The new APNIC DNS generation system Previous System

  • Slides: 15
Download presentation
The new APNIC DNS generation system

The new APNIC DNS generation system

Previous System • Direct access to backend whois. db files – Constructed radix tree

Previous System • Direct access to backend whois. db files – Constructed radix tree in memory from domain objects – Walked tree in order to derive • Zone files for changed zones • • • Change was defined by changed: field in domain object being current date Zone files pushed to DNS via RSYNC Secondary zones controlled by PEERS files, p 2 n. pl script.

Problems • Monolithic solution – Hard to add new options • New database changed

Problems • Monolithic solution – Hard to add new options • New database changed data format – backend SQL in v 3 would require recoding anyway • NS reload slow, buggy – Too many periods with only one functional NS

Problems contd • Secondary management intertwined with primary function – Needed better functional separation

Problems contd • Secondary management intertwined with primary function – Needed better functional separation – Bind problems • master / secondary / master • Uneccessary DNS changes – SOA incremented for descr, nic-hdl changes

Goals for a new production system • Make zone update more efficient • Allow

Goals for a new production system • Make zone update more efficient • Allow addition of new features • Separate secondaries from main process • Simplify zonefile production

Goals (continued) • Make zone update more efficient – • Can support dynamic processes

Goals (continued) • Make zone update more efficient – • Can support dynamic processes when viable Allow addition of new features – – DNSSEC zone signing LAME delegation processing NOTIFY based push to DNS from master SOA serial increment on real change, not from changed: flag

Goals (continued) • Separate secondaries from main process – • Improves DNS stability Simplify

Goals (continued) • Separate secondaries from main process – • Improves DNS stability Simplify zonefile production – – staged pipeline of simple phases Use UNIX tools

Simple Pipelined process Easy to add parallel passes (eg to merge external data sources)

Simple Pipelined process Easy to add parallel passes (eg to merge external data sources)

Separated secondary processes • Not based on whois domain records • Separate servers •

Separated secondary processes • Not based on whois domain records • Separate servers • Better records management on prime source contacts • Improved management processes • Can offer scaleable secondary services – To cc. TLD, AP-community, members

Integrating the ERX process • ARIN ERX transfer process: – fetch of (partial) zone

Integrating the ERX process • ARIN ERX transfer process: – fetch of (partial) zone contents – Production of matching file for ARIN, RIPE to fetch from APNIC • Staged pipeline highly amenable to both local and ERX processes • Permits normal whois activity for enduser management of domain object.

Implementation timeline • April identify need for new process – Discuss DNS generation with

Implementation timeline • April identify need for new process – Discuss DNS generation with other RIR, IETF dnsops people • June ERX discussions Toronto – Implementation of treewalk->flatfile • July – Full DNS zone generation • August – Deployment

Issues • Time between ns 1, ns 3 restart – Needed to be kept

Issues • Time between ns 1, ns 3 restart – Needed to be kept to a minimum • soa serial/contents mismatch – Ensure at least one NS was functional at all times • Check in-addr. arpa resolution offsite • Check non-reverse-tree DNS status – cc. TLD secondaries, RIPE/ARIN secondaries

Interesting side-effects • DNS lookup times in reverse are faster for clients when no

Interesting side-effects • DNS lookup times in reverse are faster for clients when no cached data – Less recursion to find authoritative answer • NXDOMAIN is faster – Less noise on the wire • Top level /8 serial increments more often – We can adjust cache/ttl settings to tune

Traffic Measurements DNS cutover, Aug 19

Traffic Measurements DNS cutover, Aug 19

Post-Upgrade behaviour • • • DNS update is faster, simpler Less delay from whois

Post-Upgrade behaviour • • • DNS update is faster, simpler Less delay from whois -> DNS Overall DNS traffic dropped More consistent load share JP/AU US/Europe now fully serviced APNIC can deploy new services – Pre-creation of domain objects – LAME checks

DNS frank https url fitdns DNS DNS DNSDNS frank https url fitdns DNS DNS DNS
DNS Setup DNS CONFIGURATION DNS Setup DNS ConfigurationDNS Setup DNS CONFIGURATION DNS Setup DNS Configuration
DNS DNS LDNS DNS DNS Cache NXDOMAIN UDPDNS DNS LDNS DNS DNS Cache NXDOMAIN UDP
DNS Petrus SP DNS DNS DNS adalah DomainDNS Petrus SP DNS DNS DNS adalah Domain
APNIC Membership Fees APNIC Members Meeting APNIC 22APNIC Membership Fees APNIC Members Meeting APNIC 22
APNIC Open Policy Meeting APNIC Reverse DNS StatusAPNIC Open Policy Meeting APNIC Reverse DNS Status
DNS DNS Domain Name System DNS services HostnameDNS DNS Domain Name System DNS services Hostname
DNS HZMET DNS DNS ngilizce Domain Name SystemDNS HZMET DNS DNS ngilizce Domain Name System
Discussion of the new DNS generation system DNSDiscussion of the new DNS generation system DNS
APNIC reverse DNS management roadmap DNS operations SIGAPNIC reverse DNS management roadmap DNS operations SIG
DNS DNS introduction DNS les domaines ulysse cnamDNS DNS introduction DNS les domaines ulysse cnam
DNS Server EP DNS Sever Paul Albitz DNSDNS Server EP DNS Sever Paul Albitz DNS
DNS Server EP DNS Sever Paul Albitz DNSDNS Server EP DNS Sever Paul Albitz DNS
DNS replikci A DNS szerkezete A DNS kmiaiDNS replikci A DNS szerkezete A DNS kmiai