RIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager

Similar documents
RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

DNS Security. Wolfgang Nagele DNS Services Manager

RIPE NCC Technical Services. Kaveh Ranjbar, Chief Information Officer

DNS Security. Wolfgang Nagele DNS Group Manager

Internet Corporation for Assigned Names & Numbers - Internet Assigned Numbers Authority Update

Introduction to the RIR System. Dr. Nii N. Quaynor

IPv4 depletion & IPv6 deployment in the RIPE NCC service region. Kjell Leknes - June 2010

Module 10. (Reconnaissance Whois and DNS)

RIPE NCC Academic Day. November 2016 Saudi Arabia

IPv6 Allocation and Policy Update. Global IPv6 Summit in China 2007 April 12, 2007 Guangliang Pan

DNSSEC All You Need To Know To Get Started

Database Update. Paul Palse Database Manager, RIPE NCC

Facilitating Secure Internet Infrastructure

RIPE NCC Introduction. Jochem de Ruig Chief Financial Officer

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Migrating an OpenDNSSEC signer (February 2016)

Root Zone DNSSEC KSK Rollover

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Madison, Wisconsin 9 September14

Shifting Sands. PLNOG March Andrzej Wolski Training Department

APNIC & Internet Address Policy in the Asia Pacific

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

RIPE NCC DNS Update. Anand Buddhdev Oct 2016 RIPE 73

RIPE Policy Development & IPv4 / IPv6

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

IPv6 Allocation Policy and Procedure. Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan

APNIC allocation and policy update. JPNIC OPM July 17, Tokyo, Japan Guangliang Pan

Reverse DNS Project Update

How to participate in RIR Policy Development Processes. Louie Lee ASO Address Council ICANN 35 Buenos Aires, Argen8na 24 June 2015

Prepared by Regional Internet Registries APNIC, ARIN, LACNIC and RIPE NCC

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Regional Internet Registries. Statistics & Activities

Regional Internet Registries. Statistics & Activities

Request for Comments: 3172 BCP: 52 September 2001 Category: Best Current Practice

RIPE NCC Status Update

Measuring the effects of DNSSEC deployment on query load

Some Lacunae in APNIC DNS Measurement. George Michaelson CAIDA WIDE Workshop Marina Del Ray 2006

HD Ratio for IPv4. RIPE 48 May 2004 Amsterdam

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

IPv6 Address Allocation and Assignment Policy

Root KSK Roll Delay Update

In the Domain Name System s language, rcode 0 stands for: no error condition.

Root KSK Roll Update Webinar

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

Engineering Report. Mark Kosters

Current Policy Topics A World Wide View

DNSSECfor the Root ZoneIEPG IETF 77 Anaheim, USA March 2010

News from RIPE and RIPE NCC

DNSSEC for the Root Zone. IEPG IETF 77 Anaheim, USA March 2010

Root KSK Roll Delay Update

IPv6 Addressing Status and Policy Report. Paul Wilson Director General, APNIC

IPv6 Allocation Policy and Procedure. Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan

Domain Name System (DNS)

RIPE Network Coordination Centre. IPv6 at RIPE NCC. Mark Dranse Erik Romijn

IPv6 Deployment and Distribution in the RIPE NCC Service Region. Marco Schmidt IP Resource Analyst Monday, 23 April 2012

DNS Related Activities at the RIPE NCC

RIPE NCC Status Report at ARIN. leo vegoda. ARIN X, Oct. 30 Nov. 1, 2002, Eugene, OR.

News from RIPE NCC, RIPE, and IPv6. Vesna Manojlovic, RIPE NCC ES.NOG / GORE 3, Madrid 11 May 2009

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Begin forwarded message:

DNSSEC for the Root Zone. IETF 76 8 November 2009

DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)

IXP Support Initiatives & DNS Programmes at AfriNIC. Nishal Goburdhan Snr. Project Manager - Global Infrastructure AFRINIC

IP version 6. The not so new next IP version. dr. C. P. J. Koymans. Informatics Institute University of Amsterdam.

RIPE Network Coordination Centre. IPv6 at RIPE NCC. Erik Romijn. Erik Romijn. Tuesday, June 9, 2009

Rolling the Root. Geoff Huston APNIC Labs March 2016

A Policy Story - IPv4 Transfer. TWNIC OPM 26, Taipei 14 December 2016 George Kuo, Services Director

AfriNIC 14 Shared cctld DNSSEC Signing Platform June 9, 2011 Bill Woodcock Research Director Packet Clearing House

APNIC Update. Elly Tawhai Senior Internet Resource Analyst/Liaison Officer, APNIC PacNOG

Feedback from RIPE NCC Registration Services. Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam

RIPE NCC DNS Update. K-root and DNSSEC. Anand Buddhdev October 2018 RIPE 77

FIRMS: a Future InteRnet Mapping System


Engineering Status Report. Mark Kosters

Tyre Kicking the DNS. Testing Transport Considerations of Rolling Roots. Geoff Huston APNIC

RIR Update. A Joint Presentation Prepared By APNIC, ARIN, RIPE NCC. 17 March 2002 IEPG - Minneapolis

Measuring IPv6 Deployment

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Internet Numbers Introduction to the RIR System

RPKI Trust Anchor. Geoff Huston APNIC

K-Root Nameserver Operations

That KSK Roll. Geoff Huston APNIC Labs

Internet Governance & Current Internet Eco-system. Filiz Yilmaz SNE Colloquium, University of Amsterdam September 2016

Monitoring DNSSEC, not everything is perfect, yet

Have We Reached 1000 Prefixes Yet?

