June 2014 - dns-wg - mailman.ripe.net

Announcing changes to DNSMON
by Vesna Manojlovic 09 Sep '14

09 Sep '14

Dear colleagues, The DNS Monitoring Service (DNSMON) has been providing a comprehensive, objective and up-to-date overview of the quality of various global and regional DNS operators' services since 2003. As announced last year by Kaveh Ranjbar in the RIPE Labs article, "Future of RIPE NCC Technical Services", we are in the process of integrating DNSMON within RIPE Atlas, using RIPE Atlas anchors as vantage points. The beta version of the new DNSMON will be available next week, when we will invite you all to try the new service and provide your feedback. In the meantime, we wanted to let you know about some of the changes in the new DNSMON service: New interactive graphs that will allow you to zoom in on interesting details, such as servers, vantage points, and time intervals. Support of TCP queries. Data delay for non-DNSMON users will not be replicated because the measurements performed by RIPE Atlas anchors for the new DNSMON are public measurements. Therefore, the results will also be publicly available. Server-side generated RRD graphs will not be migrated, as the client-side visualisations provide a comparable replacement. However, the existing service will keep working in parallel and decommissioning plans will be discussed with the community. In the meantime, the graphs and data from the old system will still be available. We will publish a RIPE Labs article with more details when the new service becomes available next week. We’re confident the new DNSMON will continue to meet your needs and hope you'll be pleased with the new features. Please stay tuned for more information. Kind regards, Vesna Manojlovic Senior Community Builder Measurements Community Building RIPE NCC

8 14

DNSMON visualisation delay
by Robert Kisteleki 08 Jul '14

08 Jul '14

Dear DNS Working Group, At RIPE68 we were asked to "send an email to the mailing-list about advantages and disadvantages of delayed and non-delayed versions of DNSMON [visualisation], specifically related to the management of the software and the ongoing maintenance of the legacy systems that you want to retire". As many of you know, the old DNSMON service had an artificial delay of a couple of hours for visualising the incoming data, for everyone except a specific "DNSMON customers" group. With the changes to the service model as of 2013 there is no good definition of "DNSMON customers" any more. Also, the current DNSMON implementation does not apply any artificial delays, which in practice means all data points show up in the graphs within 10-15 minutes. As Daniel projected a few days ago, we see some realistic options regarding this visualisation delay: === 1. No changes to what the service offers now; ie. graphs will show results with minimum delay Development effort: none Pro: simplest solution Con: this is perceived by some to be "helping potential attackers" by making it easy to observe the effects of an attack on the DNS infrastructure === 2. Introduction of an artificial delay to *all* users, regardless of NCC member/non-member, or login status (known an anonymous users) Development effort: minimal (est. couple of developer days) Pro: not helping potential bad guys monitoring the zones/servers in real time Con: not helping the good guys monitoring the zones/servers in real time either === 3. Introduction of an artificial delay to users in general, except for RIPE NCC members. Authentication is done by RIPE NCC Access (Single Sign-On), authorization is controlled by the existing LIR portal mechanism. Development effort: minimal (est. couple of developer days) Pro: RIPE NCC members have early access to visualisations, others don't Note: the current number of SSO account belonging to RIPE NCC members is ~24000 Note: we may or may not help the attacker, depending on whether (s)he is a member of the RIPE NCC or not === 4. Introduction of an artificial delay to users in general, except for a specially designated DNSMON customers (zone operators) group. Authentication is done by RIPE NCC Access (Single Sign-On), authorization is controlled by a vetting process managed by the RIPE NCC. Development effort: moderate (est. more than a couple of developer days) Con: administration overhead is non-trivial -- we'll have to establish and keep tracking who is in the privileged group and who isn't; with people joining/leaving organisations this could be tricky and diverge from reality. Pro: members of the special group have early access to visualisations, others don't Note: people in this special group can come from organisations which may or may not be RIPE NCC members. Note: we may or may not help the attacker, depending on whether (s)he is a member of this group or not Please give us guidance about your your preferred solution by replying to this mail to the list. Regards, Robert Kisteleki RIPE NCC

