Adrian Kinderis - PowerPoint PPT Presentation

Slides: 26
Provided by: raymond53

Transcript and Presenter's Notes

1
NAME SERVER DIVERSITY ADRIAN KINDERIS
AUSREGISTRY INTERNATIONAL
2
NAME SERVER DIVERSITY ADRIAN KINDERIS
AUSREGISTRY INTERNATIONAL
  • Diversity of Name Servers: How Much is Enough?
  • APTLD Meeting, Bali
  • Tuesday, February 27th 2007
  • Adrian Kinderis
  • Managing Director, AusRegistry International

3
DIVERSITY
  • "the art of thinking independently together"
  • Malcolm S. Forbes, publisher of Forbes magazine
    from 1957 to 1990
  • "diversity may be the hardest thing for a society
    to live with, and perhaps the most dangerous
    thing for a society to be without"
  • William Sloane Coffin, Jr.
  • "I could be wrong, but I believe diversity is
    an old, old wooden ship that was used during the
    Civil War era"
  • Ron Burgundy - Anchorman

4
WHO IS AUSREGISTRY?
  • AusRegistry
  • Registry Operator for the .au ccTLD since July
    2002
  • Operates .au Domain Name Servers (DNS)
  • Consultation to industry and government
  • Website www.ausregistry.com.au
  • AusRegistry International
  • Consults globally on ccTLD operations
  • Registry Operator for the Solomon Islands .sb
    ccTLD
  • Registry Operator for the Australian ENUM Trial
  • Registry Operator for the REC Registry
  • Website www.ausregistryint.com

5
THE IMPORTANCE OF DNS
  • The internet is increasingly important in daily
    life
  • Every key sector relies on its availability to
    conduct their operations
  • Business
  • Government
  • Education
  • Collaboration
  • Research
  • Failure of the DNS could have wide ranging
    implications

6
SECURITY AND STABILITY OF THE DNS
  • Responsibilities of the delegated ccTLD Manager
  • Assignment of domains
  • Delegation of sub-domains
  • Operation of Name Servers
  • The security and stability of the Internet is
    increasingly a concern to government and industry
    bodies
  • In many cases government is seeking greater
    accountability

7
WHY BE DIVERSE?
  • The DNS is only as good as the sum of its parts
  • Threats
  • Denial of Service Attacks
  • Hardware failure
  • Software failure
  • Lack or failure of policies and procedures
  • Personnel errors
  • Service provider failure
  • Uniformity allows for a single point of failure
  • Diversity overcomes the single point of failure;
    however, guidelines and collaborative effort are
    required

8
CONCEPTS AND DEFINITIONS
  • DNS Service
  • The overall ability to resolve, or not resolve,
    resource records for any given domain, e.g.
    com.au
  • Name Service
  • A collection of Name Servers that may or may not
    be located at the same Name Server Site and that
    respond to DNS queries at the same IP or set of
    IPs
  • Name Server
  • An individual server that is responsible for
    providing DNS resolution services

9
CONCEPTS AND DEFINITIONS
  • Name Server Site
  • A site or more specifically the area within a
    site that is used to house Name Servers
  • DNS Provider
  • An organisation that manages one or more Name
    Services
  • DNS Operator
  • An individual that manages and maintains the
    Name Service and its associated equipment

10
CONCEPTS AND DEFINITIONS
  • Monitoring, Logging and Statistics
  • Allows trends, capacity planning and anomaly
    detection to be quickly and easily performed
  • Policies and Procedures
  • A set of policies and procedures to be adopted by
    all DNS providers for a particular zone

11
DNS SERVICE
  • MUST have more than 5 Name Services consisting of
    independent Name Servers
  • MUST be designed such that a temporary loss of a
    significant number of the Name Servers SHOULD NOT
    affect the operation of the Internet
  • MUST be supplied by multiple Name Services
  • MUST ensure that Network topological diversity is
    maintained

12
DNS SERVICE
  • MUST NOT be the responsibility of 1 DNS provider
  • MUST ensure geographic diversity, at least 4
    continents should be covered for large TLDs and
    ccTLDs
  • SHOULD consider diversity of
  • DNS Software
  • Operating System
  • Architectures
  • Networking Equipment

13
NAME SERVICE
  • MUST consist of more than one individual Name
    Server
  • MUST be capable of processing 10 times the peak
    transactions experienced to date
  • MUST have sufficient bandwidth available to
    satisfy the above mentioned transaction loads
  • MUST be used EXCLUSIVELY for the purposes of
    providing DNS services

14
NAME SERVER
  • MUST use DNS software which is fully compliant
    with IETF standards for DNS (currently RFC 1035,
    RFC 2181, STD40, etc.)
  • MUST provide authoritative responses ONLY from
    the zones they serve and not cache any
    information
  • MUST be used EXCLUSIVELY for the purposes of
    providing DNS services
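
The "authoritative responses only, no caching" rule on slide 14 is visible in the DNS message header: an authoritative answer carries the AA bit, and a server that neither recurses nor caches should not advertise RA. The parser below is an added example, not the presenter's code. It decodes the fixed 12-byte header defined in RFC 1035 and checks those two bits; the sample headers are constructed in the script rather than obtained from any server.

```python
import struct

# Bits of the 16-bit flags word in a DNS message header (RFC 1035, section 4.1.1)
QR = 1 << 15   # 1 = response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired (copied from the query)
RA = 1 << 7    # recursion available (the server offers to recurse and cache)


def parse_header(message):
    """Parse the fixed 12-byte DNS header into a dict of fields."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def check_authoritative_only(response):
    """Findings for a response that should come from an authoritative-only server.

    Slide 14 requires answers ONLY from the zones served and no caching; in the
    header that shows up as AA set and RA clear. Returns [] when both hold.
    """
    h = parse_header(response)
    findings = []
    if not h["qr"]:
        findings.append("QR clear: this is a query, not a response")
    if not h["aa"]:
        findings.append("AA clear: answer is not authoritative (cached or forwarded?)")
    if h["ra"]:
        findings.append("RA set: server offers recursion, so it caches and answers for zones it does not serve")
    return findings


def make_header(flags, qdcount=1, ancount=1):
    """Build a constructed 12-byte header (sample data for this example only)."""
    return struct.pack("!HHHHHH", 0x1234, flags, qdcount, ancount, 0, 0)


# Constructed samples: a compliant authoritative answer and a resolver-style answer
GOOD_RESPONSE = make_header(QR | AA)
RESOLVER_RESPONSE = make_header(QR | RD | RA)

if __name__ == "__main__":
    for label, msg in (("authoritative", GOOD_RESPONSE), ("resolver", RESOLVER_RESPONSE)):
        print(label, "->", check_authoritative_only(msg) or "OK")
```

In practice the same check is run against a live answer for a name in the served zone; a server that answers with RA set is configured as a resolver as well as an authority, which is exactly the mixed role the slide rules out.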

15
NAME SERVER SITE
  • MUST house multiple Name Servers, which MUST be
    load balanced and must NOT be listed as
    individual Name Services
  • MUST have physical security expected of
    datacenters critical to a major enterprise
  • MUST have N+1 redundancy on ALL critical path
    devices and services
  • MUST use multiple redundant Internet feeds
  • SHOULD organise Name Servers so that automatic
    failover and isolation of a malfunctioning server
    occurs

16
NAME SERVER SITE
  • SHOULD have spare equipment on standby
  • SHOULD have appropriate support contracts in
    place with suppliers to ensure timely resolution
    of failures
  • MUST ensure that ONLY Name Servers and their
    supporting infrastructure are connected to the
    Name Service network

17
DNS PROVIDERS AND OPERATORS
  • DNS Provider
  • MUST at all times have a minimum of 2 suitably
    experienced / qualified Operators on staff
  • MUST ensure that an Operator is available 24 x 7
    x 365 on a centralised contact number
  • MUST follow all requirements outlined by the
    ccTLD Manager
  • MUST notify the ccTLD Manager immediately of any
    failure of DNS service
  • MUST ensure that planned outages are communicated
    and that only one site is undergoing maintenance
    at any one time

18
DNS PROVIDERS AND OPERATORS
  • DNS Operator
  • MUST have significant experience in operating
    iterative DNS services
  • MUST be adequately trained and experienced in the
    operation and maintenance of all equipment used
    to provide the service
  • MUST keep up to date with the latest developments
    and standards relating to DNS

19
MONITORING AND STATISTICS
  • Monitoring
  • MUST be performed by each DNS provider for all
    Name Servers and Name Services they provide
  • SHOULD be performed at global level from several
    different locations by an independent party

20
MONITORING AND STATISTICS
  • Statistics
  • MUST be kept by each DNS provider for each Name
    Server they operate
  • MUST be aggregated on a regular basis to a
    central location
  • SHOULD cover
  • Query counts
  • Query types
  • Usage rates
  • Loads
  • OS statistics
  • Response times
  • Outages
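
An added example (not the presenter's material) of the statistics slide 20 asks each provider to keep, and of the anomaly detection slide 10 mentions: it summarises constructed query log lines per window and compares a current window against a baseline. The line format (epoch seconds, client, qname, qtype, rcode, response time in ms) is invented for this example and is not the log format of any particular DNS server.

```python
from collections import Counter
from statistics import median

# Constructed sample lines; format assumed for this example only:
#   epoch_seconds client qname qtype rcode rtt_ms
BASELINE_LOG = """\
1000 192.0.2.10 www.example A NOERROR 1.1
1001 192.0.2.11 www.example AAAA NOERROR 0.9
1002 192.0.2.12 mail.example MX NOERROR 1.4
1003 192.0.2.10 ns1.example A NOERROR 0.8
1004 192.0.2.13 shop.example A NOERROR 1.0
1005 192.0.2.14 old.example A NXDOMAIN 0.7
1006 192.0.2.11 www.example A NOERROR 1.2
1007 192.0.2.15 api.example A NOERROR 1.3
1008 192.0.2.12 www.example AAAA NOERROR 0.9
1009 192.0.2.16 www.example A NOERROR 1.0
"""

# Constructed window with a higher rate, mostly non-existent names and slower answers
CURRENT_LOG = """\
2000 203.0.113.5 qzv1.example A NXDOMAIN 3.2
2000 203.0.113.6 qzv2.example A NXDOMAIN 3.5
2000 203.0.113.7 www.example A NOERROR 1.1
2001 203.0.113.8 qzv3.example A NXDOMAIN 4.0
2001 203.0.113.9 qzv4.example A NXDOMAIN 3.8
2001 203.0.113.5 qzv5.example A NXDOMAIN 4.1
2002 203.0.113.6 qzv6.example A NXDOMAIN 3.9
2002 203.0.113.7 mail.example MX NOERROR 1.3
2002 203.0.113.8 qzv7.example A NXDOMAIN 4.4
2002 203.0.113.9 qzv8.example A NXDOMAIN 4.2
"""


def parse_log(text):
    """Turn log lines into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, rtt = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "rcode": rcode, "rtt_ms": float(rtt)})
    return records


def summarise(records):
    """Per-window figures of the kind slide 20 lists: counts, rate, types, response times."""
    n = len(records)
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records) + 1
    rtts = sorted(r["rtt_ms"] for r in records)
    return {
        "queries": n,
        "qps": n / span,
        "qtype_share": {k: v / n for k, v in Counter(r["qtype"] for r in records).items()},
        "rcode_share": {k: v / n for k, v in Counter(r["rcode"] for r in records).items()},
        "unique_clients": len({r["client"] for r in records}),
        "rtt_median_ms": median(rtts),
        "rtt_max_ms": rtts[-1],
    }


def detect_anomalies(baseline, current, factor=3.0):
    """Flag metrics in `current` that moved more than `factor` times away from `baseline`."""
    findings = []
    if current["qps"] > factor * baseline["qps"]:
        findings.append(f"query rate {current['qps']:.2f}/s exceeds {factor}x baseline {baseline['qps']:.2f}/s")
    for rcode, share in current["rcode_share"].items():
        base = baseline["rcode_share"].get(rcode, 0.0)
        if share > factor * base and share > 0.2:
            findings.append(f"{rcode} share {share:.0%} vs baseline {base:.0%}")
    if current["rtt_median_ms"] > factor * baseline["rtt_median_ms"]:
        findings.append(f"median response time {current['rtt_median_ms']:.2f} ms vs baseline {baseline['rtt_median_ms']:.2f} ms")
    return findings


if __name__ == "__main__":
    base = summarise(parse_log(BASELINE_LOG))
    cur = summarise(parse_log(CURRENT_LOG))
    for finding in detect_anomalies(base, cur):
        print("anomaly:", finding)
```

The thresholds are deliberately crude; what matters for the slide is that each provider produces comparable figures per Name Server so that they can be aggregated centrally and compared across sites, which is what makes a regional or provider-specific problem stand out.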

21
POLICIES AND PROCEDURES
  • Service Level Agreements
  • Security Policies
  • Regular reviews of Name Server Sites
  • Emergency and Disaster Recovery Procedures
  • Maintenance of Information
  • Procedures for emergency and after hours updates
    MUST be defined

22
SO HOW MUCH IS ENOUGH?
  • Enough is subjective!
  • The amount of diversity will be a function of:
  • The greater the reliability of service required,
    the greater the costs will be
  • Evaluated based on the purpose of the domain
  • E.g. a large ccTLD will require greater diversity
    than the domain of a small accounting firm

23
SO HOW MUCH IS ENOUGH?
  • What is the risk of the temporary loss?
  • The name service should be designed in such a way
    that a temporary loss of a significant number of
    the Name Servers SHOULD NOT affect the operation
    of the domain
  • "Operation" is the ability to process
    transactions in a timely fashion
  • What number is significant?
  • Let's say 80% is significant
  • Therefore 20% of your DNS Service should be
    capable of serving current transaction load
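
Putting the 80%/20% reasoning above and the 10x headroom rule of slide 13 into numbers, as an added example rather than the presenter's material: the name service names, providers, continents, capacities and peak rate below are constructed. The loss check assumes the worst case, that the services which survive are the least capable ones, and the group check models the correlated failures slide 7 lists (a whole provider or a whole region going away at once).

```python
from collections import defaultdict

# Constructed figures for a hypothetical zone: (name service, provider, continent, capacity in queries/s).
# Capacities are made-up numbers for this example, not measurements of any real service.
SERVICES = [
    ("a.ns.example", "ProviderA", "Oceania",       200_000),
    ("b.ns.example", "ProviderA", "Oceania",       200_000),
    ("c.ns.example", "ProviderB", "Europe",        120_000),
    ("d.ns.example", "ProviderC", "North America", 150_000),
    ("e.ns.example", "ProviderC", "North America", 150_000),
    ("f.ns.example", "ProviderB", "Asia",           60_000),
]
PEAK_QPS = 10_000  # constructed: highest transaction rate seen to date


def below_headroom(services, peak_qps, factor=10):
    """Slide 13: each name service must handle `factor` times the peak seen to date.
    Returns the services that cannot."""
    return [name for name, _, _, capacity in services if capacity < factor * peak_qps]


def survives_loss(services, load_qps, loss_percent=80):
    """Slide 23: after losing `loss_percent` of the name services, the survivors must
    still carry `load_qps`. Worst case: the survivors are the least capable services."""
    survivors = max(1, len(services) * (100 - loss_percent) // 100)
    weakest = sorted(capacity for *_, capacity in services)[:survivors]
    return sum(weakest) >= load_qps


def failing_groups(services, load_qps, group_index):
    """Correlated loss (slide 7: provider failure, regional outage): drop every service
    sharing one value of the chosen column (1 = provider, 2 = continent) and report the
    groups whose loss leaves too little capacity for `load_qps`."""
    capacity_by_group = defaultdict(int)
    for entry in services:
        capacity_by_group[entry[group_index]] += entry[3]
    total = sum(capacity_by_group.values())
    return sorted(group for group, lost in capacity_by_group.items() if total - lost < load_qps)


if __name__ == "__main__":
    print("below 10x headroom:", below_headroom(SERVICES, PEAK_QPS))
    print("survives 80% loss at peak:", survives_loss(SERVICES, PEAK_QPS))
    print("providers whose loss breaks service at 500k qps:", failing_groups(SERVICES, 500_000, 1))
    print("continents whose loss breaks service at 500k qps:", failing_groups(SERVICES, 500_000, 2))
```

With these figures the zone survives an 80% loss at today's peak, but one service falls short of the 10x headroom rule and, at a much higher load, the loss of the largest provider or its region is the first thing that breaks, which is why slide 12 spreads the service across providers and continents rather than relying on raw capacity.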

24
FURTHER READING
  • RFC 1591 Domain Name System Structure and
    Delegation
  • RFC 2182 Selection and Operation of Secondary
    DNS Servers
  • RFC 2541 DNS Security Operational Considerations
  • RFC 3833 Threat Analysis of the Domain Name
    System (DNS)
