Hi!
Thanks for providing dnsmon. I think it's a useful service. Back on 18.07.2003 our own monitoring showed some trouble reaching dns.denic.de. Could be us, could be them. dnsmon gave the answer: it's not only us having the problem, so it's them. ops@denic.de confirmed that the IOS upgrade on their DECIX routers caused the trouble.
Mind adding the nameservers for .ORG to the monitoring? I'd be interested in the effects of the recent change in the root zone. Having only two nameservers for a tld and both of them in a single AS makes me kind of nervous.
Regards, Joerg
PS: http://www.pir.org/news/press_releases/pr_articles/2003-09-08-01
"[...] announced the implementation of a change that enables .ORG names to resolve through web browsers worldwide within 5 minutes [..] This change will enhance the speed of registration/modification-to-resolution of .ORG names to less than 5 minutes, from the previous average of 12-24 hours. [...]"
makes me wonder if they'll also change the ttl of all NS records in the org-zone to 5 minutes somewhere in the near future. Ouch!
-- Gaertner Datensysteme 38114 Braunschweig Joerg Schumacher Hamburger Str. 273a Tel: 0531-2335555 Fax: 0531-2335556
Joerg,
thanks for the encouragement. So far we only monitor domains which we have contacts with and whose administrators have indicated that they are interested in the service. Should the .org folks come forward and indicate interest we will be happy to do that.
Kind regards, Daniel
On 10.09 04:58, Joerg Schumacher wrote:
Hi!
Thanks for providing dnsmon. I think it's a useful service. Back on 18.07.2003 our own monitoring showed some trouble reaching dns.denic.de. Could be us, could be them. dnsmon gave the answer: it's not only us having the problem, so it's them. ops@denic.de confirmed that the IOS upgrade on their DECIX routers caused the trouble.
Mind adding the nameservers for .ORG to the monitoring? I'd be interested in the effects of the recent change in the root zone. Having only two nameservers for a tld and both of them in a single AS makes me kind of nervous.
Regards, Joerg
PS: http://www.pir.org/news/press_releases/pr_articles/2003-09-08-01
"[...] announced the implementation of a change that enables .ORG names to resolve through web browsers worldwide within 5 minutes [..] This change will enhance the speed of registration/modification-to-resolution of .ORG names to less than 5 minutes, from the previous average of 12-24 hours. [...]"
makes me wonder if they'll also change the ttl of all NS records in the org-zone to 5 minutes somewhere in the near future. Ouch!
-- Gaertner Datensysteme 38114 Braunschweig Joerg Schumacher Hamburger Str. 273a Tel: 0531-2335555 Fax: 0531-2335556
[sorry about the useless re-post to dns-wg, finger trouble ....]
On 10.09 04:58, Joerg Schumacher wrote:
... Mind adding the nameservers for .ORG to the monitoring? I'd be interested in the effects of the recent change in the root zone. Having only two nameservers for a tld and both of them in a single AS makes me kind of nervous. ...
Further reflection yielded:
While we so far have only monitored TLDs with whom we have some contact, we can certainly also monitor any TLD if there is an expressed interest from the RIPE community. Technically this is no problem at all. Configuring it takes all of 5 minutes and even the alpha version of the analysis web site on the development server box can easily take the load.
However there is a more principle problem and that is why I copied ncc-services:
Currently there is a heated debate about (new) NCC services and their cost. One question asked over and over again there is: Why should NCC members pay for this service? For dnsmon my answer is that they are interested in seeing the data, just like Joerg; they are also interested that the data is collected professionally and neutrally, so that they can point all sorts of people to it. Most importantly they can use it to take action if TLD service, a service vital to their business, should not be adequate. So very generally this data helps to keep the DNS stable in a number of ways; that benefits the whole community in general and the RIPE NCC membership in particular.
However, quite obviously, the TLD administrators concerned also benefit from this data. They can use it directly to monitor their operations. They can also use it in the same way as the NCC membership: they can point third parties to it and say that independent and professional measurements show that they are doing a good job. So why should they not pay a fair share of the cost? So far the TLDs we monitor have agreed informally to do that, once the service becomes fully operational.
I have had a number of questions like Joerg's already for all gTLDs besides .MIL. I see little chance that we can get them all to agree to pay a share of the cost. I also see that the overhead of making agreements with some of the organisations involved can be prohibitive. If there is interest from the RIPE community it is easy to monitor these domains. However it is very difficult to do it for some for free and ask the others to pay. So doing that may lead to a situation where the RIPE NCC membership ends up paying the whole bill. I would actually like that because it makes the measurements even more independent and I would not have to invest time into making agreements with the TLD admins, billing, etc. pp.
But is this acceptable to the RIPE NCC membership in the long run?
Comments please!
Daniel
At 11:17 AM +0200 2003/09/10, Daniel Karrenberg wrote:
So doing that may lead to a situation where the RIPE NCC membership ends up paying the whole bill. I would actually like that because it makes the measurements even more independent and I would not have to invest time into making agreements with the TLD admins, billing, etc. pp.
But is this acceptable to the RIPE NCC membership in the long run?
Comments please!
I'm not a paying member of RIPE NCC, so my views don't count. However, I would like to see this sort of monitoring extended by RIPE NCC to all available TLDs, paid for by RIPE NCC. Indeed, I am moving closer to having my own co-lo, and once I do I plan on setting up my own monitoring tools for all TLDs, for my own purposes. I'll probably extend that to sharing lame delegation data with Rob Thomas, etc.... If you are concerned about the cost, you could place a copyright on the collected data so that re-use for RIPE NCC members does not incur an additional charge, and perhaps allow academic re-use by non-RIPE NCC members to likewise be without fee, but for-profit non-RIPE NCC members would be required to contact you first and arrange to pay a fee if they wanted to reuse the data or the results. At that point, it basically comes down to how much enforcement of the copyright you would want to participate in, and how you could make the fee payment scheme at least cover its own administrative costs. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On 10.09 11:35, Brad Knowles wrote:
... If you are concerned about the cost, you could place a copyright on the collected data so that re-use for RIPE NCC members does not incur an additional charge, and perhaps allow academic re-use by non-RIPE NCC members to likewise be without fee, but for-profit non-RIPE NCC members would be required to contact you first and arrange to pay a fee if they wanted to reuse the data or the results.
The whole point is that a detailed analysis of the data is published for all to see. I cannot see how to apply copyright in this environment. Daniel
Daniel Karrenberg said:
If you are concerned about the cost, you could place a copyright on the collected data so that re-use for RIPE NCC members does not incur an additional charge, and perhaps allow academic re-use by non-RIPE NCC members to likewise be without fee, but for-profit non-RIPE NCC members would be required to contact you first and arrange to pay a fee if they wanted to reuse the data or the results.
The whole point is that a detailed analysis of the data is published for all to see. I cannot see how to apply copyright in this environment.
Quite easily. Something like this: This data is the copyright of RIPE NCC. A non-exclusive licence is granted to RIPE NCC members for their internal use. A non-exclusive licence is granted for use by any person for non-commercial purposes. In both cases there is no charge for use of the data but it must not be re-published without separate agreement. This does not prevent publication of any other work done making use of this data but not including it. All other rights are reserved. [IANAL, but I understand the principles involved. A Dutch lawyer can no doubt make it formally correct.] -- Clive D.W. Feather | Work: <clive@demon.net> | Tel: +44 20 8495 6138 Internet Expert | Home: <clive@davros.org> | *** NOTE CHANGE *** Demon Internet | WWW: http://www.davros.org | Fax: +44 870 051 9937 Thus plc | | Mobile: +44 7973 377646
At 11:46 AM +0200 2003/09/10, Daniel Karrenberg wrote:
If you are concerned about the cost, you could place a copyright on the collected data so that re-use for RIPE NCC members does not incur an additional charge, and perhaps allow academic re-use by non-RIPE NCC members to likewise be without fee, but for-profit non-RIPE NCC members would be required to contact you first and arrange to pay a fee if they wanted to reuse the data or the results.
The whole point is that a detailed analysis of the data is published for all to see. I cannot see how to apply copyright in this environment.
You can apply copyright both to the collection of the data, and to the compilation of the data. Telephone companies publish directories with a certain number of known false entries. If another telephone company comes along and wholesale copies the data, they get the false entries along with the good ones. The copyright owner can then look for the known false entries, and if they see them, then they can prove that the other company illegally copied the data. You wouldn't want to publish any known false entries, but you can still claim copyright on the compilation of the data, and the analysis you apply. That is, if you want to. You don't have to. But this would be one potential way to allow people who should have free access to the data to do so, while also requiring those who can afford it to pay their fair share.
-- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
At 11:17 AM 10-09-03 +0200, Daniel Karrenberg wrote: My view: RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR is willing to endorse. -Hank
[sorry about the useless re-post to dns-wg, finger trouble ....]
On 10.09 04:58, Joerg Schumacher wrote:
... Mind adding the nameservers for .ORG to the monitoring? I'd be interested in the effects of the recent change in the root zone. Having only two nameservers for a tld and both of them in a single AS makes me kind of nervous. ...
Further reflection yielded:
While we so far have only monitored TLDs with whom we have some contact, we can certainly also monitor any TLD if there is an expressed interest from the RIPE community. Technically this is no problem at all. Configuring it takes all of 5 minutes and even the alpha version of the analysis web site on the development server box can easily take the load.
However there is a more principle problem and that is why I copied ncc-services:
Currently there is a heated debate about (new) NCC services and their cost. One question asked over and over again there is: Why should NCC members pay for this service? For dnsmon my answer is that they are interested in seeing the data, just like Joerg; they are also interested that the data is collected professionally and neutrally, so that they can point all sorts of people to it. Most importantly they can use it to take action if TLD service, a service vital to their business, should not be adequate. So very generally this data helps to keep the DNS stable in a number of ways; that benefits the whole community in general and the RIPE NCC membership in particular.
However, quite obviously, the TLD administrators concerned also benefit from this data. They can use it directly to monitor their operations. They can also use it in the same way as the NCC membership: they can point third parties to it and say that independent and professional measurements show that they are doing a good job. So why should they not pay a fair share of the cost? So far the TLDs we monitor have agreed informally to do that, once the service becomes fully operational.
I have had a number of questions like Joerg's already for all gTLDs besides .MIL. I see little chance that we can get them all to agree to pay a share of the cost. I also see that the overhead of making agreements with some of the organisations involved can be prohibitive. If there is interest from the RIPE community it is easy to monitor these domains. However it is very difficult to do it for some for free and ask the others to pay. So doing that may lead to a situation where the RIPE NCC membership ends up paying the whole bill. I would actually like that because it makes the measurements even more independent and I would not have to invest time into making agreements with the TLD admins, billing, etc. pp.
But is this acceptable to the RIPE NCC membership in the long run?
Comments please!
Daniel
On 10.09 12:18, Hank Nussbacher wrote:
RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR is willing to endorse. -Hank
I like the principle. However .... How would this endorsement be determined? Doing it simple-mindedly potentially leads to a *very* long list of domains to monitor, and not only (cc)TLDs. Daniel
Daniel Karrenberg wrote:
On 10.09 12:18, Hank Nussbacher wrote:
RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR is willing to endorse. -Hank
I like the principle. However ....
How would this endorsement be determined?
Doing it simple-mindedly potentially leads to a *very* long list of domains to monitor, and not only (cc)TLDs.
my 0.02 EUR: So what about monitoring the (cc)TLDs as a Service paid by the Membership, since these are the most relevant for the stability of the net, and sell it for 2+ Level domains?
Best regards, uk
--
Ulrich Kiermayr
Zentraler Informatikdienst der Universitaet Wien, Network Security
Universitaetsstrasse 7, 1010 Wien, Austria
eMail: ulrich.kiermayr@univie.ac.at Tel: (+43 1) 4277 / 14104
Hotline: security.zid@univie.ac.at Fax: (+43 1) 4277 / 9140
Web: http://www.univie.ac.at/zid/security.html
GPG Key fingerprint = BF0D 5749 4DC1 ED74 AB67 7180 105F 491D A8D7 64D8
At 11:36 AM 10-09-03 +0200, Daniel Karrenberg wrote:
On 10.09 12:18, Hank Nussbacher wrote:
RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR is willing to endorse. -Hank
I like the principle. However ....
How would this endorsement be determined?
Each LIR would be entitled to one ccTLD to be monitored. Most won't need it. Assuming there are about 50 countries in the RIPE area, and about 3500 LIRs, I am sure that one can find a LIR to support a ccTLD to be monitored. That means that the other countries in ARIN/APNIC/LACNIC would have to fund their own service. -Hank LIR: il.iucc
Doing it simple-mindedly potentially leads to a *very* long list of domains to monitor, and not only (cc)TLDs.
Daniel
On 10.09 16:48, Hank Nussbacher wrote:
At 11:36 AM 10-09-03 +0200, Daniel Karrenberg wrote:
... How would this endorsement be determined?
Each LIR would be entitled to one ccTLD to be monitored. Most won't need it. Assuming there are about 50 countries in the RIPE area, and about 3500 LIRs, I am sure that one can find a LIR to support a ccTLD to be monitored. That means that the other countries in ARIN/APNIC/LACNIC would have to fund their own service.
Now this *is* simple-minded: The end-game is that we monitor all TLDs because there are less TLDs than RIPE NCC members and there will be some of them interested in TLDs outside the RIPE region and many of them will be interested in some gTLDs. Next we will get questions about 2nd level domains. Try again. Hint: One might establish a ranking and set a monitoring capacity. Daniel
On 10.09 12:18, Hank Nussbacher wrote:
RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR is willing to endorse. -Hank
I like the principle. However ....
How would this endorsement be determined?
You offer the service only to members, so if a name server operator wants this service they sign up as a member. You probably should add a new billing category for this. But that should be simple following the last AGM.
Doing it simple-mindedly potentially leads to a *very* long list of domains to monitor, and not only (cc)TLDs.
Doing it this way the list will never be longer than your membership list. -hph
RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR is willing to endorse.
as a lot of folk, whose primary mission it is, monitor, it is not clear to me why the ncc monitors at all. the philosophy that the ncc should provide all the services that we use devolves into ncc making shoes and shirts for us all too. the net works on decentralization and distributed cooperation and trust. time and again, centralization has been sub-optimal or failed. randy
"Daniel" == Daniel Karrenberg <daniel.karrenberg@ripe.net> writes:
Daniel> But is this acceptable to the RIPE NCC membership in the long run?
Speaking as a non-member of RIPE NCC, I say no. It's not acceptable. To be honest Daniel, I think your mail indicates the way RIPE NCC seems to have lost sight of its raison d'etre. Why is an RIR -- whose main (only?) job is to hand out IP addresses and AS numbers -- getting into other areas that are clearly outside its core business? ARIN and APNIC are providing that core service to their regions with a fraction of the staff that the NCC has. IMO, there must be complete transparency about non-core activities at the NCC. These things should be seen to be self-funding or else making a profit to reduce the costs of the core services and/or membership fees. If they're not, there will be a suspicion that it's the other way round. ie Income from the NCC's monopoly operations are cross-subsidising these non-core activities. That will eventually come to the attention of the anti-competition people in Brussels. This will be a Very Very Bad Thing since there are voices in governments and the Commission who are looking for a pretext to regulate this uncontrolled "Internet thing". Now I know you'll say that NCC does these other things as "a benefit to the community" and "the membership has approved them". I'm not so sure that either of these things are really true. Has a majority of the *membership* -- not those who turn up for the AGM or take the time to vote -- ever approved the activity plan? Has the activity plan ever said something like "non-core activity X costs Y. If it is dropped, the membership fees can be reduced by Z. Do you want to pay for X?"? Now I don't doubt that these non-core activities are a benefit to the community. But perhaps only in the short-term. If the NCC does these things "for free", it makes it almost impossible for others to enter the market. It also undervalues the service being provided. In the long run, this is very, very bad. Take DNS hosting for instance.
RIPE NCC provides free service to any TLD that asks. That's fine for poor countries with weak infrastructure. Nobody should dispute that helping them is a good and noble thing and that NCC should be doing that. But serving anyone else means those TLDs are conditioned into getting something for nothing. They get into a mindset that they shouldn't have to pay for DNS service or arrange proper contracts, set up SLAs, put servers in decent IXPs, etc. In short, they don't need to take their responsibilities seriously. That has to be a Very Bad Thing in the long run. Then there's the issue about having so much important DNS stuff on ns.ripe.net. That's a Very Bad Thing too, though I know you disagree with me on this. Here's another example of how NCC crossed the line IMO. The NCC was involved in the development of NSD. Fair enough, you might think. The gene pool of DNS software is too small. So having another DNS implementation is good, so this was/is a benefit to the community. However one of the NCC's members -- my former employer, Nominum -- was/is selling its own DNS implementation. So Nominum's money in membership fees was and is used to fund the NCC to develop software that competed with and undercut Nominum's product. This cannot be right. [As it turns out Nominum doesn't consider NSD to be a credible competitor or a revenue threat to its software, but that's another story.] There may well be further examples of this sort of thing in the other non-core activities of RIPE NCC. Why would anyone pay for a place on my DNSSEC training course (if I was selling one) when NCC is offering their course for free? I fear that your plans for DNS monitoring will similarly distort the market. Firstly, potential customers -- TLDs, regulators, etc -- will expect to get this type of service for free instead of paying for it as they really should. Secondly, it will prevent commercial operators, some of whom could well be NCC members, from providing this kind of service. 
Who can compete with free? That brings up the concerns about monopolies and cross-subsidies again. Thirdly, this service could become a bottomless pit for NCC resources. What are the current and projected costs and how are they covered? Fourthly, it's an example of NCC extending itself well beyond its core function. Finally, incrementally adding these sorts of non-core services doesn't just entrench the NCC monopoly: it embraces and extends it. Another point. The internet and telecommunications industry has been suffering in the last few years. Budgets have been cut and companies have downsized or gone bust. At this time NCC should be seen to be tightening its belt, not adding new non-core activities. This rant probably doesn't belong in dns-wg. Followups should go somewhere else: the NCC services list perhaps?
Jim, [I agree it would be better to have this discussion (again) in ncc-services. I have copied it there and encourage people to reply there only.] I could write a reply rant about the individual points in your rant but the main difference of opinion we have is about the mission of the RIPE NCC. This mission is broader than just being a RIR: "The mission of the RIPE NCC is to perform activities for the benefit of the membership, primarily activities that the members need to organise as a group, although they may be competing with each other in other areas. While an activity may result in services being provided to an individual member, performing the activity as a whole must benefit the RIPE NCC membership as a group. Membership is open to anyone using the RIPE NCC services. The activities and services of the RIPE NCC are defined, performed, discussed and evaluated in an open manner. In all of its activities, the RIPE NCC observes strict neutrality and impartiality in regard to individual members." Monitoring DNS and gathering Internet statistics has always been a part of these activities from the very first activity plan in 1991. See ftp://ftp.ripe.net/ripe/docs/ripe-035.txt Of course the activities themselves come and go and those that stay change shape. However the NCC is, and has always been, more than a place that just registers numbers. Daniel ------ Ah, well I'll rant back just for the heck of it. My main point is above. read on at your own risk. Rant-Warning: Moderate to Severe from Varying Directions On 10.09 12:01, Jim Reid wrote:
To be honest Daniel, I think your mail indicates the way RIPE NCC seems to have lost sight of its raison d'etre. Why is an RIR -- whose main (only?) job is to hand out IP addresses and AS numbers -- getting into other areas that are clearly outside its core business?
See above. The NCC is not getting into them it has been there all the time. It is not the RIPE NCC that is changing but it is *you* proposing a change.
ARIN and APNIC are providing that core service to their regions with a fraction of the staff that the NCC has.
Fraction yes, but not a very small one and not orders of magnitude. Also it appears to me after a quick glance at the ARIN and APNIC web sites that the RIPE NCC fees are very comparable to the fees of the other RIRs, actually slightly lower in many categories.
IMO, there must be complete transparency about non-core activities at the NCC.
I agree completely.
These things should be seen to be self-funding or else making a profit to reduce the costs of the core services and/or membership fees. If they're not, there will be a suspicion that it's the other way round. ie Income from the NCC's monopoly operations are cross-subsidising these non-core activities.
For maximum independence the membership fees should cover all activities.
Now I know you'll say that NCC does these other things as "a benefit to the community" and "the membership has approved them". I'm not so sure that either of these things are really true. Has a majority of the *membership* -- not those who turn up for the AGM or take the time to vote -- ever approved the activity plan?
I beg to disagree. Opener than RIPE NCC and RIPE is hardly possible. If people choose not to participate there is little one can do. One of my major frustrations, past and present.
Has the activity plan ever said something like "non-core activity X costs Y. If it is dropped, the membership fees can be reduced by Z. Do you want to pay for X?"?
This is very hard to do since activities are so interdependent. The budget gives a general idea of the relative sizes though.
Take DNS hosting for instance. RIPE NCC provides free service to any TLD that asks. That's fine for poor countries with weak infrastructure. Nobody should dispute that helping them is a good and noble thing and that NCC should be doing that. But serving anyone else means those TLDs are conditioned into getting something for nothing. They get into a mindset that they shouldn't have to pay for DNS service or arrange proper contracts, set up SLAs, put servers in decent IXPs, etc. In short, they don't need to take their responsibilities seriously. That has to be a Very Bad Thing in the long run. Then there's the issue about having so much important DNS stuff on ns.ripe.net. That's a Very Bad Thing too, though I know you disagree with me on this.
I see your point and I actually agree, but you have to put it into historic perspective too. There were no commercial offerings when we started this and none were expected any time soon. This activity has helped DNS stability enormously over a long period. And what about our rescue of ns.eu.net? As a matter of fact most bigger TLDs are no longer using either. So the market works. We are not marketing or improving it. But does that mean we have to shut this down now? When?
Here's another example of how NCC crossed the line IMO. The NCC was involved in the development of NSD. Fair enough, you might think. The gene pool of DNS software is too small. So having another DNS implementation is good, so this was/is a benefit to the community. However one of the NCC's members -- my former employer, Nominum -- was/is selling its own DNS implementation. So Nominum's money in membership fees was and is used to fund the NCC to develop software that competed with and undercut Nominum's product. This cannot be right. [As it turns out Nominum doesn't consider NSD to be a credible competitor or a revenue threat to its software, but that's another story.]
We needed this to responsibly operate k.root-servers.net in the light of extremely serious concerns about server software diversity combined with the requirement for open source. We have helped with the design because that is the best way to get one's requirements met. We have helped with the testing because we had to test thoroughly anyway before using it on K. So the additional effort was not that big and the Internet is now a safer place. And we have done all this *extremely* openly. You could say that I came close to bragging about it ;-).
There may well be further examples of this sort of thing in the other non-core activities of RIPE NCC. Why would anyone pay for a place on my DNSSEC training course (if I was selling one) when NCC is offering their course for free?
Who is selling DNSSEC courses? The whole point of DISI is to kick-start deployment of something that makes the Internet infrastructure more secure in the absence of clear economic drivers. We have done this before, remember CIDR?
I fear that your plans for DNS monitoring will similarly distort the market. Firstly, potential customers -- TLDs, regulators, etc -- will expect to get this type of service for free instead of paying for it as they really should. Secondly, it will prevent commercial operators, some of whom could well be NCC members, from providing this kind of service. Who can compete with free?
Yes, but is there a market? And can this be done independently and neutrally for a fee? Again we needed this for k.root-servers.net operations.
That brings up the concerns about monopolies and cross-subsidies again. Thirdly, this service could become a bottomless pit for NCC resources. What are the current and projected costs and how are they covered?
My estimate of the incremental cost of developing it so far are about 1-2 weeks of a network engineer, and 5 weeks of a chief scientist. However it is based on the network of test boxes and on the RIPE NCC web presence. How do you account for that? Difficult. We also needed something like this for operating k.root-servers.net responsibly. One could argue that the incremental cost to that is even less. But again: This helps DNS stability and Internet self-regulation. If there is another viable business model to do this at the required quality and neutrality I am all for it. I just do not see that.
of NCC extending itself well beyond its core function. Finally, incrementally adding these sorts of non-core services doesn't just entrench the NCC monopoly: it embraces and extends it.
See above. DNS monitoring is an NCC activity since 1991.
Another point. The internet and telecommunications industry has been suffering in the last few years. Budgets have been cut and companies have downsized or gone bust. At this time NCC should be seen to be tightening its belt, not adding new non-core activities.
The RIPE NCC is another kettle of fish than a commercial company. You need stability and neutrality and that has its price! What if you lean it until it falls over at the most inconvenient time? Talking about fairness: The RIPE NCC does not have stock options either. Yes I have a relatively secure job, but that's because I think the RIPE NCC is important for the Internet in Europe and I chose for it *in good times* when there were *a lot* more interesting offers in terms of remuneration.

Daniel
Daniel Karrenberg <daniel.karrenberg@ripe.net> writes: Hi Daniel,
There may well be further examples of this sort of thing in the other non-core activities of RIPE NCC. Why would anyone pay for a place on my DNSSEC training course (if I was selling one) when NCC is offering their course for free?
Who is selling DNSSEC courses? The whole point of DISI is to kick-start
We do.

I.e. not Autonomica, but Lars-Johan Liman, Patrik Fältström and myself privately teach DNS courses on all levels since years back, including a two day course on DNSSEC.

And, yes, we have had students actually cancel their seats at a scheduled course because RIPE NCC staff came to Stockholm and taught DNSSEC for free.

While I can personally live with that (at least as long as you don't turn up in Stockholm too often ;-) I do think it is a clear example of the difficulties with your position of being effectively a monopoly that wants to do the right thing for the Internet.

Johan

PS. With the Autonomica hat on: we also do DNS monitoring, quite similar to dnsmon, and for exactly the same reasons, i.e. to monitor our various DNS services, i.root-servers.net being one of them. To offset our costs for this we are offering this service on some sort of cost recovery basis to interested parties like TLDs. Obviously even a cheap service will never be able to compete with a free one, especially since the hassle of the billing process will make both parties walk away. And, yes, we are RIPE members, so just as in the Nominum case this is our membership fees working against us.

In the end this is all about education. Everyone needs to understand that there is a cost associated with providing a service. If the service is offered "for free" that is just a metaphor for "someone else is paying for it".
On 10 sep 2003, at 08.15, Johan Ihren wrote:
I.e. not Autonomica, but Lars-Johan Liman, Patrik Fältström and myself privately teach DNS courses on all levels since years back, including a two day course on DNSSEC.
And, yes, we have had students actually cancel their seats at a scheduled course because RIPE NCC staff came to Stockholm and taught DNSSEC for free.
While I can personally live with that (at least as long as you don't turn up in Stockholm too often ;-) I do think it is a clear example of the difficulties with your position of being effectively a monopoly that wants to do the right thing for the Internet.
FWIW, as Johan explicitly says he _personally_ can live with it, let me also say I find this being ok, even though it feels a bit weird when RIPE NCC is competing on the market with a price we can not beat. So, don't come too often ;-)

That said, totally in the world, I think there are not enough people teaching DNS. Or rather, there is an enormous number of people who _should_ take a training course.

paf
And, yes, we have had students actually cancel their seats at a scheduled course because RIPE NCC staff came to Stockholm and taught DNSSEC for free.
This is, in my personal opinion, very unfortunate. While I agree bootstrapping new fundamental internet infrastructure services is a good thing (tm), I think it is very unfortunate that the result of RIPE NCC providing such training for free is that commercial enterprises do not develop this area into a sound business. It is clearer to me that the matter of charging for training should be reconsidered.

-hph
Daniel,
Another point. The internet and telecommunications industry has been suffering in the last few years. Budgets have been cut and companies have downsized or gone bust. At this time NCC should be seen to be tightening its belt, not adding new non-core activities.
The RIPE NCC is another kettle of fish than a commercial company. You need stability and neutrality and that has its price! What if you lean it until it falls over at the most inconvenient time?
There is a big danger in what you say above. Stability yes - but not at any price. The stability is there for the core service of the NCC, to act as a RIR. The rest is benefits that we get on the side. What most people have been asking for is transparency and accountability on why, and to what costs certain projects are done. Saying that this has always been part of the NCC's tasks is not an answer to those questions.

Best regards,
- kurtis -
"Joerg" == Joerg Schumacher <schuma@gaertner.de> writes:
Joerg> Having only two nameservers for a tld and
Joerg> both of them in a single AS makes me kind of nervous.

Indeed. However, don't assume that the number of NS records for a zone is the same as the number (and physical locations) of its name servers. There's a fair amount of anycasting going on.

What is curious is ICANN allowing a TLD to put all its name servers in a single AS. They made the new gTLDs use at least 2. So I would have expected ICANN to apply the same requirement for .org when it was moved from Verisign/NSI.
Jim Reid said:
allowing a TLD to put all its name servers in a single AS. They made the new gTLDs use at least 2. So I would have expected ICANN to apply
As in "info"? No surprise, both RRSets are identical:

info 172800 IN NS tld1.ultradns.net
info 172800 IN NS tld2.ultradns.net
ORG 172800 IN NS tld1.ultradns.net
ORG 172800 IN NS tld2.ultradns.net

-Peter
"Peter" == Peter Koch <pk@TechFak.Uni-Bielefeld.DE> writes:
>> allowing a TLD to put all its name servers in a single AS. They
>> made the new gTLDs use at least 2. So I would have expected
>> ICANN to apply

Peter> As in "info"? No surprise, both RRSets are identical:
Peter> info 172800 IN NS tld1.ultradns.net
Peter> info 172800 IN NS tld2.ultradns.net

Oooh! When .info was started, it used Nominum's GNS hosting service (RIP). ICANN made Nominum use 2 AS's for the /24s it had for that anycast DNS service. It's strange they didn't insist on 2 AS's when the zone moved to UltraDNS. Not only that the addresses for tld[12].ultradns.net are in one /20!
Joerg> Having only two nameservers for a tld and
Joerg> both of them in a single AS makes me kind of nervous.

Indeed. However, don't assume that the number of NS records for a zone is the same as the number (and physical locations) of its name servers. There's a fair amount of anycasting going on.

What is curious is ICANN allowing a TLD to put all its name servers in a single AS. They made the new gTLDs use at least 2. So I would have expected ICANN to apply the same requirement for .org when it was moved from Verisign/NSI.

Note, org isn't the only gtld announced by a single AS. You wouldn't be surprised to hear that that info as well. The other one has another problem: The tld[12] nameservers don't give authoritative answers about nameservers for info.

jaap

dig @tld1.ultradns.net info ns

; <<>> DiG 9.2.2 <<>> @tld1.ultradns.net info ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38910
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;info. IN NS

;; ANSWER SECTION:
info. 86400 IN NS tld2.ultradns.net.
info. 86400 IN NS tld1.ultradns.net.

;; ADDITIONAL SECTION:
tld2.ultradns.net. 86400 IN A 204.74.113.1
tld1.ultradns.net. 86400 IN A 204.74.112.1
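The two observations in the messages above (the dig answer carries no aa flag, and both server addresses fall in one /20) can be checked mechanically; the Python below is an added example, not part of any poster's message. The function names and the /20 threshold are assumptions, the input is re-typed from the quoted dig output, and a shared prefix only hints at a shared origin AS, which needs routing data to confirm.

```python
import ipaddress
import re

# Constructed input: lines re-typed from the dig answer quoted in the thread.
DIG_OUTPUT = """\
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; ANSWER SECTION:
info. 86400 IN NS tld2.ultradns.net.
info. 86400 IN NS tld1.ultradns.net.
;; ADDITIONAL SECTION:
tld2.ultradns.net. 86400 IN A 204.74.113.1
tld1.ultradns.net. 86400 IN A 204.74.112.1
"""

def parse_dig(text):
    """Return (header flags, NS target names, {server name: IPv4 address})."""
    flags, ns_names, addrs = set(), [], {}
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        fields = line.split()
        if line.startswith(";") or len(fields) != 5 or fields[2] != "IN":
            continue  # comment line, blank line, or not a resource record
        if fields[3] == "NS":
            ns_names.append(fields[4].lower())
        elif fields[3] == "A":
            addrs[fields[0].lower()] = fields[4]
    return flags, ns_names, addrs

def covering_network(addresses):
    """Smallest single IPv4 prefix that contains every address given."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    # The highest bit in which min and max differ bounds the shared prefix.
    plen = 32 - (min(ints) ^ max(ints)).bit_length()
    return ipaddress.ip_network(f"{addresses[0]}/{plen}", strict=False)

def audit(text, max_plen=19):
    """List findings; max_plen is an assumed threshold (flag /20 or longer)."""
    flags, ns_names, addrs = parse_dig(text)
    findings = [] if "aa" in flags else ["answer lacks the aa (authoritative) flag"]
    known = [addrs[n] for n in ns_names if n in addrs]
    if len(known) > 1:
        net = covering_network(known)
        if net.prefixlen > max_plen:
            findings.append(f"all {len(known)} server addresses sit in {net}")
    return findings

print(audit(DIG_OUTPUT))
```
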
Having only two nameservers for a tld and both of them in a single AS makes me kind of nervous.
Just because there are two IP addresses only doesn't necessarily mean there are also only two servers/server instances.
makes me wonder if they'll also change the ttl of all NS record in the org-zone to 5 minutes somewhere in the near future. Ouch!
Well, at least they have to learn the effects of RFC 2308 and their current settings in the ORG SOA RR. -Peter
> makes me wonder if they'll also change the ttl of all NS record
> in the org-zone to 5 minutes somewhere in the near future. Ouch!

Well, at least they have to learn the effects of RFC 2308 and their current settings in the ORG SOA RR.

A lot of people need to do that. We (.nl) ourselves also were guilty. Something to put on the agenda for the next meeting?

jaap
Jaap Akkerhuis said:
Well, at least they have to learn the effects of RFC 2308 and their curre
[...]
A lot of people need to do that. We (.nl) ourselves also were guilty. Something to put on the agenda for the next meeting?
yes, definitely. And, although that explicitly does not address TLD zones it's time to update RIPE 203 now. SOA timers are an item for the "DNS quality" work on the "predelegation test basket" as well. -Peter
participants (14)
- Brad Knowles
- Clive D.W. Feather
- Daniel Karrenberg
- Hank Nussbacher
- Hans Petter Holen
- Jaap Akkerhuis
- Jim Reid
- Joerg Schumacher
- Johan Ihren
- Kurt Erik Lindqvist
- Patrik Fältström
- Peter Koch
- Randy Bush
- Ulrich Kiermayr