(DNS WG at #ripe64)
Surfnet signed their main domain in 2010, and immediately ran into trouble with the largest ISP in NL, whose customers could not resolve the .NL zone. The ISP had an ancient firewall that nobody dared touch, and it was blocking UDP fragments. Since the zone is signed, the responses often exceed the MTU. They can see ICMP fragment reassembly time exceeded packets, and thus detect resolvers that don't get fragments. Around 60% of hosts have EDNS0 enabled. About 90% of hosts advertise a 4K buffer size, and only very few have changed their setting to actual measured values. The vast majority set DO=1.
Mitigation: lower the EDNS0 buffer size to 1232, or detect problem hosts dynamically and change the EDNS buffer size only for hosts with known issues. Heuristic approach with 5 rules;
any of these may be an indication of a problem.
They prepared a tool, which will be released as open source, that can modify the EDNS buffer size on incoming requests.
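As an added illustration (not the Surfnet tool and not code from the talk), a Python sketch of the mitigation just described: parse the OPT RR of an incoming query and lower the advertised EDNS0 UDP buffer size to 1232, either for every client or only for a set of addresses already known to have fragment problems. The sample query builder and the client addresses are constructed for this example.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000        # DNSSEC OK flag, carried in the OPT TTL field
SAFE_BUFSIZE = 1232    # reduced buffer size mentioned in the talk

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def find_opt(msg):
    """Return (offset of OPT CLASS field, advertised UDP size, DO flag), or None if no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return off + 2, rclass, bool(ttl & DO_BIT)   # CLASS holds the UDP payload size
        off += 10 + rdlen
    return None

def clamp_edns_bufsize(msg, client, problem_hosts=None, limit=SAFE_BUFSIZE):
    """Clamp the EDNS0 buffer size: for all clients, or only for `problem_hosts` if given."""
    if problem_hosts is not None and client not in problem_hosts:
        return msg
    found = find_opt(msg)
    if found is None or found[1] <= limit:
        return msg                      # no EDNS0, or already small enough
    out = bytearray(msg)
    struct.pack_into("!H", out, found[0], limit)
    return bytes(out)

def build_query(qname, bufsize, do=True):
    """Constructed sample query (QTYPE A) carrying an OPT RR; not a captured packet."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = name + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, DO_BIT if do else 0, 0)
    return header + question + opt
```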
Currently about 2% of customers are unable to cope with DNSSEC signed zones.
82 out of 303 TLDs are signed.
Open source authoritative-only DNS nameserver. Version 1.0 is a testing release; they expect 1.1 to be production ready. They plan to write the documentation soon.
Their benchmarks look very impressive, but they compiled them themselves.
They show much better results from running under FreeBSD than under Debian, regardless of DNS server software.
They have updated documentation and improved issue tracking.
Current recommended version is 1.3, a multithreaded signer. Upgrade from previous versions is easy. They expect 1.3 to be stable for a long time.
1.4 will be released mid-summer, will support AXFR/IXFR, and will increase the memory footprint. They will drop the integrated auditor. The source is still available, but support only for paying customers. (They recommend dnssexy for verification instead.)
2.0 planned for Q4 2012: refactoring the enforcer, support for rollover, support for a combined signing key, support for unsigned zones, incremental transition between NSEC and NSEC3.
Beyond that: database IO, dynamic updates, improved CLI, common API for system integration.
They provide on-site training in various places, and if you come to Stockholm it is free. Complete study material is available for free.
Small probes in various networks that make measurements and report home. The data are available from the RIPE Atlas website after you log in. They are accepting applications for more kinds of measurements. Will soon support filters on probes, like probes in my AS, probes in my country, etc.
Atlas will soon be able to do everything done by DNSMON, and they foresee a future when it replaces DNSMON.
ICANN on how they provision and deploy L root. A long time ago they were limited to one server per RR entry, but with anycast that limitation is gone. It allows servers to come closer to users. That also makes it easier to take malfunctioning servers offline, and it keeps attacks closer to the source, which protects the rest of the cloud from the attack. L root has been anycast since 2007, originally three nodes of ten servers each in a location with a router. So they switched to a large number of small, cheap nodes.
Usually root servers are at IXP locations, but L root is now going into eyeball networks directly. It is a single box solution, which they can roll out as virtual machines operated by PCH (usually 4 virtual machines to match the capacity of one physical server). Currently 90 servers and 150 VMs in almost 100 locations.
They moved from CentOS to Ubuntu, and use Debian package management. Fully automated install, automated administration with Puppet. Can treat the whole cloud as one system with one set of controls.
Puppet is open source IT automation software. Ensures all systems have correct packages and configuration. Single config file per node.
They use DRAC cards for remote setup.
For monitoring: Intermapper. Puppet is well integrated with Nagios, so they will migrate to Nagios for alerts. They use Observium for monitoring; currently that is manually configured.
They monitor traffic with DSC; every server collects stats locally (because DSC cannot support hundreds of servers).