Yeti DNS Project
•
2 likes•887 views
Yeti DNS Project, by Davey Song. A presentation given at the APNIC 40 Lightning Talks session on Tue, 8 Sep 2015.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (13)
Similar to Yeti DNS Project
Similar to Yeti DNS Project (20)
More from APNIC
More from APNIC (20)
Recently uploaded
Recently uploaded (20)
Yeti DNS Project
- 1. Ye# DNS Project Davey Song / BII Lab Ma Yan /BUPT 2015-09-08 / Internet
- 2. Goals 1. Yeti project want people to know about the project. 2. Yeti project welcome more Yeti participants! Outline l DNS root system as a background l What’s Ye8 DNS project l Some techinical findings
- 3. About Domain Name System & Root Applications Naming and Routing Physical infrastructure Authoriity server Root server ROOT SLD Server ZDNS CNTV SLD-N SLD-M recursive server ISP ISP … … … … TLD server ★ CN .com Domain System IP address: 201.101.1.2 2001:da8:adcf:ff:101::11 human-readable name: baidu.com news.baidu.com
- 4. The (very) uneven distribution of DNS root servers on the Internet 1. The number of Root server is limited to 13 due to technical reason (IPv4 MTU) 2. 400+Anycast Root instance, Only 4 in China(I,J,L,F) with 650million Internet users China: 0.2B/per site The Current Distribu#on of DNS Root Server
- 5. Why not increase more Root server • The number of Root server is limited to 13 due to technical reason • 512B limita8on on packets size in RFC1035 (20+ years ago in IPv4 MTU specifica8on RFC791) • Performance considera8on(UDP/ query&response pa]ern) • Anycast Root instance development heavily relies on BGP networking which is based on autonomous system and policy “it (root scaling issue) could be regarded as a byproduct of a single hierarchical name space, the centraliza:on of root informa:on in the DNS is opera:onally problema:cal and does not cleanly fit within a distributed and decentralized peer model of a network architecture.” -‐-‐-‐ Geoff Huston
- 6. Scaling the Root • Increase the capability of the system (more machines) – More anycast root instance – Slave the root by Localized cache • h]p://datatracker.ieb.org/doc/drac-‐ieb-‐dnsop-‐root-‐loopback/ – Universal Anycast (unowned anycast like AS112) • h]ps://tools.ieb.org/html/drac-‐lee-‐dnsop-‐scalingroot-‐00 • Increase the “le]er” (more Root operators) – Priming exchange via TCP or H]p (break the limita8on of 512B) • h]p://datatracker.ieb.org/doc/drac-‐song-‐dnsop-‐tcp-‐primingexchange/ – Server IANA root zone in different set of root server – Ye8 DNS project h]p://www.ye8-‐dns.org
- 7. Who is Ye#? • Ye8 is an IPv6 only Live Root DNS Server System Testbed • Precisely mirrors the IANA DNS namespace • Experimental project with 3 years dura8on and clear goal • Like IANA, has diverse servers globally • Server operators are volunteers from many na8ons • Like IANA, has DNSSEC, with a published signing key • Has its own DNSSEC signing and valida8on keys • Coordinators: BII (China), WIDE (Japan), TISF (US) • System is intended for Internet-‐scale science
- 8. Problem Space of Yeti(1) • DNS Centraliza#on Vs. Network Autonomy • External Dependency • Local services rely on external root services • Require external management • Surveillance risk • Informa8on leakage cause by the DNS Root lookup
- 9. Problem Space of Yeti(2) • Can IPv6-‐only DNS survive? • Some DNS servers which support both A & AAAA (IPv4 & IPv6) records s8ll do not respond to IPv6 queries • IPv6 introduces larger MTU (1280 bytes) , but a different fragmenta8on model • Is it ready for KSK Rollover, or not? • Not all resolver are compliant to RFC5011 • Larger packets will introduce risks during ksk/zsk rollover • And, Renumbering issue
