Re: [sig-dns] IETF notes
On Aug 2, 2007, at 9:45 PM, Edward Lewis wrote:
The following weekend was the OARC meeting also in Chicago. I did
not attend that, perhaps someone who stayed for the whole IETF might
want to make comments on that.
Ed,
here are my notes from the OARC meeting in Chicago last weekend.
Hopefully they will be of interest to some of the subscribers on here:
OARC Meeting Chicago
Friday 27th July
Keith Mitchell gave an OARC status report. He has signed up several new members including some root operators. Only two root operators are now missing. OARC still needs more funding; more information will be in the members meeting on Saturday.
Steve Conte from ICANN gave a short presentation on how they dealt with the Feb 6th attack on L root. In short they very quickly brought some new nodes into operation in a quicker timeframe than planned. They are still not any-casting but have plans to go ahead and do this in the near future.
John Kristoff from Neustar gave a recap on the root attacks of the 6th of Feb. He commented that there were lots of mis-representations in the press about who got hit by who and when. His investigations have revealed that although a lot of traffic came from South East Asia this was actually all part of a botnet which was being controlled from the US. It is still not clear what the purpose of the attack was; current thinking is that it was just a show of strength.
Duane Wessels did a presentation on the DITL (Day in the life of the internet) project that happened in January. There are lots of interesting graphs and stats in Duane's presentation, well worth a look.
Peter Losher from ISC gave a presentation about dnscap, this is a tool which is similar to tcpdump but only designed to capture and analyse DNS network traffic.
BIND Debugging experiences
Mark Andrews (BIND Author) gave a presentation showing several issues that were regularly reported to ISC on the mailing lists and gave some detail on how these were usually mis-configurations and not in fact bugs in BIND. All the problems and solutions are shown in the slides, recommended to read.
John Dickinson gave a presentation on what Nominet have done to sign the UK zones, they have a huge zone with millions of records (.co.uk) which is constantly being updated. They looked at various crypto equipment and went through a steep learning curve of the various equipment available. It is probably worth reading up on this for anyone contemplating the move to DNSSEC. More details are at blog.nominet.org.uk/tech
DNSSEC with IPAM
A guy did a presentation on DNSSEC and integrating it with an IPAM (IP Address Management System), again definitely worth reading up on if you are contemplating DNSSEC. He also mentioned some software/hardware DNSX Secure Signer that may be worth investigating at some point.
ISC did a presentation on the expansion of statistics facilities in BIND 9.5; there will be a lot more stats available. Full details are in the presentation. Input was solicited.
ISC did a presentation on improvements to the way caching works in BIND 9.5.
Saturday 28th July AM
The morning session was dedicated to DSC and similar products.
Duane Wessels did a presentation on the status of DSC and some new features recently added. IPv6 has been enabled and the XML extractor has been improved. Future plans are to add SQL DB support and also to change from lots of small XML files to a single large XML file.
Lars Liman gave a presentation on the changes that Autonomica have made to DSC, they have changed to threading instead of forking to improve performance. They are adding features to enable the control of remote collectors from a central point, collector control protocol based on XML. They have added SSL support for authentication. They have installed at selected I Root nodes on dedicated boxes; they will be expanding this. Their modified code is not currently publicly available but this should change in the near future.
A guy gave a presentation on dns2db, this is a tool which captures DNS traffic, pushes it into a SQL DB and provides a GUI tool developed in Adobe Flex for visualising the results, this includes being able to drill down into stats on the servers. This is a very interesting project that you should look into further. http://opensource.iis.se/trac/dns2db
Keith Mitchell from OARC gave a presentation on passive DNS, this is a new project that ISC/OARC have started where they gather network traces from large volume resolvers, this data when collated from several sources can be very valuable in looking at patterns of data, in particular it is very good for botnet hunting. OARC see this as an area that it would be very valuable for them to get involved in.
Sebastian Castro from nic.cl did a presentation on DNS Load visualisation, this was a very interesting presentation on how they set up a monitoring/visualisation system to show where the .cl anycast DNS servers were getting queries from. I think it may be useful for us to look further into this. The animated query map was very impressive and it would be really nice if we can do something similar for K.
Steve Gibbard from PCH did a presentation on Anycast performance. PCH did some analysis of how effective root server anycasting was. PCH also went on to do some research on their own anycast network and this concluded that "Transit Consistency" across nodes improves the location of queries a lot but this has to be balanced with diversity of carriers.
Joao Damas did a short presentation on BIND 10, this will be developed over the coming 5 years, it will be much more modular and scalable than the current 9. It will enable you to have a choice of back ends. It will be much easier to cluster and the user interface will be greatly improved. If we have any feature requests or strong opinions now would be a good time to submit them.
All presentations are available on the OARC website at: http://public.oarci.net/dns-operations/workshop-2007/agenda/
--
Brett Carr
Manager -- DNS Services Group
RIPE Network Coordination Centre
Amsterdam