draft-ietf-dnsop-as112-ops-06.txt   draft-ietf-dnsop-as112-ops-07.txt 
Network Working Group J. Abley Network Working Group J. Abley
Internet-Draft ICANN Internet-Draft ICANN
Intended status: Informational W. Maton Intended status: Informational W. Maton
Expires: May 16, 2011 NRC-CNRC Expires: October 29, 2011 NRC-CNRC
November 12, 2010 April 27, 2011
AS112 Nameserver Operations AS112 Nameserver Operations
draft-ietf-dnsop-as112-ops-06 draft-ietf-dnsop-as112-ops-07
Abstract Abstract
Many sites connected to the Internet make use of IPv4 addresses that Many sites connected to the Internet make use of IPv4 addresses that
are not globally-unique. Examples are the addresses designated in are not globally-unique. Examples are the addresses designated in
RFC 1918 for private use within individual sites. RFC 1918 for private use within individual sites.
Devices in such environments may occasionally originate Domain Name Devices in such environments may occasionally originate Domain Name
System (DNS) queries (so-called "reverse lookups") corresponding to System (DNS) queries (so-called "reverse lookups") corresponding to
those private-use addresses. Since the addresses concerned have only those private-use addresses. Since the addresses concerned have only
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 16, 2011. This Internet-Draft will expire on October 29, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 17 skipping to change at page 3, line 17
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. AS112 DNS Service . . . . . . . . . . . . . . . . . . . . . . 5 2. AS112 DNS Service . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Zones . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Zones . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Nameservers . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Nameservers . . . . . . . . . . . . . . . . . . . . . . . 5
3. Installation of a New Node . . . . . . . . . . . . . . . . . . 6 3. Installation of a New Node . . . . . . . . . . . . . . . . . . 6
3.1. Useful Background Knowledge . . . . . . . . . . . . . . . 6 3.1. Useful Background Knowledge . . . . . . . . . . . . . . . 6
3.2. Topological Location . . . . . . . . . . . . . . . . . . . 6 3.2. Topological Location . . . . . . . . . . . . . . . . . . . 6
3.3. Operating System and Host Considerations . . . . . . . . . 6 3.3. Operating System and Host Considerations . . . . . . . . . 6
3.4. Routing Software . . . . . . . . . . . . . . . . . . . . . 7 3.4. Routing Software . . . . . . . . . . . . . . . . . . . . . 7
3.5. DNS Software . . . . . . . . . . . . . . . . . . . . . . . 8 3.5. DNS Software . . . . . . . . . . . . . . . . . . . . . . . 8
3.6. Testing a Newly-Installed Node . . . . . . . . . . . . . . 12 3.6. Testing a Newly-Installed Node . . . . . . . . . . . . . . 11
4. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 13 4.1. Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2. Downtime . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.2. Downtime . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.3. Statistics and Measurement . . . . . . . . . . . . . . . . 13 4.3. Statistics and Measurement . . . . . . . . . . . . . . . . 12
5. Communications . . . . . . . . . . . . . . . . . . . . . . . . 14 5. Communications . . . . . . . . . . . . . . . . . . . . . . . . 13
6. On the Future of AS112 Nodes . . . . . . . . . . . . . . . . . 15 6. On the Future of AS112 Nodes . . . . . . . . . . . . . . . . . 14
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
10.1. Normative References . . . . . . . . . . . . . . . . . . . 19 10.1. Normative References . . . . . . . . . . . . . . . . . . . 18
10.2. Informative References . . . . . . . . . . . . . . . . . . 19 10.2. Informative References . . . . . . . . . . . . . . . . . . 18
Appendix A. History . . . . . . . . . . . . . . . . . . . . . . . 21 Appendix A. History . . . . . . . . . . . . . . . . . . . . . . . 20
Appendix B. Change History . . . . . . . . . . . . . . . . . . . 22 Appendix B. Change History . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Many sites connected to the Internet make use of IPv4 addresses that Many sites connected to the Internet make use of IPv4 addresses that
are not globally unique. Examples are the addresses designated in are not globally unique. Examples are the addresses designated in
[RFC1918] for private use within individual sites. [RFC1918] for private use within individual sites.
Devices in such environments may occasionally originate Domain Name Devices in such environments may occasionally originate Domain Name
System (DNS) [RFC1034] queries (so-called "reverse lookups") System (DNS) [RFC1034] queries (so-called "reverse lookups")
corresponding to those private-use addresses. Since the addresses corresponding to those private-use addresses. Since the addresses
skipping to change at page 6, line 40 skipping to change at page 6, line 40
It is good operational practice to notify the community of users that It is good operational practice to notify the community of users that
may fall within the reach of a new AS112 node before it is installed. may fall within the reach of a new AS112 node before it is installed.
At an Internet Exchange, local mailing lists usually exist to At an Internet Exchange, local mailing lists usually exist to
facilitate such announcements. For nodes that are intended to be facilitate such announcements. For nodes that are intended to be
globally reachable, coordination with other AS112 operators is highly globally reachable, coordination with other AS112 operators is highly
recommended. See also Section 5. recommended. See also Section 5.
3.3. Operating System and Host Considerations 3.3. Operating System and Host Considerations
The use of a UNIX or UNIX-like operating system (e.g. FreeBSD [1], Examples in this document are based on UNIX and UNIX-like operating
OpenBSD [2], Linux [3]) is recommended for the construction of AS112 systems, but other operating systems exist which are suitable for use
nodes, primarily due to the cumulative experience of using such in construction of an AS112 node.
platforms for this purpose. Examples in this document will assume
use of such an operating system.
The chosen platform should include support for either cloned loopback The chosen platform should include support for either cloned loopback
interfaces, or the capability to bind multiple addresses to a single interfaces, or the capability to bind multiple addresses to a single
loopback interface. The addresses of the nameservers listed in loopback interface. The addresses of the nameservers listed in
Section 2.2 will be configured on these interfaces in order that the Section 2.2 will be configured on these interfaces in order that the
DNS software can respond to queries properly. DNS software can respond to queries properly.
A host that is configured to act as an AS112 anycast node should be A host that is configured to act as an AS112 anycast node should be
dedicated to that purpose, and should not be used to simultaneously dedicated to that purpose, and should not be used to simultaneously
provide other services. provide other services.
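Review bot: the -07 replacement for the first paragraph of Section 3.3 drops both the recommendation of a UNIX-like platform and its rationale (cumulative operational experience) without saying what makes another operating system "suitable"; the real criterion is the cloned-loopback or multiple-addresses-per-loopback requirement in the paragraph that follows, so suggest tying the new sentence to it, e.g. "other operating systems that meet the interface requirements below are also suitable". Minor: "suitable for use in construction of an AS112 node" reads better as "suitable for use in the construction of an AS112 node".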
skipping to change at page 7, line 26 skipping to change at page 7, line 24
either the anycast addresses are not configured, or while the DNS either the anycast addresses are not configured, or while the DNS
software is not running. software is not running.
3.4. Routing Software 3.4. Routing Software
AS112 nodes signal the availability of AS112 nameservers to the AS112 nodes signal the availability of AS112 nameservers to the
Internet using BGP [RFC4271]: each AS112 node is a BGP speaker, and Internet using BGP [RFC4271]: each AS112 node is a BGP speaker, and
announces the prefix 192.175.48.0/24 to the Internet with origin AS announces the prefix 192.175.48.0/24 to the Internet with origin AS
112 (see also Section 2.2). 112 (see also Section 2.2).
Suitable choices of free software to allow hosts to act as BGP The examples in this document are based on the Quagga Routing
speakers include, but are not limited to: Suite [1], but other software packages exist which also provide
suitable BGP support for AS112 nodes.
o BIRD Internet Routing Daemon [4]
o OpenBGPD [5]
o The Quagga Routing Suite [6]
o GNU Zebra [7]
The examples in this document are based on Quagga.
The "bgpd.conf" file is used by Quagga's bgpd daemon, which provides The "bgpd.conf" file is used by Quagga's bgpd daemon, which provides
BGP protocol support. The router id in this example is 203.0.113.1; BGP protocol support. The router id in this example is 203.0.113.1;
the AS112 node peers with external peers 192.0.2.1 and 192.0.2.2. the AS112 node peers with external peers 192.0.2.1 and 192.0.2.2.
Note the local AS number 112, and the origination of the prefix Note the local AS number 112, and the origination of the prefix
192.175.48.0/24. 192.175.48.0/24.
! bgpd.conf ! bgpd.conf
! !
hostname as112-bgpd hostname as112-bgpd
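Review bot: dropping the BIRD, OpenBGPD and GNU Zebra entries leaves Section 3.4 naming only Quagga, while Section 3.5 still lists both BIND9 and NSD as alternatives, so the two software sections no longer read in parallel; either keep a short list of BGP daemons with their URIs or give 3.5 the same "examples are based on X, but other packages exist" treatment. With [4], [5] and [7] removed, the -07 sentence "other software packages exist which also provide suitable BGP support" is now the only claim in the section with no reference behind it.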
skipping to change at page 8, line 49 skipping to change at page 8, line 30
Although the queries received by AS112 nodes are definitively Although the queries received by AS112 nodes are definitively
misdirected, it is important that they be answered in a manner that misdirected, it is important that they be answered in a manner that
is accurate and consistent. For this reason AS112 nodes operate as is accurate and consistent. For this reason AS112 nodes operate as
fully-functional and standards-compliant DNS authoritative servers fully-functional and standards-compliant DNS authoritative servers
[RFC1034], and hence require DNS software. [RFC1034], and hence require DNS software.
Suitable choices of free DNS software for AS112 nodes include, but Suitable choices of free DNS software for AS112 nodes include, but
are not limited to: are not limited to:
o ISC BIND9 [8] o ISC BIND9 [2]
o NLnet Labs' NSD [3]
o NLnet Labs' NSD [9]
Examples in this document are based on ISC BIND9. Examples in this document are based on ISC BIND9.
The following is a sample BIND9 "named.conf" file for a dedicated The following is a sample BIND9 "named.conf" file for a dedicated
AS112 server. Note that the nameserver is configured to act as an AS112 server. Note that the nameserver is configured to act as an
authoritative-only server (i.e. recursion is disabled). The authoritative-only server (i.e. recursion is disabled). The
nameserver is also configured to listen on the various AS112 anycast nameserver is also configured to listen on the various AS112 anycast
nameserver addresses, as well as its local addresses. nameserver addresses, as well as its local addresses.
// named.conf // named.conf
skipping to change at page 13, line 37 skipping to change at page 12, line 37
4.3. Statistics and Measurement 4.3. Statistics and Measurement
Use of the AS112 node should be measured in order to track long-term Use of the AS112 node should be measured in order to track long-term
trends, identify anomalous conditions, and to ensure that the trends, identify anomalous conditions, and to ensure that the
configuration of the AS112 node is sufficient to handle the query configuration of the AS112 node is sufficient to handle the query
load. load.
Examples of free monitoring tools that might be useful to operators Examples of free monitoring tools that might be useful to operators
of AS112 nodes include, but are not limited to: of AS112 nodes include, but are not limited to:
o bindgraph [10] o bindgraph [4]
o dnstop [11] o dnstop [5]
o DSC [12] o DSC [6]
5. Communications 5. Communications
It is good operational practice to notify the community of users that It is good operational practice to notify the community of users that
may fall within the reach of a new AS112 node before it is installed. may fall within the reach of a new AS112 node before it is installed.
At Internet Exchanges, local mailing lists usually exist to At Internet Exchanges, local mailing lists usually exist to
facilitate such announcements. facilitate such announcements.
For nodes that are intended to be globally reachable, coordination For nodes that are intended to be globally reachable, coordination
with other AS112 operators is especially recommended. The mailing with other AS112 operators is especially recommended. The mailing
skipping to change at page 19, line 35 skipping to change at page 18, line 35
Protocol 4 (BGP-4)", RFC 4271, January 2006. Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast
Services", BCP 126, RFC 4786, December 2006. Services", BCP 126, RFC 4786, December 2006.
10.2. Informative References 10.2. Informative References
[I-D.ietf-dnsop-as112-under-attack-help-help] [I-D.ietf-dnsop-as112-under-attack-help-help]
Abley, J. and W. Maton, "I'm Being Attacked by Abley, J. and W. Maton, "I'm Being Attacked by
PRISONER.IANA.ORG!", PRISONER.IANA.ORG!",
draft-ietf-dnsop-as112-under-attack-help-help-04 (work in draft-ietf-dnsop-as112-under-attack-help-help-05 (work in
progress), July 2010. progress), March 2011.
[I-D.ietf-dnsop-default-local-zones] [I-D.ietf-dnsop-default-local-zones]
Andrews, M., "Locally-served DNS Zones", Andrews, M., "Locally-served DNS Zones",
draft-ietf-dnsop-default-local-zones-14 (work in draft-ietf-dnsop-default-local-zones-15 (work in
progress), September 2010. progress), March 2011.
[RFC1876] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A [RFC1876] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A
Means for Expressing Location Information in the Domain Means for Expressing Location Information in the Domain
Name System", RFC 1876, January 1996. Name System", RFC 1876, January 1996.
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
BCP 153, RFC 5735, January 2010. BCP 153, RFC 5735, January 2010.
URIs URIs
[1] <http://www.freebsd.org/> [1] <http://www.quagga.net/>
[2] <http://www.openbsd.org/>
[3] <http://www.linuxfoundation.org/>
[4] <http://bird.network.cz/>
[5] <http://www.openbgpd.org/>
[6] <http://www.quagga.net/>
[7] <http://www.zebra.org/>
[8] <http://www.isc.org/software/BIND/> [2] <http://www.isc.org/software/BIND/>
[9] <http://www.nlnetlabs.nl/nsd/> [3] <http://www.nlnetlabs.nl/nsd/>
[10] <http://www.linux.it/~md/software/> [4] <http://www.linux.it/~md/software/>
[11] <http://dns.measurement-factory.com/tools/dnstop/> [5] <http://dns.measurement-factory.com/tools/dnstop/>
[12] <http://dns.measurement-factory.com/tools/dsc/> [6] <http://dns.measurement-factory.com/tools/dsc/>
Appendix A. History Appendix A. History
Widespread use of the private address blocks listed in [RFC1918] Widespread use of the private address blocks listed in [RFC1918]
followed that document's publication in 1996. followed that document's publication in 1996.
The idea of off-loading IN-ADDR.ARPA queries relating to [RFC1918] The idea of off-loading IN-ADDR.ARPA queries relating to [RFC1918]
addresses from the root nameservers was first proposed by Bill addresses from the root nameservers was first proposed by Bill
Manning and John Brown. Manning and John Brown.
End of changes. 20 change blocks. 65 lines changed or deleted, 43 lines changed or added.
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/