4 3

Call for joining RSSAC Caucus
by Tripti Sinha 24 Jun '14

24 Jun '14

Dear colleagues, This is a friendly reminder to apply for RSSAC Caucus membership. The cut-off date for first round of membership is end of June, so please kindly submit your statement of interest before 1st of July<x-apple-data-detectors://0> to rssac-membership(a)icann.org<mailto:rssac-membership@icann.org>. On Monday 23rd of June RSSAC had its public session at ICANN 50 and it was announced that the first face to face caucus meeting will be held during IETF 90 in Toronto. Kind regards, Tripti Sinha on behalf of RSSAC Caucus membership committee

1 0

Call for joining RSSAC Caucus
by Tripti Sinha 18 Jun '14

18 Jun '14

Greetings, If you are interested in participating at ICANN's Root Server System Advisory Committee (https://www.icann.org/resources/pages/charter-2013-07-14-en) as a Caucus member, please kindly read the relevant information and Caucus document published at https://www.icann.org/resources/pages/rssac-caucus-2014-05-06-en and submit your statement of interest to rssac-membership(a)icann.org<mailto:rssac-membership@icann.org>. The RSSAC executive is working on publishing the final version of "Procedures documents" and at the moment is establishing the Caucus with a few work items ready to be discussed by the Caucus. If you would like to volunteer please kindly indicate those intentions known by sending an email to rssac-membership(a)icann.org<mailto:rssac-membership@icann.org>. Kind Regards, Kaveh Ranjbar, RSSAC Membership Committee Chair Tripti Sinha, RSSAC Membership Committee Member Paul Vixie, RSSAC Membership Committee Member

1 0

DNSMON changes
by Jim Reid 06 Jun '14

06 Jun '14

Although the WG's response to the NCC's proposal has been disappointing, there have been three statements of support (one with qualifications) and none against. It had been stated that silence implied consent. Since no objections have been raised, the WG has reached a decision that has lightweight consensus. Though not a formal consensus as would be understood in the context of the PDP. Which is OK as this issue is not in PDP territory anyway. Therefore the NCC should proceed as planned and published at: https://labs.ripe.net/Members/romeo_zwart/copy_of_proposed-time-lines-for-p… The points made by Peter and Daniel are worth further discussion and I encourage you all to do that. On one hand, there could be some benefit in providing "backwards compatibility" for visualising old data. OTOH, this may put an unreasonable burden on the NCC by creating an open-ended commitment to support legacy cruft and result in users who can't/won't migrate to the current platform. It would be good for WG members to express their opinions about this. My personal view is somewhere inbetween: provide some way of visualising the old data if that can be done with minimal effort/resources from the NCC on a best efforts, unsupported basis. If that facility later dies, it dies and that's the end of the matter. YMMV.

3 2

indulgence satiated
by manning bill 05 Jun '14

05 Jun '14

Thanks All for taking the time to prod 2001:500:84::b Looks like it is reachable from many places… enough that we will proceed to augment the “B” root server with perhaps the last in a long line of IPv6 addresses that it has had over the last 15 years. Splay will increase over time. /bill /bill Neca eos omnes. Deus suos agnoscet.

4 7

WG comment on DNSMON changes
by Jim Reid 03 Jun '14

03 Jun '14

Colleagues, you might recall that last month the NCC announced a time-line for some changes to the DNSMON service. This was discussed when the WG met in Warsaw last week. In outline, the old service is based on TTM boxes which are due to be retired at the end of June. These are already beyond their anticipated life-span. The new version of DNSMON uses the Atlas probes and is already operational. It is possible some users of DNSMON may need to change their internal tools and processes when transitioning to the new platform if these depend on the data gathering done by the soon-to-die TTM boxes. If this affects you, please speak up now! I would be grateful if you could express your approval or rejection of the NCC's approach and proposed time-line. Details are at https://labs.ripe.net/Members/romeo_zwart/copy_of_proposed-time-lines-for-p…. There was little to no response by the WG to the earlier announcement. This makes both your WG Co-chairs and the NCC staff uncomfortable. After the WG co-chairs and NCC's DNSMON team discussed this last week, we agreed to set the end of this month as the final date for comments. Although we can work on the operating principle that silence implies consent, it would be better for all concerned if there were positive messages of support (or even ones of objection) on the list. Please respond. I'd appreciate it if you can comment on the list to indicate that you approve (or disapprove) of the current proposal and/or time-line. thanks in advance

7 6