draft-ietf-dnsop-as112-ops-07.txt   draft-ietf-dnsop-as112-ops-08.txt 
Network Working Group J. Abley Network Working Group J. Abley
Internet-Draft ICANN Internet-Draft ICANN
Intended status: Informational W. Maton Intended status: Informational W. Maton
Expires: October 29, 2011 NRC-CNRC Expires: October 31, 2011 NRC-CNRC
April 27, 2011 April 29, 2011
AS112 Nameserver Operations AS112 Nameserver Operations
draft-ietf-dnsop-as112-ops-07 draft-ietf-dnsop-as112-ops-08
Abstract Abstract
Many sites connected to the Internet make use of IPv4 addresses that Many sites connected to the Internet make use of IPv4 addresses that
are not globally-unique. Examples are the addresses designated in are not globally-unique. Examples are the addresses designated in
RFC 1918 for private use within individual sites. RFC 1918 for private use within individual sites.
Devices in such environments may occasionally originate Domain Name Devices in such environments may occasionally originate Domain Name
System (DNS) queries (so-called "reverse lookups") corresponding to System (DNS) queries (so-called "reverse lookups") corresponding to
those private-use addresses. Since the addresses concerned have only those private-use addresses. Since the addresses concerned have only
local significance, it is good practice for site administrators to local significance, it is good practice for site administrators to
ensure that such queries are answered locally. However, it is not ensure that such queries are answered locally. However, it is not
uncommon for such queries to follow the normal delegation path in the uncommon for such queries to follow the normal delegation path in the
public DNS instead of being answered within the site. public DNS instead of being answered within the site.
It is not possible for public DNS servers to give useful answers to It is not possible for public DNS servers to give useful answers to
such queries. In addition, due to the wide deployment of private-use such queries. In addition, due to the wide deployment of private-use
addresses and the continuing growth of the Internet, the volume of addresses and the continuing growth of the Internet, the volume of
such queries is large and growing. The AS112 project aims to provide such queries is large and growing. The AS112 project aims to provide
a distributed sink for such queries in order to reduce the load on a distributed sink for such queries in order to reduce the load on
the root and IN-ADDR.ARPA authoritative servers. The AS112 project the IN-ADDR.ARPA authoritative servers. The AS112 project is named
is named after the Autonomous System Number (ASN) that was assigned after the Autonomous System Number (ASN) that was assigned to it.
to it.
This document describes the steps required to install a new AS112 This document describes the steps required to install a new AS112
node, and offers advice relating to such a node's operation. node, and offers advice relating to such a node's operation.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 29, 2011. This Internet-Draft will expire on October 31, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
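Review bot: in the Abstract, dropping "the root and" from "reduce the load on the root and IN-ADDR.ARPA authoritative servers" keeps it in step with the identical edit made in the Introduction; since an abstract cannot carry the [RFC5855] citation that supports the new wording, the Introduction sentence is the one that must keep that reference. The header changes (draft-07 to draft-08, April 27 to April 29, expiry October 29 to October 31, 2011) are consistent with each other.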
skipping to change at page 3, line 17 skipping to change at page 3, line 17
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. AS112 DNS Service . . . . . . . . . . . . . . . . . . . . . . 5 2. AS112 DNS Service . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Zones . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Zones . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Nameservers . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Nameservers . . . . . . . . . . . . . . . . . . . . . . . 5
3. Installation of a New Node . . . . . . . . . . . . . . . . . . 6 3. Installation of a New Node . . . . . . . . . . . . . . . . . . 6
3.1. Useful Background Knowledge . . . . . . . . . . . . . . . 6 3.1. Useful Background Knowledge . . . . . . . . . . . . . . . 6
3.2. Topological Location . . . . . . . . . . . . . . . . . . . 6 3.2. Topological Location . . . . . . . . . . . . . . . . . . . 6
3.3. Operating System and Host Considerations . . . . . . . . . 6 3.3. Operating System and Host Considerations . . . . . . . . . 6
3.4. Routing Software . . . . . . . . . . . . . . . . . . . . . 7 3.4. Routing Software . . . . . . . . . . . . . . . . . . . . . 7
3.5. DNS Software . . . . . . . . . . . . . . . . . . . . . . . 8 3.5. DNS Software . . . . . . . . . . . . . . . . . . . . . . . 8
3.6. Testing a Newly-Installed Node . . . . . . . . . . . . . . 11 3.6. Testing a Newly-Installed Node . . . . . . . . . . . . . . 12
4. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1. Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 12 4.1. Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Downtime . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.2. Downtime . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.3. Statistics and Measurement . . . . . . . . . . . . . . . . 12 4.3. Statistics and Measurement . . . . . . . . . . . . . . . . 13
5. Communications . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Communications . . . . . . . . . . . . . . . . . . . . . . . . 14
6. On the Future of AS112 Nodes . . . . . . . . . . . . . . . . . 14 6. On the Future of AS112 Nodes . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
10.1. Normative References . . . . . . . . . . . . . . . . . . . 18 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
10.2. Informative References . . . . . . . . . . . . . . . . . . 18 10.2. Informative References . . . . . . . . . . . . . . . . . . 19
Appendix A. History . . . . . . . . . . . . . . . . . . . . . . . 20 Appendix A. History . . . . . . . . . . . . . . . . . . . . . . . 22
Appendix B. Change History . . . . . . . . . . . . . . . . . . . 21 Appendix B. Change History . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
Many sites connected to the Internet make use of IPv4 addresses that Many sites connected to the Internet make use of IPv4 addresses that
are not globally unique. Examples are the addresses designated in are not globally unique. Examples are the addresses designated in
[RFC1918] for private use within individual sites. [RFC1918] for private use within individual sites.
Devices in such environments may occasionally originate Domain Name Devices in such environments may occasionally originate Domain Name
System (DNS) [RFC1034] queries (so-called "reverse lookups") System (DNS) [RFC1034] queries (so-called "reverse lookups")
corresponding to those private-use addresses. Since the addresses corresponding to those private-use addresses. Since the addresses
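Review bot: the Table of Contents page numbers shift by one from Section 3.6 onward and by two for Appendices A and B and the Authors' Addresses, which is consistent with the paragraphs added in Sections 1, 3.3 and 3.4 and the two new reference entries; confirm the rendered page breaks still match after the Change History additions.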
skipping to change at page 4, line 25 skipping to change at page 4, line 25
administrators to ensure that such queries are answered locally administrators to ensure that such queries are answered locally
[I-D.ietf-dnsop-default-local-zones]. However, it is not uncommon [I-D.ietf-dnsop-default-local-zones]. However, it is not uncommon
for such queries to follow the normal delegation path in the public for such queries to follow the normal delegation path in the public
DNS instead of being answered within the site. DNS instead of being answered within the site.
It is not possible for public DNS servers to give useful answers to It is not possible for public DNS servers to give useful answers to
such queries. In addition, due to the wide deployment of private-use such queries. In addition, due to the wide deployment of private-use
addresses and the continuing growth of the Internet, the volume of addresses and the continuing growth of the Internet, the volume of
such queries is large and growing. The AS112 project aims to provide such queries is large and growing. The AS112 project aims to provide
a distributed sink for such queries in order to reduce the load on a distributed sink for such queries in order to reduce the load on
the root and IN-ADDR.ARPA authoritative servers. the IN-ADDR.ARPA authoritative servers [RFC5855].
The AS112 project encompasses a loosely coordinated collection of The AS112 project encompasses a loosely coordinated collection of
independently operated nameservers. Each nameserver functions as a independently operated nameservers. Each nameserver functions as a
single node in an AS112 anycast cloud [RFC4786], and is configured to single node in an AS112 anycast cloud [RFC4786], and is configured to
answer authoritatively for a particular set of nominated zones. answer authoritatively for a particular set of nominated zones.
The AS112 project is named after the Autonomous System Number (ASN) The AS112 project is named after the Autonomous System Number (ASN)
that was assigned to it. that was assigned to it.
It is noted that recent guidance exists on the choice of origin ASN
for anycast services that is inconsistent with the choices made in
the AS112 project [I-D.ietf-grow-unique-origin-as].
2. AS112 DNS Service 2. AS112 DNS Service
2.1. Zones 2.1. Zones
AS112 nameservers answer authoritatively for the following zones, AS112 nameservers answer authoritatively for the following zones,
corresponding to [RFC1918] private-use netblocks: corresponding to [RFC1918] private-use netblocks:
o 10.IN-ADDR.ARPA o 10.IN-ADDR.ARPA
o 16.172.IN-ADDR.ARPA, 17.172.IN-ADDR.ARPA, ..., 31.172.IN-ADDR.ARPA o 16.172.IN-ADDR.ARPA, 17.172.IN-ADDR.ARPA, ..., 31.172.IN-ADDR.ARPA
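Review bot: the new Introduction paragraph noting that [I-D.ietf-grow-unique-origin-as] is inconsistent with the AS112 project's choice of origin ASN states the tension but not its consequence for operators; since Section 3.4 still instructs every node to announce 192.175.48.0/24 with origin AS 112, one clause saying that this document's guidance stands as written despite that draft would remove the ambiguity. The replacement of "the root and IN-ADDR.ARPA authoritative servers" with "the IN-ADDR.ARPA authoritative servers [RFC5855]" is backed by a corresponding new reference entry at the end of the document.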
skipping to change at page 6, line 52 skipping to change at page 6, line 52
in construction of an AS112 node. in construction of an AS112 node.
The chosen platform should include support for either cloned loopback The chosen platform should include support for either cloned loopback
interfaces, or the capability to bind multiple addresses to a single interfaces, or the capability to bind multiple addresses to a single
loopback interface. The addresses of the nameservers listed in loopback interface. The addresses of the nameservers listed in
Section 2.2 will be configured on these interfaces in order that the Section 2.2 will be configured on these interfaces in order that the
DNS software can respond to queries properly. DNS software can respond to queries properly.
A host that is configured to act as an AS112 anycast node should be A host that is configured to act as an AS112 anycast node should be
dedicated to that purpose, and should not be used to simultaneously dedicated to that purpose, and should not be used to simultaneously
provide other services. provide other services. This guidance is provided due to the
unpredictable (and occasionally high) traffic levels that AS112 nodes
have been seen to attract.
System startup scripts should be arranged such that the various System startup scripts should be arranged such that the various
AS112-related components start automatically following a system AS112-related components start automatically following a system
reboot. The order in which interfaces are configured and software reboot. The order in which interfaces are configured and software
components started should be arranged such that routing software components started should be arranged such that routing software
startup follows DNS software startup, and DNS software startup startup follows DNS software startup, and DNS software startup
follows loopback interface configuration. follows loopback interface configuration.
Wrapper scripts or other arrangements should be employed to ensure Wrapper scripts or other arrangements should be employed to ensure
that the anycast service prefix for AS112 is not advertised while that the anycast service prefix for AS112 is not advertised while
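Review bot: the rationale added in Section 3.3 ("unpredictable (and occasionally high) traffic levels that AS112 nodes have been seen to attract") explains the dedicated-host recommendation, but "have been seen" cites nothing; a forward reference to Section 4.3 on measurement, or to the already-referenced AS112 under-attack draft, would give the reader somewhere to look.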
skipping to change at page 7, line 25 skipping to change at page 7, line 27
software is not running. software is not running.
3.4. Routing Software 3.4. Routing Software
AS112 nodes signal the availability of AS112 nameservers to the AS112 nodes signal the availability of AS112 nameservers to the
Internet using BGP [RFC4271]: each AS112 node is a BGP speaker, and Internet using BGP [RFC4271]: each AS112 node is a BGP speaker, and
announces the prefix 192.175.48.0/24 to the Internet with origin AS announces the prefix 192.175.48.0/24 to the Internet with origin AS
112 (see also Section 2.2). 112 (see also Section 2.2).
The examples in this document are based on the Quagga Routing The examples in this document are based on the Quagga Routing
Suite [1], but other software packages exist which also provide Suite [1] running on Linux, but other software packages exist which
suitable BGP support for AS112 nodes. also provide suitable BGP support for AS112 nodes.
The "bgpd.conf" file is used by Quagga's bgpd daemon, which provides The "bgpd.conf" file is used by Quagga's bgpd daemon, which provides
BGP protocol support. The router id in this example is 203.0.113.1; BGP protocol support. The router id in this example is 203.0.113.1;
the AS112 node peers with external peers 192.0.2.1 and 192.0.2.2. the AS112 node peers with external peers 192.0.2.1 and 192.0.2.2.
Note the local AS number 112, and the origination of the prefix Note the local AS number 112, and the origination of the prefix
192.175.48.0/24. 192.175.48.0/24.
! bgpd.conf ! bgpd.conf
! !
hostname as112-bgpd hostname as112-bgpd
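Review bot: adding "running on Linux" to the Quagga sentence in Section 3.4 narrows the stated platform of the examples, while the preceding Section 3.3 text on cloned loopback interfaces is platform-neutral; consider stating whether the bgpd.conf and named.conf examples depend on anything Linux-specific, since the visible bgpd.conf parameters (hostname, router id 203.0.113.1, peers 192.0.2.1 and 192.0.2.2, origin AS 112) contain nothing that is.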
skipping to change at page 8, line 27 skipping to change at page 8, line 46
! !
3.5. DNS Software 3.5. DNS Software
Although the queries received by AS112 nodes are definitively Although the queries received by AS112 nodes are definitively
misdirected, it is important that they be answered in a manner that misdirected, it is important that they be answered in a manner that
is accurate and consistent. For this reason AS112 nodes operate as is accurate and consistent. For this reason AS112 nodes operate as
fully-functional and standards-compliant DNS authoritative servers fully-functional and standards-compliant DNS authoritative servers
[RFC1034], and hence require DNS software. [RFC1034], and hence require DNS software.
Suitable choices of free DNS software for AS112 nodes include, but Examples in this document are based on ISC BIND9 [2], but other DNS
are not limited to: software exists which is suitable for use in construction of an AS112
node.
o ISC BIND9 [2]
o NLnet Labs' NSD [3]
Examples in this document are based on ISC BIND9.
The following is a sample BIND9 "named.conf" file for a dedicated The following is a sample BIND9 "named.conf" file for a dedicated
AS112 server. Note that the nameserver is configured to act as an AS112 server. Note that the nameserver is configured to act as an
authoritative-only server (i.e. recursion is disabled). The authoritative-only server (i.e. recursion is disabled). The
nameserver is also configured to listen on the various AS112 anycast nameserver is also configured to listen on the various AS112 anycast
nameserver addresses, as well as its local addresses. nameserver addresses, as well as its local addresses.
// named.conf // named.conf
// global options // global options
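Review bot: Section 3.5 drops the two-item list of suitable DNS software (ISC BIND9 and NLnet Labs' NSD) in favour of "Examples in this document are based on ISC BIND9 [2], but other DNS software exists which is suitable"; this mirrors the Quagga wording in Section 3.4 and the URI list is renumbered accordingly ([3] now points to bindgraph rather than NSD). Check that no remaining text still cites NSD or URI [6], which no longer exists.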
skipping to change at page 12, line 35 skipping to change at page 13, line 35
node is not functioning normally. node is not functioning normally.
4.3. Statistics and Measurement 4.3. Statistics and Measurement
Use of the AS112 node should be measured in order to track long-term Use of the AS112 node should be measured in order to track long-term
trends, identify anomalous conditions, and to ensure that the trends, identify anomalous conditions, and to ensure that the
configuration of the AS112 node is sufficient to handle the query configuration of the AS112 node is sufficient to handle the query
load. load.
Examples of free monitoring tools that might be useful to operators Examples of free monitoring tools that might be useful to operators
of AS112 nodes include, but are not limited to: of AS112 nodes include:
o bindgraph [4] o bindgraph [3]
o dnstop [5] o dnstop [4]
o DSC [6] o DSC [5]
5. Communications 5. Communications
It is good operational practice to notify the community of users that It is good operational practice to notify the community of users that
may fall within the reach of a new AS112 node before it is installed. may fall within the reach of a new AS112 node before it is installed.
At Internet Exchanges, local mailing lists usually exist to At Internet Exchanges, local mailing lists usually exist to
facilitate such announcements. facilitate such announcements.
For nodes that are intended to be globally reachable, coordination For nodes that are intended to be globally reachable, coordination
with other AS112 operators is especially recommended. The mailing with other AS112 operators is especially recommended. The mailing
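Review bot: in Section 4.3 the monitoring-tool references renumber from [4]-[6] to [3]-[5], and the new numbers line up with the revised URI list (bindgraph at linux.it/~md/software, dnstop and DSC at dns.measurement-factory.com); the shortening of "include, but are not limited to:" to "include:" loses nothing, because "Examples of ... include" already marks the list as non-exhaustive.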
skipping to change at page 17, line 9 skipping to change at page 18, line 9
The zones hosted by AS112 servers are not signed with DNSSEC The zones hosted by AS112 servers are not signed with DNSSEC
[RFC4033]. Given the distributed and loosely-coordinated structure [RFC4033]. Given the distributed and loosely-coordinated structure
of the AS112 service, the zones concerned could only be signed if the of the AS112 service, the zones concerned could only be signed if the
private key material used was effectively public, obviating any private key material used was effectively public, obviating any
security benefit resulting from the use of those keys. security benefit resulting from the use of those keys.
9. Acknowledgements 9. Acknowledgements
The authors wish to acknowledge the assistance of Bill Manning, John The authors wish to acknowledge the assistance of Bill Manning, John
Brown, Marco D'Itri, Daniele Arena, Stephane Bortzmeyer, Frank Brown, Marco D'Itri, Daniele Arena, Stephane Bortzmeyer, Frank
Habicht, Chris Thompson, Peter Losher, Peter Koch and Alfred Hoenes Habicht, Chris Thompson, Peter Losher, Peter Koch, Alfred Hoenes and
in the preparation of this document. S. Moonesamy in the preparation of this document.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", E. Lear, "Address Allocation for Private Internets",
skipping to change at page 18, line 43 skipping to change at page 19, line 43
Abley, J. and W. Maton, "I'm Being Attacked by Abley, J. and W. Maton, "I'm Being Attacked by
PRISONER.IANA.ORG!", PRISONER.IANA.ORG!",
draft-ietf-dnsop-as112-under-attack-help-help-05 (work in draft-ietf-dnsop-as112-under-attack-help-help-05 (work in
progress), March 2011. progress), March 2011.
[I-D.ietf-dnsop-default-local-zones] [I-D.ietf-dnsop-default-local-zones]
Andrews, M., "Locally-served DNS Zones", Andrews, M., "Locally-served DNS Zones",
draft-ietf-dnsop-default-local-zones-15 (work in draft-ietf-dnsop-default-local-zones-15 (work in
progress), March 2011. progress), March 2011.
[I-D.ietf-grow-unique-origin-as]
McPherson, D., Donnelly, R., and F. Scalzo, "Unique Per-
Node Origin ASNs for Globally Anycasted Services",
draft-ietf-grow-unique-origin-as-00 (work in progress),
November 2010.
[RFC1876] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A [RFC1876] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A
Means for Expressing Location Information in the Domain Means for Expressing Location Information in the Domain
Name System", RFC 1876, January 1996. Name System", RFC 1876, January 1996.
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
BCP 153, RFC 5735, January 2010. BCP 153, RFC 5735, January 2010.
[RFC5855] Abley, J. and T. Manderson, "Nameservers for IPv4 and IPv6
Reverse Zones", BCP 155, RFC 5855, May 2010.
URIs URIs
[1] <http://www.quagga.net/> [1] <http://www.quagga.net/>
[2] <http://www.isc.org/software/BIND/> [2] <http://www.isc.org/software/BIND/>
[3] <http://www.nlnetlabs.nl/nsd/> [3] <http://www.linux.it/~md/software/>
[4] <http://www.linux.it/~md/software/>
[5] <http://dns.measurement-factory.com/tools/dnstop/> [4] <http://dns.measurement-factory.com/tools/dnstop/>
[6] <http://dns.measurement-factory.com/tools/dsc/> [5] <http://dns.measurement-factory.com/tools/dsc/>
Appendix A. History Appendix A. History
Widespread use of the private address blocks listed in [RFC1918] Widespread use of the private address blocks listed in [RFC1918]
followed that document's publication in 1996. followed that document's publication in 1996.
The idea of off-loading IN-ADDR.ARPA queries relating to [RFC1918] The idea of off-loading IN-ADDR.ARPA queries relating to [RFC1918]
addresses from the root nameservers was first proposed by Bill addresses from the root nameservers was first proposed by Bill
Manning and John Brown. Manning and John Brown.
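Review bot: the two new reference entries, [I-D.ietf-grow-unique-origin-as] (draft -00, November 2010) and [RFC5855] (BCP 155, May 2010), match the citations added in the Introduction, the NSD URI is removed, and the remaining URIs are renumbered [1]-[5]. One consistency point: Appendix A still describes the original aim as off-loading queries "from the root nameservers", which is accurate as history but now contrasts with the revised Abstract and Introduction that name only the IN-ADDR.ARPA servers; a short clause explaining why the current text names only those servers (presumably the reason [RFC5855] is cited) would tie the two together.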
skipping to change at page 22, line 5 skipping to change at page 23, line 30
03 Fix BLACKHOLE-2.IANA.ORG IP address. 03 Fix BLACKHOLE-2.IANA.ORG IP address.
04 Bump version number. Refresh references. Add reference to BIRD. 04 Bump version number. Refresh references. Add reference to BIRD.
Minor wordsmithing. Minor wordsmithing.
05 Updated following review from Peter Koch. 05 Updated following review from Peter Koch.
06 Updated following review from Alfred Hoenes. 06 Updated following review from Alfred Hoenes.
07 Updated following IESG review.
08 Updated following review by S. Moonesamy.
Authors' Addresses Authors' Addresses
Joe Abley Joe Abley
ICANN ICANN
4676 Admiralty Way, Suite 330 4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292 Marina del Rey, CA 90292
US US
Phone: +1 519 670 9327 Phone: +1 519 670 9327
Email: joe.abley@icann.org Email: joe.abley@icann.org
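Review bot: Change History entries 07 ("Updated following IESG review") and 08 ("Updated following review by S. Moonesamy") are added and the Acknowledgements now name S. Moonesamy, which is consistent; the 08 entry could briefly list the substantive changes (RFC5855 citation, unique-origin-as note, removal of the NSD mention), as entry 04 does for its revision.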
 End of changes. 21 change blocks. 
46 lines changed or deleted 57 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/