Future of DNS, DNSSEC, country code delegations, etc.

Will Mitayai Rowe mitayai at gmail.com
Wed Feb 26 21:22:52 UTC 2014

I've been honoured to have the responsibility of maintaining a CC domain
for many years, but i can see the value in central management and have no
arguments against Peter's proposal


On Tue, Feb 25, 2014 at 3:52 AM, Peter Wemm <peter at wemm.org> wrote:

> We (with clusteradm@ hat on) have been looking at another round of broken
> mirrors, delegated DNS servers that have gone lame/missing, subzones that
> have gone missing. wwwN.freebsd.org / wwwN.cc.freebsd.org that now point
> to
> Ubuntu or Microsoft IIS pages, stale/missing ftp mirrors etc.
> (by "cc" I mean country codes - "us", "eu", "au", "ru", etc.. I am not
> picking on anyone in particular)
> One of the problems we've been hitting is that *.cc.freebsd.org was
> originally set outside of the core project infrastructure.  When they go
> stale and the volunteers who originally set it up go missing, the data
> simply disappears and is lost.  In retrospect, this was a mistake.
> As things stand today, more than half of the original *.cc.freebsd.org
> subzones have been lost.  An uncomfortable number of the remaining records
> are tragically stale.
> There's also the DNSSEC and ipv6 reachability question.  Many of our
> cc.freebsd.org zones are ipv4-only and only one has DNSSEC signatures.
> The question of what to do about it have come up many times inside
> clusteradm@/dnsadm@ and ideas have bounced around ranging from extremes
> like
> simply abandoning the whole *.cc.freebsd.org idea, through just taking
> them
> back, or simply letting them die  and quietly deleting them when they go
> stale.
> I'm leaning towards a middle ground.  My preferred option at this point is
> to take the zones back so that we have a copy of the data within the core
> infrastructure, and switch to a regional coordinator model.  We kind of
> already have this, except when current regional coordinators move on, we
> tend to lose the data.
> What I'm talking about is something like this..
> As they stand now, in the parent dns zone:
> ; zone cc email for <person at univerity.edu.cc> MIA april 2008, data lost
> ; zone cc email for <person at somecompany.cc> email bouncing may 2012
> ; zone cc current contact is <somebody at somedomain.cc>
> cc.freebsd.org. IN NS someserver1.cc.
> cc.freebsd.org. IN NS someserver2.cc.
> And after such a change, it'd be email alias:
> coordinator-cc at freebsd.org:     somebody at somedomain.cc
> .. and we host the records inside the freebsd.org zone.  This coordinator
> will directly arrange with dnsadm@ to update the records in their area.
> They would receive commit messages when records in their area were updated,
> and be reachable via coordinator-cc at freebsd.org.
> We (freebsd.org) use ISC's global anycasted ISC-SNS dns servers.  In our
> experience they have excellent coverage around the world so we'd prefer to
> fold the *.cc.freebsd.org zone into the main freebsd.org zone (like
> wwwN.us.freebsd.org and ftpN.us.freebsd.org are right now).  Actual
> sub-zones could be done if there's a regional reachability problem but I
> would rather not unless we absolutely had to.
> Advantages:
>  * We get better continuity and handovers if/when people want to move on.
>  * In theory, we should never lose zone data, contact addresses again.
>  * We still get local regional knowledge and coordination.
>  * 100% DNSSEC coverage and IPV6 connectivity.
> Disadvantages:
>  * There has been resistance and hurt feelings when ideas like this have
> come up in the past.
>  * Loss of independence.
>  * There are residual bad memories from when working with dnsadm@ was
> really
> painful and slow.  (I assure you, this is no longer a problem!)
> Ideally this would be done zone by zone, by contacting the current
> coordinator for obtaining the current zone source, setting up email
> aliases,
> and adopting it into ns0.freebsd.org/ISC-SNS.
> If we can do it this way then we get to preserve notes, comments, history
> etc.  On the other hand, doing a blind zone transfer or scraping/iterating
> through likely records and documented mirrors is far less satisfactory and
> practically begging for hurt feelings.
> We even have a number of zones where we have *no working contact address*
> for the current operator.  I'm sure we can track them down eventually but
> it
> doesn't look good if we have to resort to asking on public mailing lists
> questions like "Does anyone know who runs yy.freebsd.org?"
> Thoughts?  How can we make this work without provoking (too many) ruffled
> feathers?
> --
> Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com;
> UTF-8: for when a ' just won\342\200\231t do.

Mit Rowe
Toronto, Canada
mitayai at gmail.com

More information about the freebsd-hubs mailing list