Additional DNS service capacity for ripe.net zone
Dear all,

Over the last year we have seen an increase in the frequency of excessive traffic towards the RIPE NCC DNS infrastructure. Our servers generally absorb peak loads without an impact on our DNS services. However, to be better prepared for extreme traffic floods, we will work with an external party to provide additional DNS service capacity for serving the ripe.net zone.

More detail can be found here:
https://labs.ripe.net/Members/romeo_zwart/update-on-ripe-ncc-authoritative-dns-services?pk_campaign=labs&pk_kwd=list-dnswg

We always welcome your feedback. Please send any comments that you have to: <romeo.zwart@ripe.net> or alternatively post to the list.

Kind regards,
Romeo Zwart
On 7 Apr 2016, at 13:57, Romeo Zwart <romeo.zwart@ripe.net> wrote:
However, to be better prepared for extreme traffic floods, we will work with an external party to provide additional DNS service capacity for serving the ripe.net zone.
Romeo, this is great news!

IMO, “outsourcing” some DNS hosting to complement the NCC’s DNS operations is a Very Good Thing for the reasons you mentioned: more diversity and capacity, extra resilience to withstand DDoS attacks, sharper focus on “core” activities, etc. It should also mean a clearer separation between the NCC’s core DNS (and other key services) and stuff that’s peripheral or irrelevant to the NCC’s mission. That should also reduce the risks from collateral damage.

Have you given any thought to adding a third (anycast?) DNS hosting option? ie

Highest priority: K root
Medium priority: .arpa stuff (and ripe.net?)
Lowest priority: best efforts slave service for deserving ccTLDs

Each of these might or might not include an outsourced component from a reliable DNS hosting provider. Just sayin’...
Dear Jim, dear colleagues,

Apologies for the delayed response.

On 16/04/07 17:25, Jim Reid wrote:
On 7 Apr 2016, at 13:57, Romeo Zwart <romeo.zwart@ripe.net> wrote:
However, to be better prepared for extreme traffic floods, we will work with an external party to provide additional DNS service capacity for serving the ripe.net zone.
Romeo, this is great news!
IMO, “outsourcing” some DNS hosting to complement the NCC’s DNS operations is a Very Good Thing for the reasons you mentioned: more diversity and capacity, extra resilience to withstand DDoS attacks, sharper focus on “core” activities, etc. It should also mean a clearer separation between the NCC’s core DNS (and other key services) and stuff that’s peripheral or irrelevant to the NCC’s mission. That should also reduce the risks from collateral damage.
Have you given any thought to adding a third (anycast?) DNS hosting option? ie
Highest priority: K root
Medium priority: .arpa stuff (and ripe.net?)
Lowest priority: best efforts slave service for deserving ccTLDs
Each of these might or might not include an outsourced component from a reliable DNS hosting provider. Just sayin’...
The model that we currently apply is close to what you pictured above. However, we consider ripe.net more than 'medium' priority, because any problems in serving that zone can potentially have impact on our other services.

K-root is a clear case in terms of priorities and it is at the top of our list. We have recently expanded and revamped it and expect to continue to do so in the coming months, within the limits of planned budgets. Currently we are serving K-root from nearly 40 locations. Working with third parties on K-root currently doesn't extend beyond the “K-root hosted node” model, but we're not excluding other models in the long run.

At the moment we are not considering splitting off the secondary service for ccTLDs onto a separate platform. We don't believe that the engineering work and installation cost involved in deploying a third anycast group warrants the limited added value.

I hope this addresses your question.

Kind regards,
Romeo