Hello, Below you find the minutes draft of our meeting during RIPE 21 at Rome. You comments are welcome. - Leonid Yegoshin, LY22 -------------------------------------------------------------- DNS working group Chair: Leonid Yegoshin Scribe: Leonid Yegoshin We discussed agenda points in reverse order due to chair initiative. Leonid Yegoshin proposed to speak about new topics before old ones. 1. Mail routing & DNS - what about network load balancing ? Leonid Yegoshin gave short introduction about network resourse load balancing. The primary purpose of it are to diminish load on server hosts and decrease network traffic. Also it is very unlike then mail from one internal host to another internal host going to neigbour organisation or just country follow a MX record set of destination point. There are some activities to split load on network resourses: - use round-robin in DNS answers (BIND 4.9.3) - use short TTL of A records with recalculation of hosts load (see RFC 1794) - use separate sets of name servers for internal and world nets with different representation of DNS tree. Leonid Yegoshin described yet another decision for network resourse load balancing and gave short overview of experimental version of RU-BIND with "region" Resourse Records. This approach based on diversity of sourse IP addresses of DNS requests and description CIDR-syntax net regions in DNS zone. Some discussion were at this point about problems and dangers of this approach. One question was about caching RR's in high level name servers. Answer was that there is TTL=0 which don't cached but used an any way. Another question was about multiply RR's and it's combination in regions. There is the difference in security goal and load balancing - it is not a way to hide some RR's due to forwarder use. Dmitri Sidelnikov said that it is very dangerous approach - it can increase chaos in Internet and debug problems. Leonid Yegoshin lets take in attention that DNS UDP packet size limit is too small to transfer "region" RR of some providers and can be increased for it. Moreover XFER of "regions" require to change XFER format. Carl Malamud suggest Leonid Yegoshin to write RFC draft about it. This suggestion was supported by somebody else. Leonid Yegoshin final question "how many providers are interesting in network resourse load balancing" was remained without definite answer but there was opinion that it will be interesting. 2. DNS & network security (incl DNS security itself) The question "why is it need?" was clear. Commercial server providing require the relayable check of client source domain name (as another information in DNS). No objection was against this point expounded by Leonid Yegoshin. Now there are three ways to check it: - reverse domain check. It is very popular but in general case it is very simple to crash by experienced hacker. Moreover it is crashed time-to-time by some BIND bugs. - Source Responsibility Check (in RU-BIND, ftp://ftp.kiae.su/) or VALIDITY option in BIND 4.9.3. It accept RR's the only from responsible name server, not from arbitrary source. It is powerfull feature but unfortunately it is not work (yet?) in 4.9.3 - some comment exists that VALIDITY is not fully debugged. And it can't protect packet spoofing. - cryptographic sign of DNS exchange. There is RFC draft from DNSSEC WG of IETF for it. Some discussion was started from this point about situation in different countries with cryptography and electronic sign. - Russia (Dmitri Sidelnikov, Leonid Yegoshin cont.) forbidden by default, but license can be obtained from goverment body. Unfortunately it is already clear that the only methods from Russian FAPSI would be licensed (FAPSI is Federal Agency for Goverment Communication and Information). There is the difference between encryption and electronic sign in FAPSI policy, but it is unclear yet. Also the reality is the only FAPSI methods would be used as proof in court - all cryptoanalitic experts are FAPSI experts. - NL (Rob Blokjil) - draft to forbidden was rejected now. - France (Francis Dupont) - forbidden. Electronic sign is legal the only after announce the partners name for message exchange. No any proposal or decision for Europe was done yet about DNS electronic sign. It is obvious that there is very difficult political problem. I think that addition mail discussion is need about situation. Also it is important due to IPv6 authentication & encryption options. 3. What is need to keep in RIPE DB about DNS ? There was not very long discussion about agenda point. There is the objection against keeping information in two places - RIPE DB and DNS. Moreover Piet Beertema has the strong objection against the hold any information about DNS in RIPE DB which was repated in his mail to dns-wg after WG meeting. Nobody insist on holding. After short discussion how we can find in DNS tree the phone/fax and other (TXT records was again proposed for that) David Kessens was offered to propose "something" about distributed access to info (in offline, after meeting). Nobody said anything about separation the organisation and interorganisation domains. 4. What about primary/secondary disposition ? Net failure & DNS - where is the level of backup, what connectivity lost is essential for the European nets ? This topics was discussed together due to lack of time. France and some other time-to-time meet strange problems with root name server access. Discussion about influence of short UDP packet size problem and long root DNS list started. Carl Malamud said what root name servers are need to re-establish near *IX and it can help the problem. Leonid Yegoshin suppose to investigate problems with DNS failure to find the reasons (by himself) in offline. Any provider who has unexplained DNS problem is suggested to contact him about study. 5. After WG meeting. Some talks at lunches found yet another problem with current DNS in CIDR environment - reverse domains for Very Small Enterprises. Now in-addr.arpa standart has minimum 256 hosts in a single zone, and it is an uncomfortable maintenance with VSE. If DNS would be changed some way can be found to decide this large limit.