RIPE NCC Status Update

Managing the Root KSK Rollover, Step by Step for Operators

THE BRUTAL WORLD OF DNSSEC

Update from the RIPE NCC

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017

Report from the RIPE NCC. Axel Pawlik. RIPE 50, 2-6 May 2005, Stockholm.

Implementing the Global Policy for Post Exhaustion IPv4 Allocation Mechanisms by the IANA

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

APNIC Status Report. LACNIC III Mexico City 11 November 2002

Transcription:

RIPE NCC DNS Update Wolfgang Nagele DNS Services Manager

DNS Department Services Reverse DNS for RIPE NCC zones Secondary for other RIRs K-root F-reverse (in-addr.arpa & ip6.arpa) Secondary DNS for cctlds ENUM Tier-0 (e164.arpa) AS112 node at AMS-IX (RFC1918 space sink) 2

Anycast Cluster (AS197000) Two anycast instances operational London (LINX) & Amsterdam (AMS-IX) Production for critical zones in-addr.arpa (Reverse IPv4 parent zone) ip6.arpa (Reverse IPv6 parent zone) IPv4 and IPv6 reverse parent zones Primary for RIPE NCC Secondary for other RIRs RIPE NCC forward zones (ripe.net, etc.) 3

F-reverse Serves in-addr.arpa and ip6.arpa According to RFC5855 (BCP) Servers operated by ARIN, APNIC, AfriNIC, LACNIC, RIPE NCC, ICANN 4

New Provisioning System Production since January 2011 Using dynamic updates to allow near real-time updates Upcoming features: ERX provisioning equal to other space Support for RFC2317 delegation (< /24 Assignments) Simplified delegation checker 5

DNSSEC Outages: The Ugly Encountered a bug during KSK rollover Signature over DNSKEY set missing Affected e164.arpa on 15 February 2011 Vendor could not reproduce the problem and concluded that high load on system caused it 6

DNSSEC Outages: The Bad Second outage on 14 April 2011 Affected ripe.net and 0.a.2.ip6.arpa Same exact problem no high system load 7

DNSSEC Outages: The Good Gathered enough data to reproduce the bug Awaiting release with bug fix before our next rollover Called for broad work on a safeguard Spurred interest from others (SIDN, AFNIC, DENIC, ) Initial work on a DNSSEC verification proxy started Coordination on the DNSSEXY mailinglist http://nlnetlabs.nl/mailman/listinfo/dnssexy 8

DNSSEC: Signed Parents 9

DNSSEC: Signed Parents (By Fall 2011) 10

DNSSEC in Reverse DNS DS records over time 11

K-root Operations stable with 18 instances 12

F-reverse (in-addr.arpa) Operations stable with 2 instances 13

F-reverse (ip6.arpa) Operations stable with two instances 14

K-root IPv6 Queries per second received over IPv6 15

K-root and TCP Queries per second received over TCP 16

Future Plans: Analysis Extend operational analysis and monitoring Using scalable infrastructure based on Apache Hadoop Allows near real-time inspection of traffic patterns Continuous data input from our DNS systems AS112, K-root, F-reverse Code to be released on RIPE Labs 17

Future Plans: Anycast Cluster ns.ripe.net Secondary for LIR reverse space Hosts around ~4,500 zones ns-<cctld>.ripe.net Secondary for developing country cctlds Lots of communication with all the cctlds involved 18

Future Plans: Provisioning For < /24 Zones Currently done manually on request Will integrate into automated provisioning Create a domain object in RFC2317 format Example" 192.0.2.0/25 = domain: 0-128.2.0.192.in-addr.arpa 19

Dash Notation in Reverse DOMAIN Proposal sent to mailing list Drop current dash - syntax and expansion from third octet (1-100.2.10.in-addr.arpa) Causes problems with DNSSEC Allow dash in fourth octet for classless delegations (6-25.1.2.10.in-addr.arpa) Stored in RIPE Database with dash Expansion done by DNS provisioning 20

AP57.2: Cleanup Forward Domain Data Started with domain objects in the RIPE Database for 43 cctlds Three are still actively using the RIPE Database All three working on alternative solutions 40 deleted TLD object with all sub-domains Users cannot create new TLD objects Syntax will be changed when last three deleted 21

Questions? wnagele@ripe.net

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback