[dns-operations] iVenue and CommunityDNS.

Thu Mar 24 18:12:53 UTC 2011

"68%" was a conservative estimate (by size) of the number of top level 
name we have authoritative information on - see below. The vast majority 
of which comes from an agreement directly with the zone operator.

Our unique update mechanism means that we can keep all this data 
up-to-date over very low bandwidth connections allowing places, such as 
Lagos, to have a local copy of the DNS authoritative data which has 
significantly improved the resilience of their local DNS resolution.

We also host their zones at no cost, giving them the resilience of 
anycast, which they might otherwise not have access to. Currently, apart 
from some strange mis-configurations Roy refers to, nobody looks to us 
for authoritative information unless specified to do so in the public 
DNS tree - we are currently authoritative in the ROOT zone for 26 TLDs 
on IPv4 and 22 on IPv6.

We are also authoritative a few reverse and a few hundred thousand 
second level domains.

We run our own proprietary DNS software that has been tested up to 500 
million names and has achieved ~380Kq/s on a 2.8Ghz dual-core PC costing 
~$300. We typically see an overhead of ~10% for NSEC3 and ~8% for NSEC 
(compared to DO=0, same queries, on the same zone).

A demo of our platform running COM, NET, ORG, INFO, BIZ, MOBI, ARPA and 
various other TLDs can be found at "test.cdns.net" (v4 & v6)

Currently our platform serves all the TLD data from a single instance - 
the reason for doing this is historic. Our registrars are all run in 
their own instances.

In a few cases zone information is gathered from an authoritative name 
server with XFR open. Clearly Nominet are technically capable enough to 
switch this off if they prefer, it is their choice to provide public XFR 
on their top level zone on all its name servers. To then subsequently 
complain that people access it seems, at best, a little churlish.

The zone was originally obtain for research into DNSSEC, it was an error 
that it has not been kept up-to-date, this has been corrected. Thank you 
Roy for pointing this out.

 From that I can see, the only thing incorrect in the old zone was the 
SOA serial number and the RRSIGs. So a verifying resolver would have 
discarded the data as unverifiable and an non-verifying resolver would 
have worked correctly with the data it was given - assuming that 
"somehow" someone has their name server configured to look to us for 
authoritative UK data !?!??!?!?

Of course, with a signed zone, it should make little difference from 
whom the authoritative data comes, as it is now cryptographically 
verifiable, so can be trusted much more than the old level of trust of 
"I [think / hope / believe / suspect] it came from Nominet"

To clarify, we have never been contacted by anybody at Nominet to 
request that we change in anyway what we have been doing.

I understand Roy spoke to Paul Kane last week in San Francisco, giving 
him ample & ideal opportunity to raise this issue if is was of such 
grave concern. Of course, this is no doubt one of many conferences at 
which both Roy & Paul have both been present.

> They are well-known, their CEO can even reboot the Internet :
>
> http://www.telegraph.co.uk/technology/internet/7914153/Briton-holds-key-to-the-internet.html

Clearly, raising awareness of DNSSEC, and the issues surrounding it, is 
important and it is the responsibility of all of us within the DNS space 
to do this - especially the key holders.

I'm sure you all know full well Paul is perfectly aware you can't use a 
single smart card to "reboot the internet".