Future of DNS, DNSSEC, country code delegations, etc.
Peter Wemm
peter at wemm.org
Tue Feb 25 08:52:50 UTC 2014
We (with clusteradm@ hat on) have been looking at another round of broken
mirrors, delegated DNS servers that have gone lame/missing, subzones that
have gone missing. wwwN.freebsd.org / wwwN.cc.freebsd.org that now point to
Ubuntu or Microsoft IIS pages, stale/missing ftp mirrors etc.
(by "cc" I mean country codes - "us", "eu", "au", "ru", etc.. I am not
picking on anyone in particular)
One of the problems we've been hitting is that *.cc.freebsd.org was
originally set outside of the core project infrastructure. When they go
stale and the volunteers who originally set it up go missing, the data
simply disappears and is lost. In retrospect, this was a mistake.
As things stand today, more than half of the original *.cc.freebsd.org
subzones have been lost. An uncomfortable number of the remaining records
are tragically stale.
There's also the DNSSEC and ipv6 reachability question. Many of our
cc.freebsd.org zones are ipv4-only and only one has DNSSEC signatures.
The question of what to do about it have come up many times inside
clusteradm@/dnsadm@ and ideas have bounced around ranging from extremes like
simply abandoning the whole *.cc.freebsd.org idea, through just taking them
back, or simply letting them die and quietly deleting them when they go stale.
I'm leaning towards a middle ground. My preferred option at this point is
to take the zones back so that we have a copy of the data within the core
infrastructure, and switch to a regional coordinator model. We kind of
already have this, except when current regional coordinators move on, we
tend to lose the data.
What I'm talking about is something like this..
As they stand now, in the parent dns zone:
; zone cc email for <person at univerity.edu.cc> MIA april 2008, data lost
; zone cc email for <person at somecompany.cc> email bouncing may 2012
; zone cc current contact is <somebody at somedomain.cc>
cc.freebsd.org. IN NS someserver1.cc.
cc.freebsd.org. IN NS someserver2.cc.
And after such a change, it'd be email alias:
coordinator-cc at freebsd.org: somebody at somedomain.cc
.. and we host the records inside the freebsd.org zone. This coordinator
will directly arrange with dnsadm@ to update the records in their area.
They would receive commit messages when records in their area were updated,
and be reachable via coordinator-cc at freebsd.org.
We (freebsd.org) use ISC's global anycasted ISC-SNS dns servers. In our
experience they have excellent coverage around the world so we'd prefer to
fold the *.cc.freebsd.org zone into the main freebsd.org zone (like
wwwN.us.freebsd.org and ftpN.us.freebsd.org are right now). Actual
sub-zones could be done if there's a regional reachability problem but I
would rather not unless we absolutely had to.
Advantages:
* We get better continuity and handovers if/when people want to move on.
* In theory, we should never lose zone data, contact addresses again.
* We still get local regional knowledge and coordination.
* 100% DNSSEC coverage and IPV6 connectivity.
Disadvantages:
* There has been resistance and hurt feelings when ideas like this have
come up in the past.
* Loss of independence.
* There are residual bad memories from when working with dnsadm@ was really
painful and slow. (I assure you, this is no longer a problem!)
Ideally this would be done zone by zone, by contacting the current
coordinator for obtaining the current zone source, setting up email aliases,
and adopting it into ns0.freebsd.org/ISC-SNS.
If we can do it this way then we get to preserve notes, comments, history
etc. On the other hand, doing a blind zone transfer or scraping/iterating
through likely records and documented mirrors is far less satisfactory and
practically begging for hurt feelings.
We even have a number of zones where we have *no working contact address*
for the current operator. I'm sure we can track them down eventually but it
doesn't look good if we have to resort to asking on public mailing lists
questions like "Does anyone know who runs yy.freebsd.org?"
Thoughts? How can we make this work without provoking (too many) ruffled
feathers?
--
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
UTF-8: for when a ' just won\342\200\231t do.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-hubs/attachments/20140225/be20c326/attachment.sig>
More information about the freebsd-hubs
mailing list