draft-ietf-dnsop-as112-ops-00.txt   draft-ietf-dnsop-as112-ops-01.txt 
Network Working Group J. Abley Network Working Group J. Abley
Internet-Draft Afilias Canada Internet-Draft Afilias Canada
Intended status: Informational W. Maton Intended status: Informational W. Maton
Expires: August 30, 2007 NRC-CNRC Expires: May 19, 2008 NRC-CNRC
February 26, 2007 November 16, 2007
AS112 Nameserver Operations AS112 Nameserver Operations
draft-ietf-dnsop-as112-ops-00 draft-ietf-dnsop-as112-ops-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 30, 2007. This Internet-Draft will expire on May 19, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
Many sites connected to the Internet make use of IPv4 addresses which Many sites connected to the Internet make use of IPv4 addresses which
are not globally unique. Examples are the addresses designated in are not globally unique. Examples are the addresses designated in
RFC1918 for private use within individual sites. RFC1918 for private use within individual sites.
skipping to change at page 7, line 29 skipping to change at page 7, line 29
software is not running. software is not running.
3.4. Routing Software 3.4. Routing Software
AS112 nodes signal the availability of AS112 nameservers to the AS112 nodes signal the availability of AS112 nameservers to the
Internet using BGP [RFC4271]: each AS112 node is a BGP speaker, and Internet using BGP [RFC4271]: each AS112 node is a BGP speaker, and
announces the prefix 192.175.48.0/24 to the Internet with origin AS announces the prefix 192.175.48.0/24 to the Internet with origin AS
112 (see also Section 2.2). 112 (see also Section 2.2).
Suitable choices of free software to allow hosts to act as BGP Suitable choices of free software to allow hosts to act as BGP
speakers include: speakers include, but are not limited to:
o OpenBGPD [1] o OpenBGPD [1]
o The Quagga Routing Suite [2] o The Quagga Routing Suite [2]
o GNU Zebra [3] o GNU Zebra [3]
The examples in this document are based on Quagga. The examples in this document are based on Quagga.
The "bgpd.conf" file is used by Quagga's bgpd daemon, which provides The "bgpd.conf" file is used by Quagga's bgpd daemon, which provides
skipping to change at page 8, line 15 skipping to change at page 8, line 15
! bgpd.conf ! bgpd.conf
! !
hostname as112-bgpd hostname as112-bgpd
password <something> password <something>
enable password <supersomething> enable password <supersomething>
! !
router bgp 112 router bgp 112
bgp router-id 198.32.149.123 bgp router-id 198.32.149.123
network 192.175.48.0 network 192.175.48.0
neighbor 198.32.149.1 remote-as 2884 neighbor 198.32.149.1 remote-as 2884
neighbor 198.32.149.1 ebgp-multihop
neighbor 198.32.149.1 next-hop-self neighbor 198.32.149.1 next-hop-self
neighbor 198.32.149.2 remote-as 2884 neighbor 198.32.149.2 remote-as 2884
neighbor 198.32.149.2 ebgp-multihop
neighbor 198.32.149.2 next-hop-self neighbor 198.32.149.2 next-hop-self
The "zebra.conf" file is required to provide integration between The "zebra.conf" file is required to provide integration between
protocol daemons (bgpd, in this case) and the kernel. protocol daemons (bgpd, in this case) and the kernel.
! zebra.conf ! zebra.conf
! !
hostname as112 hostname as112
password <something> password <something>
enable password <supersomething> enable password <supersomething>
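Review bot: dropping the two `neighbor ... ebgp-multihop` lines is only correct if 198.32.149.1 and 198.32.149.2 are directly connected to the node. Since the node's `bgp router-id 198.32.149.123` shares its first three octets with both peers, that appears to be the case here and the directive was unnecessary, but the prose should state that the sample assumes directly-connected eBGP peers so that an operator whose upstream session crosses a router hop knows to restore it. While here, `network 192.175.48.0` relies on Quagga's classful default to become a /24; writing `network 192.175.48.0/24` matches the prefix given in the text above and removes the ambiguity.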
skipping to change at page 8, line 43 skipping to change at page 8, line 41
! !
3.5. DNS Software 3.5. DNS Software
Although the queries received by AS112 nodes are definitively Although the queries received by AS112 nodes are definitively
misdirected, it is important that they be answered in a manner which misdirected, it is important that they be answered in a manner which
is accurate and consistent. For this reason AS112 nodes operate as is accurate and consistent. For this reason AS112 nodes operate as
fully-functional and standards-compliant DNS authority servers fully-functional and standards-compliant DNS authority servers
[RFC1034], and hence require DNS software. [RFC1034], and hence require DNS software.
Suitable choices of free DNS software for AS112 nodes include: Suitable choices of free DNS software for AS112 nodes include, but
are not limited to:
o ISC BIND9 [4] o ISC BIND9 [4]
o NLnet Labs' NSD [5] o NLnet Labs' NSD [5]
Examples in this document are based on ISC BIND9. Examples in this document are based on ISC BIND9.
The following is a sample BIND9 "named.conf" file for a dedicated The following is a sample BIND9 "named.conf" file for a dedicated
AS112 server. Note that the nameserver is configured to act as an AS112 server. Note that the nameserver is configured to act as an
authority-only server (i.e. recursion is disabled). The nameserver authority-only server (i.e. recursion is disabled). The nameserver
skipping to change at page 9, line 27 skipping to change at page 9, line 26
192.175.48.6; // blackhole-1.iana.org (anycast) 192.175.48.6; // blackhole-1.iana.org (anycast)
192.175.48.42; // blackhole-2.iana.org (anycast) 192.175.48.42; // blackhole-2.iana.org (anycast)
}; };
directory "/var/named"; directory "/var/named";
recursion no; // authority-only server recursion no; // authority-only server
query-source address *; query-source address *;
}; };
// log queries, so that when people call us about unexpected // log queries, so that when people call us about unexpected
// answers to queries they didn't realise they had sent, we // answers to queries they didn't realise they had sent, we
// have something to talk about // have something to talk about. Note that activating this
// has the potential to create high CPU and take enormous
// amounts of disk space.
logging { logging {
channel "querylog" { channel "querylog" {
file "/var/log/query.log" versions 2 size 500m; file "/var/log/query.log" versions 2 size 500m;
print-time yes; print-time yes;
}; };
category queries { querylog; }; category queries { querylog; };
}; };
// RFC 1918 // RFC 1918
zone "10.in-addr.arpa" { type master; file "db,empty"; }; zone "10.in-addr.arpa" { type master; file "db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "db.empty"; };
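Review bot: the `db,empty` to `db.empty` correction on the `10.in-addr.arpa` zone line is the substantive fix in this block (named cannot load a master zone from a nonexistent file, so a node built from the -00 sample would answer SERVFAIL for that zone instead of the intended empty answer) and deserves a mention in the change history rather than being folded into "cosmetic tweaks". In the new logging comment, "create high CPU" reads oddly; suggest "impose significant CPU load and consume large amounts of disk space". The warning about enormous disk usage is also tempered by the channel definition directly below it: `versions 2 size 500m` rolls the file at 500 MB and keeps two old copies, so the log is bounded at roughly 1.5 GB, and the comment could say that this cap is what keeps query logging manageable.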
skipping to change at page 11, line 18 skipping to change at page 11, line 18
@ SOA flo.gigafed.net. dns.ryouko.imsb.nrc.ca. ( @ SOA flo.gigafed.net. dns.ryouko.imsb.nrc.ca. (
1 ; serial number 1 ; serial number
1W ; refresh 1W ; refresh
1M ; retry 1M ; retry
1W ; expire 1W ; expire
1W ) ; negative caching TTL 1W ) ; negative caching TTL
; ;
NS blackhole-2.iana.org. NS blackhole-2.iana.org.
NS blackhole-1.iana.org. NS blackhole-1.iana.org.
; ;
TXT "See http://as112.net/ for more information."
TXT "Federal GigaPOP" "Ottawa, Canada" TXT "Federal GigaPOP" "Ottawa, Canada"
TXT "See http://as112.net/ for more information."
; ;
LOC 45 25 0.000 N 75 42 0.000 W 80.00m 1m 10000m 10m LOC 45 25 0.000 N 75 42 0.000 W 80.00m 1m 10000m 10m
3.6. Testing a Newly-Installed Node 3.6. Testing a Newly-Installed Node
The BIND9 tool "dig" can be used to retrieve the TXT resource records The BIND9 tool "dig" can be used to retrieve the TXT resource records
associated with the domain "HOSTNAME.AS112.NET", directed at one of associated with the domain "HOSTNAME.AS112.NET", directed at one of
the AS112 anycast nameserver addresses. The response received should the AS112 anycast nameserver addresses. Continuing the example from
indicate the identity of the AS112 node which responded to the query. above, the response received should indicate the identity of the
See Section 3.5 for more details about the resource records AS112 node which responded to the query. See Section 3.5 for more
associated with "HOSTNAME.AS112.NET". details about the resource records associated with
"HOSTNAME.AS112.NET".
% dig @prisoner.iana.org hostname.as112.net txt +short +norec % dig @prisoner.iana.org hostname.as112.net txt +short +norec
"Internet Software Consortium, Inc." "Palo Alto, CA, USA" "Federal GigaPOP" "Ottawa, Canada"
"See http://www.as112.net/ for more information." "See http://www.as112.net/ for more information."
% %
If the response received indicates a different node is being used, If the response received indicates a different node is being used,
then there is probably a routing problem to solve. If there is no then there is probably a routing problem to solve. If there is no
response received at all, there might be host or nameserver problem. response received at all, there might be host or nameserver problem.
Judicious use of tools such as traceroute, and consultation of BGP Judicious use of tools such as traceroute, and consultation of BGP
looking glasses might be useful in troubleshooting. looking glasses might be useful in troubleshooting.
Note that an appropriate set of tests for a new server will include Note that an appropriate set of tests for a new server will include
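Review bot: the test in Section 3.6 is now consistent with the zone file above in showing the "Federal GigaPOP" "Ottawa, Canada" record, but one mismatch remains: the zone's TXT record reads "See http://as112.net/ for more information." while the dig output shows "See http://www.as112.net/ for more information."; pick one form for both. Reordering the two TXT records in the zone file to match the dig output is harmless but cosmetic, since records within a TXT RRset are not returned in any guaranteed order (BIND's default rrset-order may rotate them), so the text should not suggest that line order in the response carries meaning. Minor grammar in the unchanged context: "there might be host or nameserver problem" should read "there might be a host or nameserver problem".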
skipping to change at page 12, line 35 skipping to change at page 12, line 35
node is not functioning normally. node is not functioning normally.
4.3. Statistics and Measurement 4.3. Statistics and Measurement
Use of the AS112 node should be measured in order to track long-term Use of the AS112 node should be measured in order to track long-term
trends, identify anomalous conditions and to ensure that the trends, identify anomalous conditions and to ensure that the
configuration of the AS112 node is sufficient to handle the query configuration of the AS112 node is sufficient to handle the query
load. load.
Examples of free monitoring tools which might be useful to operators Examples of free monitoring tools which might be useful to operators
of AS112 nodes include: of AS112 nodes include, but are not limited to:
o bindgraph [6] o bindgraph [6]
o dnstop [7] o dnstop [7]
o DSC [8] o DSC [8]
5. Communications 5. Communications
It is good operational practice to notify the community of users It is good operational practice to notify the community of users
skipping to change at page 14, line 31 skipping to change at page 14, line 31
future. future.
There may be a requirement in the future for AS112 nodes to answer There may be a requirement in the future for AS112 nodes to answer
for their current set of zones over IPv6 transport. Such a for their current set of zones over IPv6 transport. Such a
requirement would necessitate the assignment of a corresponding IPv6 requirement would necessitate the assignment of a corresponding IPv6
netblock for use as an anycast service prefix. netblock for use as an anycast service prefix.
There may be a requirement in the future for AS112 nodes to serve There may be a requirement in the future for AS112 nodes to serve
additional zones, or to stop serving particular zones that are additional zones, or to stop serving particular zones that are
currently served. Such changes would be widely announced in currently served. Such changes would be widely announced in
operational forums, and published at <http://wwwn.as112.net/>. operational forums, and published at <http://www.as112.net/>.
7. Security Considerations 7. Security Considerations
Hosts should never normally send queries to AS112 servers; queries Hosts should never normally send queries to AS112 servers; queries
relating to private-use addresses should be answered locally within a relating to private-use addresses should be answered locally within a
site. Hosts which send queries to AS112 servers may well leak site. Hosts which send queries to AS112 servers may well leak
information relating to private infrastructure to the public network, information relating to private infrastructure to the public network,
which could represent a security risk. This risk is orthogonal to which could represent a security risk. This risk is orthogonal to
the presence or absence of authority servers for these zones in the the presence or absence of authority servers for these zones in the
public DNS infrastructure, however. public DNS infrastructure, however.
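Review bot: the wwwn.as112.net to www.as112.net correction is right and matches the http://www.as112.net/ form used in the Section 3.6 dig output. The Security Considerations are unchanged, but the query logging enabled in the Section 3.5 named.conf sample is the other half of the leakage risk described here: the query log records exactly the private-infrastructure names this section says hosts may leak, so this section should state that operators who enable that channel restrict access to those logs, limit their retention, and treat them as sensitive when discussing them with the people who "call us about unexpected answers".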
skipping to change at page 19, line 8 skipping to change at page 19, line 8
In 2002, the first AS112 anycast nodes were deployed. In 2002, the first AS112 anycast nodes were deployed.
The use of anycast nameservers in the AS112 project contributed to The use of anycast nameservers in the AS112 project contributed to
the operational experience of anycast DNS services, and can be seen the operational experience of anycast DNS services, and can be seen
as a precursor to the anycast distribution of other authority servers as a precursor to the anycast distribution of other authority servers
in subsequent years (e.g. various root servers). in subsequent years (e.g. various root servers).
Appendix B. Acknowledgements Appendix B. Acknowledgements
The authors wish to acknowledge the assistance of Bill Manning, John The authors wish to acknowledge the assistance of Bill Manning, John
Brown, Marco D'Itri and Peter Losher in the preparation of this Brown, Marco D'Itri, Daniele Arena, Stephane Bortzmeyer, Frank
document. Habicht and Peter Losher in the preparation of this document.
Appendix C. Change History Appendix C. Change History
This section to be removed prior to publication. This section to be removed prior to publication.
00 Initial draft, circulated as draft-jabley-as112-ops-00 and 00 Initial draft, circulated as draft-jabley-as112-ops-00 and
reviewed at the DNSOP working group meeting at IETF 66. reviewed at the DNSOP working group meeting at IETF 66.
00 Document adoped by the DNSOP working group and renamed 00 Document adoped by the DNSOP working group and renamed
accordingly. accordingly.
01 Input from reviewers of DNSOP and others, some cosmetic tweaks.
Authors' Addresses Authors' Addresses
Joe Abley Joe Abley
Afilias Canada Corp. Afilias Canada Corp.
Suite 204, 4141 Yonge Street Suite 204, 4141 Yonge Street
Toronto, ON M2P 2A8 Toronto, ON M2P 2A8
Canada Canada
Phone: +1 416 673 4176 Phone: +1 416 673 4176
Email: jabley@ca.afilias.info Email: jabley@ca.afilias.info
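Review bot: "adoped" in the Change History should be "adopted" (present in both versions). The history also carries two entries labelled "00"; either distinguish them (the draft-jabley-as112-ops-00 circulation versus the draft-ietf-dnsop-as112-ops-00 adoption) or merge them, since as written the second "00" reads as a duplicate of the first. The new "01" entry should name the substantive fixes in this revision (the db.empty filename, the removal of ebgp-multihop, the corrected as112.net URL and the updated dig output) rather than only "cosmetic tweaks".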
End of changes. 17 change blocks. 20 lines changed or deleted, 24 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/