Current status of Yeti DNS project · 2020-05-20 · Davey Song @...
Current status of Yeti DNS Project
Davey Song @ BII Lab, 2015.10.31, Yeti Workshop, Yokohama
Outline
• Background & Motivation
• Yeti Testbed & Statistics
  • Distribution master
  • Authority server
  • Resolver & traffic
  • Data collection & Monitoring
• Some technical findings and bug reports
• Conclusion
Related work & discussion on the Root System
• ICANN ITI Panel & technical report: https://www.icann.org/en/system/files/files/iti-report-15may14-en.pdf
• ICANN RSSAC documents
  • RSSAC 002: Advisory on Measurements of the Root Server System
  • RSSAC 003: Report on Root Zone TTLs
  • History and Technical Analysis of the Naming Scheme Used for Individual Root Servers (work in progress)
• ICANN Root Zone KSK Rollover Plan (draft)
• Scaling the Root, by Geoff Huston, IPJ, March 2015
• IETF work on the DNS Root system
  • draft-ietf-dnsop-root-loopback-05
  • draft-ietf-dnsop-resolver-priming-05
  • RFC 7626: DNS Privacy Considerations, by S. Bortzmeyer
Is the Root system “special”?
• The top infrastructure / entrance of the DNS system
• The priming process & hint-file handling is not fully documented as part of the DNS protocol
• Producing the Root zone / signing the Root zone / distributing the Root zone is done by various parties
• The KSK of the Root zone is the Trust anchor / No parent DS
• Relies heavily on the BGP routing system (Anycast) to support the Root system
• Regarding Internet governance, non-technical people may view the root as “the control of the Internet”
What is Yeti?
• Yeti is an IPv6-only Live Root DNS Server System Testbed
• Precisely mirrors the IANA DNS namespace
• Experimental project with a 3-year duration and clear goals
• Like IANA, has diverse servers globally
• Server operators are volunteers from many nations
• Like IANA, has DNSSEC, with a published signing key
• Has its own DNSSEC signing and validation keys
• System is intended for Internet-scale science
Why: Problem Space of Yeti (1)
Conflict between DNS Centralization vs. Network Autonomy
• External Dependency
  • Local services rely on external root services
  • Require external management and support
• Surveillance risk
  • Information leakage caused by DNS Root lookups
  • RFC 7626: DNS Privacy Considerations, by S. Bortzmeyer
Why: Problem Space of Yeti (2)
• Can IPv6-only DNS survive?
  • Some DNS servers which publish both A & AAAA (IPv4 & IPv6) records still do not respond to queries over IPv6
  • IPv6 guarantees a larger minimum MTU (1280 bytes), but a different fragmentation model: only the sender fragments, never routers on the path
• Is it ready for KSK Rollover, or not?
  • Not all resolvers are compliant with RFC 5011
  • Larger packets will introduce risks during KSK/ZSK rollover
• And, the renumbering issue
https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Yeti_PS.md
Hypotheses & Experiments expected on Yeti
• IPv6-only operation
• DNSSEC key rollover and even algorithm rollover
• Renumbering with higher frequency
• Adding more than 13 root servers (how about 25 or more?)
• Multiple zone file signers
• Multiple zone file editors (some kind of shared zone control)
“a good design could allow a political process of deciding how control for a particular zone should be shared to start” --- ICANN ITI technical report
Architecture Design for Yeti
[Figure, two models side by side]
Current Model: IANA (unique IANA namespace and KSK) → NTIA (vetting the root zone changes) → Verisign (sign and distribute the root zone file) → root servers A, B, ..., M
Yeti Model: IANA (unique IANA namespace and KSK) → DM, DM, DM (sign and distribute the root zone file, linked by a DM coordination protocol) → Group A of root servers, Group B of root servers
DM: distribution master
Three DMs setup and coordination
https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Yeti-DM-Setup.md
https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Yeti-DM-Sync.md
[Figure: BII DM REPO, WIDE DM REPO and TISF DM REPO synchronizing the KSK, ZSK, server list and IANA serial number; timing setting: time of fetching the zone]
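The zone-editing step the three DMs have to agree on, as an added Python example (this is not the Yeti project's own DM scripts, which drive BIND's signing tools): take the IANA root zone, drop the IANA apex NS RRset, its glue and the apex DNSKEY RRset, splice in the Yeti server list (IPv6 only) and Yeti keys, and keep the IANA SOA serial, so that DMs working from the same synchronized inputs emit byte-identical zones. The zone text, server names, addresses (documentation prefixes) and key strings are constructed placeholders; signing is out of scope.

```python
"""Zone-editing step of a Yeti-style distribution master (added example).

Not the Yeti project's DM code. Inputs that the slide says the DMs synchronize
(KSK, ZSK, server list, IANA serial) are modelled as the function arguments;
everything below is constructed placeholder data.
"""
import hashlib

# Constructed, minimal IANA-like root zone: one RR per line, presentation format.
IANA_ZONE = """\
.   86400   IN SOA     a.root-servers.net. nstld.verisign-grs.com. 2015103100 1800 900 604800 86400
.   518400  IN NS      a.root-servers.net.
.   518400  IN NS      b.root-servers.net.
.   172800  IN DNSKEY  257 3 8 IANAKSKPLACEHOLDER
.   172800  IN DNSKEY  256 3 8 IANAZSKPLACEHOLDER
a.root-servers.net.  3600000 IN A     192.0.2.4
a.root-servers.net.  3600000 IN AAAA  2001:db8:a::4
b.root-servers.net.  3600000 IN A     192.0.2.201
com.                 172800  IN NS    a.gtld-servers.net.
a.gtld-servers.net.  172800  IN A     192.0.2.30
a.gtld-servers.net.  172800  IN AAAA  2001:db8:c::30
"""

# Constructed Yeti inputs; the three DMs (BII, WIDE, TISF) must share these.
YETI_SERVERS = {                                  # name -> IPv6 address (Yeti is IPv6-only)
    "yeti-ns.dm1.example.": "2001:db8:1::53",
    "yeti-ns.dm2.example.": "2001:db8:2::53",
    "yeti-ns.dm3.example.": "2001:db8:3::53",
}
YETI_DNSKEYS = ["257 3 8 YETIKSKPLACEHOLDER", "256 3 8 YETIZSKPLACEHOLDER"]


def parse_zone(text):
    """Return a list of (owner, ttl, class, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            rrs.append((owner, int(ttl), cls, rtype, rdata.strip()))
    return rrs


def soa_serial(rrs):
    soa = next(rr for rr in rrs if rr[0] == "." and rr[3] == "SOA")
    return int(soa[4].split()[2])


def dm_rewrite(iana_zone, servers, dnskeys, ns_ttl=518400, key_ttl=172800):
    """Produce the unsigned Yeti root zone text from the IANA root zone text."""
    rrs = parse_zone(iana_zone)
    iana_ns = {rd for (o, _, _, t, rd) in rrs if o == "." and t == "NS"}
    kept = [rr for rr in rrs
            if not (rr[0] == "." and rr[3] in ("NS", "DNSKEY"))      # drop IANA apex NS and keys
            and not (rr[0] in iana_ns and rr[3] in ("A", "AAAA"))]   # drop IANA root-server glue
    for name in sorted(servers):
        if ":" not in servers[name]:
            raise ValueError(f"{name}: Yeti servers need an IPv6 address")
        kept.append((".", ns_ttl, "IN", "NS", name))
        kept.append((name, ns_ttl, "IN", "AAAA", servers[name]))
    for key in dnskeys:
        kept.append((".", key_ttl, "IN", "DNSKEY", key))
    # Canonical ordering so independent DMs serialize byte-identical zones.
    kept.sort(key=lambda rr: (rr[0] != ".", rr[0], rr[3] != "SOA", rr[3], rr[4]))
    return "".join(f"{o}\t{ttl}\t{c}\t{t}\t{rd}\n" for (o, ttl, c, t, rd) in kept)


def zone_digest(zone_text):
    return hashlib.sha256(zone_text.encode()).hexdigest()


def dms_agree(zone_texts):
    """True when every DM produced the same zone: one digest and one SOA serial."""
    digests = {zone_digest(z) for z in zone_texts}
    serials = {soa_serial(parse_zone(z)) for z in zone_texts}
    return len(digests) == 1 and len(serials) == 1


if __name__ == "__main__":
    outputs = [dm_rewrite(IANA_ZONE, YETI_SERVERS, YETI_DNSKEYS) for _dm in ("BII", "WIDE", "TISF")]
    print(outputs[0])
    print("IANA serial preserved:", soa_serial(parse_zone(outputs[0])) == soa_serial(parse_zone(IANA_ZONE)))
    print("DMs agree:", dms_agree(outputs))
```

The digest comparison is the check a root server operator can run against two DMs before pulling: a DM whose server list lags behind the others (the "stale" case in the test) produces a different digest even though the serial still matches, which is why the slide lists the server list alongside the keys and the IANA serial as state that has to be synchronized.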
Yeti Map
Yeti Root server
• Machine, OS, DNS software
[Pie charts, values as extracted: OS: NetBSD, FreeBSD, Linux (1, 5, 6); DNS software: BIND, Knot, NSD (8, 2, 4); Virtual machine vs. physical machine (11, 3)]
• BIND 9.10.3, BIND 9.10.2, BIND 9.9.7-P2, BIND 9.9.8
• NSD 4.1.5, NSD 4.1.0
• Knot 2.0.1, Knot 2.1.0
Resolvers and experimental traffic
Experiment in BUPT
• Test the feasibility of the Yeti concept in a campus network with over 10,000 active IPv6 users
• Accessibility of one Yeti DNS root server from BUPT
• Set up a dual-stack recursive DNS (R-DNS) and DHCPv6 server in the WiFi network of BUPT Building 3
• Set up IPv6-Yeti-test as one WiFi SSID
• Distribute the R-DNS to IPv6 users via the DHCPv6 server
• Encourage students to try it
• Collect access information for further analysis
[Network diagram of the BUPT campus: Teaching Buildings 1-4, the Main Building, Mingguang Building and the Research Building connect to the core at 10G, Hongfu Campus at 1G; wireless controllers 1-3 (controller 3 with WAPI) at 10G; per-building wireless (Teaching Buildings 1-4, Main Building, Mingguang Building, Research Building, canteen, sports and outdoor wireless) at 1G; the Yeti DNS root server, the DHCPv6 server and the R-DNS sit alongside, with an uplink to the Internet]
System Ready for Yeti Experiment
Yeti R-DNS Traffic Analysis
Peak: 205 qps
Major Qtypes: AAAA, A
AAAA queries: 37%, A queries: 58%, other Qtypes: 5%
Data collection and monitoring
• DSC page on the Yeti website: http://yeti-dns.org/statistics.html
• Health monitoring page: http://yeti-dns.org/yeti_server_status.txt
• Yeti debug page: http://yeti-dns.org/resource/yeti-bug.txt
[Bar chart: bug count (axis 0-16) by category: specification bug, software bug, Yeti root name server bug, change management bug, script bug, network bug]
Findings & bugs
• Root Glue issues (Resolved!)
  • The current root servers also answer for the root-servers.net zone, but a Yeti root server does not (its name is in an independent domain). Without that setup, BIND 9 does not include glue in answers to priming queries.
  • Resolved! With a patch for BIND 9
  • Related issues: the .arpa. zone issue; the Unused Glue issue
Findings & bugs
• A Bug in Knot 2.0 (Resolved!)
  • Knot 2 compresses even the root name. This is useless, since the root is a zero-length label of only one byte, while a compression pointer takes two. Knot 1.6, used for K-root, does not do that.
  • Resolved! https://gitlab.labs.nic.cz/labs/knot/issues/398
• DNSCAP issues
  • The current DNSCAP (both the DNS-OARC and Verisign versions) was observed losing some packets, which is not ideal
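The two wire-format points on these slides, as one added Python example (not Yeti, BIND or Knot code): a minimal DNS message builder/parser that constructs a priming answer (`. IN NS` plus AAAA glue), then checks that every root NS name has glue in the additional section, which is exactly the property the BIND 9 issue broke for Yeti servers named outside root-servers.net; and a name encoder whose `compress_root=True` flag reproduces the Knot 2.0 behaviour of emitting a two-byte compression pointer in place of the one-byte root label. The server names (`yeti-ns.dm1.example.` and so on) and addresses are placeholders.

```python
"""Priming-answer glue check and root-label compression demo (added example;
not Yeti, BIND or Knot code). Builds a constructed '. IN NS' priming answer in
DNS wire format, then checks that every root NS name has AAAA glue in the
additional section, the property the BIND 9 issue above broke for Yeti servers
named in an independent domain. encode_name(..., compress_root=True) reproduces
the Knot 2.0 behaviour: a 2-byte pointer for the 1-byte root label. Server
names and addresses are placeholders."""
import ipaddress
import struct

TYPE_NS, TYPE_AAAA, CLASS_IN = 2, 28, 1

def encode_name(name, table=None, base=0, compress_root=False):
    """Wire-encode `name`; `table` maps already-emitted suffixes to message offsets."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    while True:
        suffix = ".".join(labels) + "."
        compressible = bool(labels) or compress_root
        if table is not None and compressible and suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])   # pointer: 2 bytes
            return bytes(out)
        if table is not None and compressible:
            table.setdefault(suffix, base + len(out))
        if not labels:
            out.append(0)                                      # root label: 1 byte
            return bytes(out)
        label = labels.pop(0).encode("ascii")
        out.append(len(label))
        out += label

def decode_name(msg, pos):
    """Return (name, position after the name), following pointers with a hop limit."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            end = pos + 2 if end is None else end
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def build_priming_response(servers, include_glue=True):
    """Constructed authoritative answer to '. IN NS'; `servers` maps NS name -> IPv6 address."""
    table, arcount = {}, (len(servers) if include_glue else 0)
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, arcount))
    msg += encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)               # question
    for name in servers:                                                           # answer
        msg += encode_name(".") + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 518400, 0)
        rdata = encode_name(name, table, len(msg))
        struct.pack_into("!H", msg, len(msg) - 2, len(rdata))                      # fill RDLENGTH
        msg += rdata
    for name, addr in (servers.items() if include_glue else ()):                   # additional
        msg += encode_name(name, table, len(msg))
        msg += struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, 518400, 16) + ipaddress.IPv6Address(addr).packed
    return bytes(msg)

def parse_section(msg, pos, count):
    """Return ([(owner, type, rdata_offset)], next_pos) for `count` resource records."""
    rrs = []
    for _ in range(count):
        owner, pos = decode_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rrs.append((owner, rtype, pos + 10))
        pos += 10 + rdlen
    return rrs, pos

def missing_glue(msg):
    """Root NS names with no AAAA record in the additional section (empty list = good priming answer)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = decode_name(msg, pos)[1] + 4
    answers, pos = parse_section(msg, pos, an)
    _, pos = parse_section(msg, pos, ns)
    additional, _ = parse_section(msg, pos, ar)
    ns_names = [decode_name(msg, rd)[0] for (o, t, rd) in answers if o == "." and t == TYPE_NS]
    glued = {o for (o, t, _) in additional if t == TYPE_AAAA}
    return [n for n in ns_names if n not in glued]

def root_encoding_sizes():
    """(bytes for the root as a label, bytes for the root as a Knot 2.0-style pointer)."""
    table = {".": 12}   # pretend the root name was already emitted at offset 12
    return len(encode_name(".", dict(table), 40)), len(encode_name(".", dict(table), 40, compress_root=True))

if __name__ == "__main__":
    servers = {"yeti-ns.dm1.example.": "2001:db8:1::53", "yeti-ns.dm2.example.": "2001:db8:2::53"}
    print("with glue, missing:", missing_glue(build_priming_response(servers)))
    print("glue withheld, missing:", missing_glue(build_priming_response(servers, include_glue=False)))
    print("root label bytes vs root pointer bytes:", root_encoding_sizes())
```

Pointed at a live server, `missing_glue` would be run on the raw bytes of a `. IN NS` response rather than on the constructed message; a non-empty result means the resolver's priming will have to chase the NS names with extra queries, which is the failure the BIND 9 patch removed for Yeti.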
Findings & bugs
• Failure on Root server zone transfer
  • Some authoritative servers on some VPSs failed to pull the zone from the Distribution Master
  • One fact: TCP fails to respect IPV6_USE_MIN_MTU (draft-andrews-tcp-and-ipv6-use-minmtu-04)
  • Another fact: there are bugs in virtual machine software failing to receive IPv6 fragments (one example: FreeBSD on VMware ESXi 5.5)
  • Recommendation:
    • 1) Change the IPV6_USE_MIN_MTU setting on the server side so that 1500-byte segments are sent unfragmented (DM in the Yeti case)
    • 2) Or set the TCP MSS on the client side (Root server in the Yeti case) so that each segment fits in the 1280-byte IPv6 minimum MTU, i.e. an MSS of 1220 once the 40-byte IPv6 and 20-byte TCP headers are counted
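The arithmetic behind the two recommendations and the socket options they map to, as an added Python example (not Yeti code). Constants are the IPv6 minimum link MTU and header size from RFC 8200 and a 20-byte TCP header without options. `IPV6_USE_MIN_MTU` is the RFC 3542 option on BSD-derived stacks, where the Yeti failure was seen; CPython only exposes it where the platform defines it, so the code looks it up with `getattr` and falls back to Linux's per-socket `IPV6_MTU` as the nearest stand-in. The socket calls are demonstrated on an unconnected socket only.

```python
"""IPv6 minimum-MTU arithmetic and the two zone-transfer mitigations (added example, not Yeti code)."""
import socket

IPV6_MIN_MTU = 1280      # RFC 8200 minimum link MTU
IPV6_HDR = 40            # fixed IPv6 header
TCP_HDR = 20             # TCP header without options
ETHERNET_MTU = 1500


def tcp_mss_for_mtu(mtu):
    """Largest MSS whose segments fit in `mtu` as plain IPv6+TCP (no fragment header)."""
    return mtu - IPV6_HDR - TCP_HDR


def segment_fits_min_mtu(mss):
    """True at 1220 or below; False for the 1440 that a 1500-byte path suggests."""
    return mss + IPV6_HDR + TCP_HDR <= IPV6_MIN_MTU


def would_fragment(mss, use_min_mtu):
    """The failure mode on the slide: TCP sizes segments for the path MTU while the
    IP layer, told to honour IPV6_USE_MIN_MTU, fragments anything over 1280 bytes.
    Those fragments are what some VM stacks then dropped."""
    return use_min_mtu and not segment_fits_min_mtu(mss)


def clamp_client_mss(sock, mss=tcp_mss_for_mtu(IPV6_MIN_MTU)):
    """Mitigation 2 (client / Yeti root server side): advertise an MSS that fits 1280 bytes."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, mss)
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG)


def set_server_mtu_policy(sock, use_min_mtu):
    """Mitigation 1 (server / DM side): stop forcing 1280 so TCP uses the 1500-byte path.
    Returns the option name used, or None if the platform offers neither."""
    opt = getattr(socket, "IPV6_USE_MIN_MTU", None)
    if opt is not None:                           # BSD-derived stacks (RFC 3542): 1 = always 1280, 0 = path MTU
        sock.setsockopt(socket.IPPROTO_IPV6, opt, 1 if use_min_mtu else 0)
        return "IPV6_USE_MIN_MTU"
    opt = getattr(socket, "IPV6_MTU", None)
    if opt is not None:                           # Linux: fixed per-socket MTU as the nearest stand-in
        sock.setsockopt(socket.IPPROTO_IPV6, opt, IPV6_MIN_MTU if use_min_mtu else ETHERNET_MTU)
        return "IPV6_MTU"
    return None


if __name__ == "__main__":
    print("MSS for 1280-byte MTU:", tcp_mss_for_mtu(IPV6_MIN_MTU))
    print("1500-path MSS fragments under USE_MIN_MTU:", would_fragment(tcp_mss_for_mtu(ETHERNET_MTU), True))
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            print("client MSS now:", clamp_client_mss(s))
            print("server policy knob:", set_server_mtu_policy(s, use_min_mtu=False))
    except OSError as e:
        print("no IPv6 socket available:", e)
```

Either mitigation alone is enough for the transfer to succeed: the DM stops producing fragments, or the root server's advertised MSS stops the DM's TCP from ever building a segment the IP layer would need to split.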
In conclusion
[Timeline: May~June: preparing the testbed; September: Yeti virtual meeting, initial experiment; Oct 31st: Yeti Workshop, ready for more scientific experiments and output; next 3 years]
• Almost finished the engineering part of the Yeti testbed
• Three DMs are running, more than 13 root servers are running
• Lack of traffic, resolvers, and end-to-end measurement
• Experiments agenda expected
Thank you! Any Questions? More information on the website:
http://yeti-dns.org/
https://github.com/BII-Lab/Yeti-Project
http://lists.yeti-dns.org/mailman/listinfo/discuss