[dns-operations] iVenue and CommunityDNS.
Simon Munton
Simon.Munton at communitydns.net
Thu Mar 24 18:12:53 UTC 2011
"68%" was a conservative estimate (by size) of the number of top level
names we have authoritative information on - see below - the vast majority
of which comes from an agreement directly with the zone operator.
Our unique update mechanism means that we can keep all this data
up-to-date over very low bandwidth connections allowing places, such as
Lagos, to have a local copy of the DNS authoritative data which has
significantly improved the resilience of their local DNS resolution.
We also host their zones at no cost, giving them the resilience of
anycast, which they might otherwise not have access to. Currently, apart
from some strange mis-configurations Roy refers to, nobody looks to us
for authoritative information unless specified to do so in the public
DNS tree - we are currently authoritative in the ROOT zone for 26 TLDs
on IPv4 and 22 on IPv6.
We are also authoritative for a few reverse zones and a few hundred thousand
second level domains.
We run our own proprietary DNS software that has been tested up to 500
million names and has achieved ~380Kq/s on a 2.8GHz dual-core PC costing
~$300. We typically see an overhead of ~10% for NSEC3 and ~8% for NSEC
(compared to DO=0, same queries, on the same zone).
A demo of our platform running COM, NET, ORG, INFO, BIZ, MOBI, ARPA and
various other TLDs can be found at "test.cdns.net" (v4 & v6)
Currently our platform serves all the TLD data from a single instance -
the reason for doing this is historic. Our registrars are all run in
their own instances.
In a few cases zone information is gathered from an authoritative name
server with XFR open. Clearly Nominet are technically capable enough to
switch this off if they prefer; it is their choice to provide public XFR
on their top level zone on all its name servers. To then subsequently
complain that people access it seems, at best, a little churlish.
The zone was originally obtained for research into DNSSEC; it was an error
that it had not been kept up-to-date, and this has been corrected. Thank you
Roy for pointing this out.
From what I can see, the only thing incorrect in the old zone was the
SOA serial number and the RRSIGs. So a verifying resolver would have
discarded the data as unverifiable and a non-verifying resolver would
have worked correctly with the data it was given - assuming that
"somehow" someone has their name server configured to look to us for
authoritative UK data !?!??!?!?
Of course, with a signed zone, it should make little difference from
whom the authoritative data comes, as it is now cryptographically
verifiable, so can be trusted much more than the old level of trust of
"I [think / hope / believe / suspect] it came from Nominet"
To clarify, we have never been contacted by anybody at Nominet to
request that we change in any way what we have been doing.
I understand Roy spoke to Paul Kane last week in San Francisco, giving
him ample & ideal opportunity to raise this issue if it was of such
grave concern. Of course, this is no doubt one of many conferences at
which Roy & Paul have both been present.
> They are well-known, their CEO can even reboot the Internet :
>
> http://www.telegraph.co.uk/technology/internet/7914153/Briton-holds-key-to-the-internet.html
Clearly, raising awareness of DNSSEC, and the issues surrounding it, is
important and it is the responsibility of all of us within the DNS space
to do this - especially the key holders.
I'm sure you all know full well Paul is perfectly aware you can't use a
single smart card to "reboot the internet".
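The stale-copy scenario the post describes (a secondary copy of a signed zone whose SOA serial is behind the primary and whose RRSIGs have expired) is the kind of thing an operator can check mechanically. The script below is an added example written for this page; it is not code from the original post, from CommunityDNS or from Nominet. It compares SOA serials with RFC 1982 serial arithmetic, checks each RRSIG's inception/expiration window against a chosen "now", and reports how a validating resolver would treat the copy. All records are constructed sample data in zone-file presentation format with hypothetical serials, timestamps, key tags and signer names; the zone name "uk." is used only because the thread is about it.

```python
"""Assess whether a secondary copy of a signed zone has gone stale.

Added example, not code from the original post or from CommunityDNS/Nominet.
Records below are constructed sample data in zone-file presentation format
with hypothetical serials, timestamps, key tags and names.
"""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32          # SOA serials are unsigned 32-bit
SERIAL_HALF = 1 << 31         # RFC 1982 comparison threshold


def serial_compare(a: int, b: int):
    """RFC 1982 serial number comparison.

    Returns -1 if a is older than b, 1 if a is newer, 0 if equal, and None
    when the two are exactly 2**31 apart (order undefined per RFC 1982).
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return 0
    diff = (b - a) % SERIAL_MOD
    if diff == SERIAL_HALF:
        return None
    return -1 if diff < SERIAL_HALF else 1


def parse_soa_serial(rr: str) -> int:
    """Serial from an SOA record in presentation format:
    name ttl class SOA mname rname serial refresh retry expire minimum."""
    fields = rr.split()
    idx = fields.index("SOA")
    return int(fields[idx + 3])


def _ts(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rr: str) -> dict:
    """Parse an RRSIG in presentation format:
    name ttl class RRSIG type alg labels origttl expiration inception keytag signer sig."""
    fields = rr.split()
    idx = fields.index("RRSIG")
    return {
        "name": fields[0],
        "type_covered": fields[idx + 1],
        "expiration": _ts(fields[idx + 5]),
        "inception": _ts(fields[idx + 6]),
        "key_tag": int(fields[idx + 7]),
        "signer": fields[idx + 8],
    }


def rrsig_in_validity_window(sig: dict, now: datetime) -> bool:
    """A validator only accepts a signature when inception <= now <= expiration."""
    return sig["inception"] <= now <= sig["expiration"]


def assess_copy(primary_soa: str, copy_soa: str, copy_rrsigs: list, now: datetime) -> dict:
    """Compare a secondary's copy against what the primary publishes now.

    A copy whose serial is behind the primary is stale. A copy with expired
    RRSIGs is "bogus" to a validating resolver (it discards the data); a
    non-validating resolver would still answer from the copy as-is.
    """
    p_serial = parse_soa_serial(primary_soa)
    c_serial = parse_soa_serial(copy_soa)
    sigs = [parse_rrsig(r) for r in copy_rrsigs]
    expired = [s for s in sigs if not rrsig_in_validity_window(s, now)]
    return {
        "primary_serial": p_serial,
        "copy_serial": c_serial,
        "stale": serial_compare(c_serial, p_serial) == -1,
        "expired_rrsigs": [s["type_covered"] for s in expired],
        "validating_resolver": "bogus" if expired else "secure",
    }


# Constructed sample records (hypothetical values; not real zone data).
NOW = datetime(2011, 3, 24, 18, 0, 0, tzinfo=timezone.utc)
PRIMARY_SOA = "uk. 172800 IN SOA ns1.example. hostmaster.example. 2011032401 3600 900 2419200 10800"
COPY_SOA = "uk. 172800 IN SOA ns1.example. hostmaster.example. 2010110500 3600 900 2419200 10800"
COPY_RRSIGS = [
    "uk. 172800 IN RRSIG SOA 8 1 172800 20101120000000 20101106000000 12345 uk. c2lnbmF0dXJl",
    "uk. 172800 IN RRSIG NS 8 1 172800 20101120000000 20101106000000 12345 uk. c2lnbmF0dXJl",
]

if __name__ == "__main__":
    for key, value in assess_copy(PRIMARY_SOA, COPY_SOA, COPY_RRSIGS, NOW).items():
        print(f"{key}: {value}")
```

In practice the two SOA records would come from a query to one of the zone operator's listed name servers and to the secondary under test, and the RRSIGs from the secondary; the comparison logic is the same. Serial arithmetic matters because a serial that has wrapped past 2**32 is newer, not older, than a large value, which a plain integer comparison gets wrong.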