- 10. “ One Namespace, Many Circles” Model IANA A B M Unique IANA name space and KSK Unique IANA name space and KSK Group A of root server Group B of root server Current Model: Yeti Model : Verisign NTIA DM Venng the root zone changes Sign and distribute the root zone file Sign and distribute the root zone file IANA DM DM DM DM coordination protocol DM: distribu8on master
- 11. Experiments expected on Yeti • IPv6-‐only opera8on • DNSSEC Key rollover and even algorithm rollover • Renumbering with larger frequency • Adding more than 13 root servers (How about 25 or more?) • Mul8ple zone file signers • Mul8ple zone file editors (Shared zone control) 15/9/7
- 12. Roles and Participants • Coordinators and DMs • WIDE, BII and TISF • Root Server Operators • 11 root servers are operating , other 5 show their interests • Par#cipants from client side • Research labs, • DNS software implementers, • Developers of CPE devices, IoT devices, … • Traffic and Data Collector • BII • Experiment Proposer • Any interested par8es 15/9/7
- 13. Ye# Components l Yeti Distribution Masters (DM) - Start with IANA root (via AXFR) - Change IANA root servers to Yeti root servers - Sign using Yeti KSK l Yeti root servers - AXFR Yeti root from Yeti DM - Serve as DNS root servers - Capture traffic information l Yeti resolvers - Use Yeti root servers - May capture traffic information l IPv6-only FTW ;)
- 14. Current Status l System functioning l Infrastructure up - Web site, http://yeti-dns.org - Mailing lists, DSC, RT ticketing, ... l Docs & scripts in GitHub (IPv4 only!) - https://github.com/BII-Lab/Yeti-Project l Currently gathering Yeti root operators - 11 up now
- 15. Things That Ye# is Not... l NOT research into alternatives to the IANA root/namespace l NOT interested in policy or political work - Although such work may eventually result from Yeti findings
- 16. Some Findings So Far l Root Glue issues (Resolved!) l Current root servers answer for the root-servers.net zone, but Yeti root server dose not (independent domain),Without this setup, BIND 9 does not include glue in answers to priming queries. l Resolved! With a patch of BIND l A Bug in Knot 2.0 (Resolved!) l Knot 2 compress even the root. It is useless (since it is a zero-length label, only one byte. Knot 1.6 used for K-root do not do that l Resolved! https://gitlab.labs.nic.cz/labs/knot/issues/398 l DNSCAP issues l Current DNSCAP(both DNS-OARC and Verisign versions ) was observed losing some packet which is not ideal
- 17. Experiment in BUPT • Test the feasibility of Ye8 concept in campus network with over 10,000 IPv6 ac8ve users • Accessibility of one Ye8 DNS root server from BUPT • Setup a dual stack Recursive-‐DNS and DHCPv6 server in WiFi network of BUPT Buiding-‐3 • Setup IPv6-‐Ye8-‐test as one WiFi SSID • Distribute R-‐DNS to IPv6 users via DHCPv6 server • Encourage student to try • Collect access informa8on for further analysis 教1楼 10G 教2楼 10G 教3楼 10G 教4楼 10G 主楼 10G 明光楼 10G 科研楼 10G 1G 宏福校区 1G 10G ⽆无 控制器1 10G ⽆无 控制器2 10G ⽆无 控制器3/WAPI 1G 1G ⼩小 位 教1楼⽆无 1G 教2楼⽆无 1G 教3楼⽆无 1G 教4楼⽆无 1G 主楼⽆无 1G 明光楼⽆无 1G 科研楼⽆无 1G ⽆无 1G ⾷食堂 体育 室外 ⽆无 1G Yeti DNS DHCPv6 server R-DNS Internet System Ready for Yeti Experiment
- 18. Yeti R-DNS Traffic Analysis Peak: 1900qps AVG: 170qps Major Qtype: AAAA,A Peak: 13 bytes AAAA query:29% A query: 68% Other Qtype: 3%
- 19. Yeti R-DNS Traffic Analysis Mainly range from 60-150 Bytes Peak : 90 bytes 0-8191 : 5% 8192-28671: 27% 28672-45055: 28% 45056-65535: 40%
- 20. Current Yeti traffic status Query rate of Yeti root system (1.6 qps) Query rate at BUPT (0.86 qps)
- 21. Next Steps l Get ”enough” Yeti root servers l Introduce experiment traffic from Universities and research labs l Design and conduct some experiments in Yeti Testbed l Hopefully deliver some experiment report and feedback to the community or standard bodies
- 22. Thank you!