1. Yeti DNS Project
Davey Song / BII Lab
Ma Yan / BUPT
2015-09-08 / Internet
2. Goals
1. The Yeti project wants people to know about the project.
2. The Yeti project welcomes more participants!
Outline
l The DNS root system as background
l What is the Yeti DNS project
l Some technical findings
3. About Domain Name System & Root
[Diagram: the DNS hierarchy, from the root servers (ROOT) to TLD servers (CN, .com) to SLD servers (ZDNS, CNTV, SLD-N, SLD-M), with recursive servers at ISPs in between; layered over applications, naming and routing, and physical infrastructure. Example mapping: the human-readable names baidu.com / news.baidu.com to the IP addresses 201.101.1.2 / 2001:da8:adcf:ff:101::11.]
4. The (very) uneven distribution of DNS root servers on the Internet
1. The number of root servers is limited to 13 for a technical reason (the 512-byte DNS/UDP response limit, derived from the IPv4 minimum datagram size)
2. 400+ anycast root instances, but only 4 in China (I, J, L, F) for 650 million Internet users: about 0.2 billion users per site
[Map: the current distribution of DNS root servers]
5. Why not add more root servers?
• The number of root servers is limited to 13 for technical reasons:
• The 512-byte limit on DNS/UDP message size in RFC 1035 (20+ years old, derived from the 576-byte minimum datagram size of the IPv4 specification, RFC 791)
• Performance considerations (the UDP query/response pattern: a priming response must fit in one unfragmented datagram)
• Anycast root instance deployment relies heavily on BGP, which is based on autonomous systems and their routing policies
"it (the root scaling issue) could be regarded as a byproduct of a single hierarchical name space, the centralization of root information in the DNS is operationally problematical and does not cleanly fit within a distributed and decentralized peer model of a network architecture."
--- Geoff Huston
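The 512-byte arithmetic behind "13 letters", as an added example (not code from the Yeti project or from any root operator): a minimal DNS wire-format writer with RFC 1035 suffix compression builds the answer to the priming query `NS .` and measures it as the number of root letters grows and as A or AAAA glue is attached. The NS and glue TTLs are the root zone's (518400 and 3600000); the glue addresses are constructed placeholders, not real root server addresses. The writer also encodes the root label as its single zero byte and never replaces it with a two-byte pointer, which is the point behind the Knot 2.0 finding later in this deck.

```python
import struct

HEADER_LEN = 12               # RFC 1035 section 4.1.1
UDP_LIMIT = 512               # RFC 1035 section 2.3.4, before EDNS0
TYPE_A, TYPE_NS, TYPE_AAAA, CLASS_IN = 1, 2, 28, 1
QUESTION, ANSWER, AUTHORITY, ADDITIONAL = 0, 1, 2, 3


class Message:
    """Minimal DNS wire-format writer with RFC 1035 suffix compression."""

    def __init__(self):
        self.buf = bytearray(HEADER_LEN)   # header is filled in by wire()
        self.suffixes = {}                 # tuple of labels -> offset
        self.counts = [0, 0, 0, 0]

    def name(self, dotted):
        labels = [l.encode() for l in dotted.rstrip(".").split(".") if l]
        out = bytearray()
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in self.suffixes:            # reuse an earlier copy
                out += struct.pack("!H", 0xC000 | self.suffixes[suffix])
                return bytes(out)
            pos = len(self.buf) + len(out)         # where this label will land
            if pos < 0x4000:                       # pointers carry 14 bits
                self.suffixes[suffix] = pos
            out += bytes([len(label)]) + label
        # The root label is one zero byte; a two-byte pointer to it would be
        # larger, not smaller, so it is never compressed.
        return bytes(out + b"\x00")

    def question(self, qname, qtype):
        self.buf += self.name(qname) + struct.pack("!HH", qtype, CLASS_IN)
        self.counts[QUESTION] += 1

    def rr(self, section, owner, rtype, ttl, rdata=None, rdata_name=None):
        self.buf += self.name(owner) + struct.pack("!HHI", rtype, CLASS_IN, ttl)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"                    # RDLENGTH placeholder
        body = self.name(rdata_name) if rdata_name else rdata
        self.buf += body
        struct.pack_into("!H", self.buf, rdlen_at, len(body))
        self.counts[section] += 1

    def wire(self):
        # ID 0, flags QR|AA, then the four section counts
        struct.pack_into("!HHHHHH", self.buf, 0, 0, 0x8400, *self.counts)
        return bytes(self.buf)


def priming_response(letters=13, a_glue=True, aaaa_glue=False):
    """Answer to the priming query 'NS .' for `letters` root servers named
    a..z.root-servers.net, with the requested glue in the ADDITIONAL section.
    Glue addresses are constructed placeholders, not real root server IPs."""
    if not 1 <= letters <= 26:
        raise ValueError("letters must be between 1 and 26")
    m = Message()
    m.question(".", TYPE_NS)
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(letters)]
    for n in names:
        m.rr(ANSWER, ".", TYPE_NS, 518400, rdata_name=n)
    for i, n in enumerate(names):
        if a_glue:
            m.rr(ADDITIONAL, n, TYPE_A, 3600000, rdata=bytes([192, 0, 2, i + 1]))
        if aaaa_glue:
            m.rr(ADDITIONAL, n, TYPE_AAAA, 3600000, rdata=bytes(15) + bytes([i + 1]))
    return m.wire()


def max_letters(limit=UDP_LIMIT, **glue):
    """Largest number of root letters whose priming response fits in `limit` bytes."""
    n = 0
    while n < 26 and len(priming_response(n + 1, **glue)) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    for kw in ({"a_glue": True}, {"a_glue": True, "aaaa_glue": True}):
        size = len(priming_response(13, **kw))
        print(f"13 letters, glue {kw}: {size} bytes; "
              f"max letters within {UDP_LIMIT}: {max_letters(**kw)}")
```

With 13 letters and A glue the response is 436 bytes, the figure familiar from root operator reports, leaving only a few dozen bytes of headroom; with A and AAAA glue for all 13 it is 800 bytes, which is why IPv6 glue in the priming response already depends on EDNS0 and larger UDP buffers, and why an IPv6-only root system with more than 13 servers runs straight into the packet size questions the deck raises later.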
6. Scaling the Root
• Increase the capability of the system (more machines)
– More anycast root instances
– Slave the root by a localized cache
• http://datatracker.ietf.org/doc/draft-ietf-dnsop-root-loopback/
– Universal anycast (unowned anycast, like AS112)
• https://tools.ietf.org/html/draft-lee-dnsop-scalingroot-00
• Increase the "letters" (more root operators)
– Priming exchange via TCP or HTTP (break the 512-byte limitation)
• http://datatracker.ietf.org/doc/draft-song-dnsop-tcp-primingexchange/
– Serve the IANA root zone from a different set of root servers
– Yeti DNS project: http://www.yeti-dns.org
7. Who is Yeti?
• Yeti is an IPv6-only live root DNS server system testbed
• Precisely mirrors the IANA DNS namespace
• Experimental project with a 3-year duration and clear goals
• Like IANA, has diverse servers globally
• Server operators are volunteers from many nations
• Like IANA, has DNSSEC, with a published signing key
• Has its own DNSSEC signing and validation keys
• Coordinators: BII (China), WIDE (Japan), TISF (US)
• The system is intended for Internet-scale science
8. Problem Space of Yeti (1)
• DNS centralization vs. network autonomy
• External dependency
• Local services rely on external root services
• Require external management
• Surveillance risk
• Information leakage caused by DNS root lookups
9. Problem Space of Yeti (2)
• Can IPv6-only DNS survive?
• Some DNS servers that have both A & AAAA (IPv4 & IPv6) records still do not respond to queries sent over IPv6
• IPv6 guarantees a larger minimum MTU (1280 bytes), but has a different fragmentation model (only the sender fragments; routers drop oversized packets instead)
• Is it ready for KSK rollover, or not?
• Not all resolvers comply with RFC 5011 (automated trust anchor updates)
• Larger packets (DNSKEY responses carrying old and new keys) introduce risks during KSK/ZSK rollover
• And, the renumbering issue
10. "One Namespace, Many Circles" Model
[Diagram]
Current model: one unique IANA namespace and KSK. NTIA vets the root zone changes, IANA edits the zone, and Verisign as the single DM signs and distributes the root zone file to the root servers A, B, ... M.
Yeti model: the same unique IANA namespace. Several DMs, kept consistent by a DM coordination protocol, each sign and distribute the root zone file to their own group of root servers (Group A, Group B, ...).
DM: distribution master
11. Experiments expected on Yeti
• IPv6-only operation
• DNSSEC key rollover, and even algorithm rollover
• Renumbering with higher frequency
• Adding more than 13 root servers (how about 25 or more?)
• Multiple zone file signers
• Multiple zone file editors (shared zone control)
15/9/7
12. Roles and Participants
• Coordinators and DMs
• WIDE, BII and TISF
• Root server operators
• 11 root servers are operating, another 5 have shown interest
• Participants from the client side
• Research labs
• DNS software implementers
• Developers of CPE devices, IoT devices, ...
• Traffic and data collector
• BII
• Experiment proposers
• Any interested parties
13. Yeti Components
l Yeti Distribution Masters (DM)
- Start with IANA root (via
AXFR)
- Change IANA root servers to
Yeti root servers
- Sign using Yeti KSK
l Yeti root servers
- AXFR Yeti root from Yeti DM
- Serve as DNS root servers
- Capture traffic information
l Yeti resolvers
- Use Yeti root servers
- May capture traffic
information
l IPv6-only FTW ;)
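The Distribution Master steps above (start from the IANA root, swap the IANA root servers for Yeti root servers, then sign with Yeti keys), as an added example that is not Yeti's own DM code. The zone excerpt is constructed with truncated key and signature material, the Yeti server names and 2001:db8::/32 addresses are hypothetical placeholders, and the parser only handles the one-record-per-line form of the excerpt. Re-signing with the Yeti KSK/ZSK is the step after this transformation and is not shown here.

```python
import ipaddress

IANA_SUFFIX = ".root-servers.net."
DNSSEC_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"}

# Hypothetical Yeti root server names and addresses (assumption, not the
# real Yeti server list). Yeti is IPv6-only, so only AAAA glue is published.
YETI_ROOT_SERVERS = {
    "yeti-ns1.example.": "2001:db8:1::53",
    "yeti-ns2.example.": "2001:db8:2::53",
    "yeti-ns3.example.": "2001:db8:3::53",
}

# Constructed excerpt of an IANA-style root zone in presentation format;
# key, signature and digest material is truncated. Not a real zone file.
IANA_ROOT_ZONE = """\
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2015090800 1800 900 604800 86400
.\t518400\tIN\tNS\ta.root-servers.net.
.\t518400\tIN\tNS\tm.root-servers.net.
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAagAIK...
.\t518400\tIN\tRRSIG\tNS 8 0 518400 20150915000000 20150908000000 12345 . dGhpcyBpcy...
.\t86400\tIN\tNSEC\taaa. NS SOA RRSIG NSEC DNSKEY
a.root-servers.net.\t3600000\tIN\tA\t198.41.0.4
a.root-servers.net.\t3600000\tIN\tAAAA\t2001:503:ba3e::2:30
m.root-servers.net.\t3600000\tIN\tA\t202.12.27.33
m.root-servers.net.\t3600000\tIN\tAAAA\t2001:dc3::35
com.\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t86400\tIN\tDS\t12345 8 2 0123456789ABCDEF...
com.\t86400\tIN\tRRSIG\tDS 8 1 86400 20150915000000 20150908000000 12345 . c2lnbmF0dXJl...
a.gtld-servers.net.\t172800\tIN\tA\t192.5.6.30
a.gtld-servers.net.\t172800\tIN\tAAAA\t2001:503:a83e::2:30
"""


def parse_zone(text):
    """Parse one-record-per-line presentation format (no $ORIGIN, no
    multi-line parentheses) into (owner, ttl, type, rdata) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        if cls != "IN":
            raise ValueError(f"unexpected class {cls!r} in {raw!r}")
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def yeti_transform(records, yeti_servers=YETI_ROOT_SERVERS,
                   ns_ttl=518400, glue_ttl=3600000):
    """Replace the IANA apex NS set and its glue with the Yeti set, and strip
    IANA DNSSEC material so the zone can be re-signed with the Yeti keys.
    Everything else (SOA, delegations, DS records) is passed through."""
    out = []
    for owner, ttl, rtype, rdata in records:
        if rtype in DNSSEC_TYPES:
            continue                      # IANA keys/signatures: re-signed later
        if owner == "." and rtype == "NS":
            continue                      # apex NS -> a..m.root-servers.net
        if owner.endswith(IANA_SUFFIX) and rtype in ("A", "AAAA"):
            continue                      # glue for the IANA root servers
        out.append((owner, ttl, rtype, rdata))
    for name, addr in yeti_servers.items():
        if ipaddress.ip_address(addr).version != 6:
            raise ValueError(f"Yeti is IPv6-only, refusing IPv4 glue for {name}")
        out.append((".", ns_ttl, "NS", name))
        out.append((name, glue_ttl, "AAAA", addr))   # out-of-zone glue
    return out


def to_zone_text(records):
    """Render back to presentation format for the AXFR to Yeti root servers."""
    return "".join(f"{o}\t{t}\tIN\t{r}\t{d}\n" for o, t, r, d in records)


def root_hints(records):
    """Hints for a Yeti resolver: the apex NS set plus its AAAA glue."""
    apex_ns = [(o, t, r, d) for o, t, r, d in records if o == "." and r == "NS"]
    servers = {d for o, t, r, d in apex_ns}
    glue = [(o, t, r, d) for o, t, r, d in records if o in servers and r == "AAAA"]
    return to_zone_text(apex_ns + glue)


def yeti_zone_from_sample():
    """Run the transformation over the constructed excerpt."""
    return yeti_transform(parse_zone(IANA_ROOT_ZONE))


if __name__ == "__main__":
    print(to_zone_text(yeti_zone_from_sample()))
    print(root_hints(yeti_zone_from_sample()))
```

The Yeti glue records are out-of-zone (the server names live in domains the root is not authoritative for), which is exactly the situation behind the BIND 9 priming-glue finding later in this deck; the IPv4 check reflects the IPv6-only rule of the testbed rather than anything in the zone format.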
14. Current Status
l System functioning
l Infrastructure up
- Web site, http://yeti-dns.org
- Mailing lists, DSC, RT ticketing, ...
l Docs & scripts in GitHub (IPv4 only!)
- https://github.com/BII-Lab/Yeti-Project
l Currently gathering Yeti root operators
- 11 up now
15. Things That Yeti is Not...
l NOT research into alternatives to the IANA root/namespace
l NOT interested in policy or political work
- Although such work may eventually result from Yeti findings
16. Some Findings So Far
l Root glue issues (Resolved!)
l The current root servers are authoritative for the root-servers.net zone, but Yeti root servers are not (their names live in independent domains). Without this setup, BIND 9 does not include glue in answers to priming queries.
l Resolved! With a patch to BIND
l A bug in Knot 2.0 (Resolved!)
l Knot 2 compresses even the root label. That is useless (it is a zero-length label, only one byte, while a compression pointer takes two). Knot 1.6, used for K-root, does not do that.
l Resolved! https://gitlab.labs.nic.cz/labs/knot/issues/398
l DNSCAP issues
l The current DNSCAP (both the DNS-OARC and Verisign versions) was observed losing some packets, which is not ideal
17. Experiment in BUPT
• Test the feasibility of the Yeti concept in a campus network with over 10,000 active IPv6 users
• Accessibility of one Yeti DNS root server from BUPT
• Set up a dual-stack recursive DNS (R-DNS) and DHCPv6 server in the WiFi network of BUPT Building 3
• Set up IPv6-Yeti-test as one WiFi SSID
• Distribute the R-DNS to IPv6 users via the DHCPv6 server
• Encourage students to try it
• Collect access information for further analysis
[Campus network diagram: Teaching Buildings 1-4, the Main Building, Mingguang Building and the Research Building on 10G uplinks, Hongfu Campus on 1G; wireless controllers 1-3 (controller 3 with WAPI) on 10G; per-building wireless access for Teaching Buildings 1-4, the Main Building, Mingguang Building and the Research Building, plus canteen, sports and outdoor wireless, on 1G links. The Yeti DNS server, the DHCPv6 server and the R-DNS sit on this network with Internet connectivity. Caption: System Ready for Yeti Experiment.]
18. Yeti R-DNS Traffic Analysis
[Charts] Peak: 1900 qps; average: 170 qps. Major qtypes: AAAA and A. AAAA queries: 29%; A queries: 68%; other qtypes: 3%.
20. Current Yeti traffic status
Query rate of the Yeti root system (1.6 qps); query rate at BUPT (0.86 qps)
21. Next Steps
l Get "enough" Yeti root servers
l Introduce experiment traffic from universities and research labs
l Design and conduct experiments in the Yeti testbed
l Hopefully deliver experiment reports and feedback to the community or standards bodies