[as112-ops] Extensible AS112 Service

Aleksi Suhonen as112-ops at trex.fi
Mon Jun 6 03:53:50 UTC 2011


Hello,

On 05/13/11 16:02, William F. Maton wrote:
> Since there seems to be as of late an appetite to consider all things
> AS112, I wanted to float this draft here with fellow operators before
> popping this at the IETF submission queue. Most of it is lifted directly
> from draft-michaelson-as112-ipv6 given that it serves as a nice
> template. It still needs polishing, so forgive the grammar and style,
> but I wanted to have some as112-ops peer review first. Comments
> appreciated. I'm thinking about RFC 2606, but perhaps I'm pushing my luck.

Looks good, and RFC2606 is OK as well in my opinion.

The mismatch with the fact that more and more zones are considered for 
AS112 and the fact that AS112 operators might not actually be active and 
create new authoritative zones on their nodes as they are delegated is 
causing some uneasiness among the natives. The feared end result is lame 
delegations for invalid zones, which of course should be irrelevant just 
as long as the load is off the crucial infrastructure. However, I do 
sympathise with the people who'd like to do things right.

I'd like to propose that we fix the issue in one fell stroke so that 
changes to AS112 nodes' configuration should never be needed again:
Change the way that the delegations for AS112 zones are made to DNAMEs.
(See http://tools.ietf.org/html/rfc2672 )

Instead of the current NS records:

168.192.in-addr.arpa.  IN NS      blackhole-1.iana.org.
168.192.in-addr.arpa.  IN NS      blackhole-2.iana.org.
10.in-addr.arpa.       IN NS      blackhole-1.iana.org.
10.in-addr.arpa.       IN NS      blackhole-2.iana.org.
... and so on ...

We'd have the following DNAME records:

168.192.in-addr.arpa.  IN DNAME   168.192.in-addr.arpa.empty.as112.net.
10.in-addr.arpa.       IN DNAME   10.in-addr.arpa.empty.as112.net.
... and so on ...

And AS112 nodes would only need to configure one zone "empty.as112.net."
If that particular zone name is objectionable then we can use something 
else, such as "empty.iana.org", or we can hijack one of the target zones 
for AS112, such as "example.net" if we adopt RFC2606 as well.

This way we can keep adding new zones to AS112 without much hassle and 
the AS112 nodes can still gather stats for the new zones. For example a 
query for 10.1.2.3 reverse mapping would show up as:

3.2.1.10.in-addr.arpa.empty.as112.net.   IN PTR ?

If I've understood correctly, this would make efforts to add DNSSEC to 
AS112 a whole lot simpler too, because there would only be one DNSSEC 
delegation path. The DNAMEs would only exist - and be signed at - the 
upper level zone. As opposed to: Each zone delegated with normal NS 
records would have its own DNSSEC sign path.

If there is concern that support for DNAMEs might not be universal, I 
suppose we can have the NS delegations there as well, as backup but 
pointing to same (lame) servers. At least RFC2672 doesn't forbid that.

How does this sound?

-- 
	+358 4567 02048 / http://www.trex.fi/
	Aleksi Suhonen / TREX  Tampere Region Exchange Oy


More information about the as112-ops mailing list