root server with perhaps the last in a long line of IPv6 addresses that it has had over the last 15 years. Splay will increase over time. /bill /bill Neca eos omnes. Deus suos agnoscet.

4 7

WG comment on DNSMON changes
by Jim Reid 03 Jun '14

03 Jun '14

Colleagues, you might recall that last month the NCC announced a time-line for some changes to the DNSMON service. This was discussed when the WG met in Warsaw last week. In outline, the old service is based on TTM boxes which are due to be retired at the end of June. These are already beyond their anticipated life-span. The new version of DNSMON uses the Atlas probes and is already operational. It is possible some users of DNSMON may need to change their internal tools and processes when transitioning to the new platform if these depend on the data gathering done by the soon-to-die TTM boxes. If this affects you, please speak up now! I would be grateful if you could express your approval or rejection of the NCC's approach and proposed time-line. Details are at https://labs.ripe.net/Members/romeo_zwart/copy_of_proposed-time-lines-for-p…. There was little to no response by the WG to the earlier announcement. This makes both your WG Co-chairs and the NCC staff uncomfortable. After the WG co-chairs and NCC's DNSMON team discussed this last week, we agreed to set the end of this month as the final date for comments. Although we can work on the operating principle that silence implies consent, it would be better for all concerned if there were positive messages of support (or even ones of objection) on the list. Please respond. I'd appreciate it if you can comment on the list to indicate that you approve (or disapprove) of the current proposal and/or time-line. thanks in advance

7 6

crave your indulgence
by manning bill 28 May '14

28 May '14

If you wouldn’t mind a quick tracerooute - Can you confirm reachability to the following: 2001:500:84::b Thanks in advance. /bill Neca eos omnes. Deus suos agnoscet.

5 5

Provisional agenda for RIPE 68
by Jim Reid 07 May '14

07 May '14

Colleagues, my apologies for the delay in getting the agenda prepared and distributed for next week. At long last, here it is. Please note one or two items have not get been confirmed, so there may be some changes between now and next Wednesday. Although I don't expect there will be any, it would be unwise to make life-changing decisions on the assumption that the V1.4 agenda remains unchanged. Hope to see most of you in Warsaw next week. # # $Id: agenda,v 1.4 2014/05/07 11:00:29 jim Exp $ # PROVISIONAL AGENDA: RUNNING ORDER, TIMES & EVEN CONTENT MAY CHANGE [0] Usual Administrivia 5 mins Agenda bashing Minutes of previous meeting Review of Action Items [1] NCC Report 15 mins Stuckee, RIPE NCC [2] DDoS Forensics 25 mins Curon Davies, JISC RSC Wales As a result of daily attacks against a Further Education College in Wales, a connection was noticed between changing DNS entries and the attacked IP address. Using innovative DNS responses inspired by GeoDNS and logging all requests to the authoritative server, it has been possible to trace the source of DDoS and spoofed flood attacks. [3] Measuring DNSSEC validation deployment 15 mins Nicolas Canceill, NLnet Labs We have executed a research in which the RIPE Atlas measurement network was utilized to quantify the amount/percentage of resolvers that do DNSSEC validation. We were not only able to identify which resolvers do DNSSEC validation, but also which resolvers are security-aware (and to which level). Moreover, during the research some particular cases have been found: the existence of insecure fallbacks in case of missing signatures, and a troublesome issue with secure wildcard records. [4] Measuring DNSSEC from the end user perspective 30 mins Geoff Huston, APNIC The presentation explores the technique of measuring the characteristics of the DNS and its performance by posing a set of DNS questions to end users and observing the queries that occur at the authoritative servers in response. Using online advertising channels the tests can be undertaken at a level of high volume and broad spread across the Internet. The presentation will describe the use of this technique in measuring DNSSEC validation, DNS over TCP, DNS performance and similar. LUNCH [5] Report from Ad-hoc ccTLD group 10 mins Peter Koch, DENIC [6] Registry Infrastructure Transformation 20 mins Michael Daly, Nominet In the past 24 months Nominet the UK Registry have completely transformed the infrastructure that is used to deliver the UK Registry services. The infrastructure has been moved to be much more agile and highly available. This presentation will detail some of the choices we made and methods we used to deploy and manage our infrastructure. [7] Google DNS hijacking in Turkey 30 mins Stephane Bortzmeyer, AFNIC In March 2013, the Turkish government decided to prevent access to Twitter. It used some well-known techniques but also one which have not been documented in the real world before: using routing to hijack DNS resolvers such as Google Public DNS. What exactly happened and what could be done to prevent that? [8] DNSMON Developments 10 mins Stuckee, RIPE NCC [9] DNS Monitoring Common Practices/APIs Panel Session 15 mins To be confirmed [10] AOB 5 mins

2 1

Program in Warsaw?
by Stephane Bortzmeyer 05 May '14

05 May '14

I find nothing on this list, or on <https://ripe68.ripe.net/programme/meeting-plan/> (note the menu has all the WGs but DNS) The group was shut down while I looked elsewhere?

3 3