Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • petr.spacek@nic.cz • 2017-09-29.

Published byMarvin Gallagher Modified over 6 years ago

Similar presentations

Presentation on theme: "RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • petr.spacek@nic.cz • 2017-09-29."— Presentation transcript:

1 RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback
A good idea or not? Petr Špaček • •

2 Talk outline Problems with RFC 7706 Comparison with RFC 8198
theoretical experimental Possible improvements Shameless self-promotion

3 RFC 7706: Root on loopback "Because of the significant operational risks described in this document, distributions of recursive DNS servers MUST NOT include configuration for the design described here." Is it worth the trouble?

4 RFC 7706: Root on loopback recap
Primary goals faster negative responses preventing queries from being visible faster positive responses Side effects higher resiliency? maybe?

5 RFC 8198: Aggressive cache recap
Primary goals faster negative responses faster positive responses (wildcards) Depends on data in cache Side effects preventing queries from being visible

6 RFC 7706 and 8198 overlap RFC 8198 almost provides what 7706 calls for
How effective is 8198? Gut feeling: good Measurements?

7 Experimental setup Replay PCAP to Knot Resolver Log cache accesses
Replay cache accesses to RFC 2308 & simulator Record hit/miss for nodes in the root zone

8 Data sets 4+ days of traffic in PCAP
Public Open Resolver ran by CZ.NIC ("big") 3500 q/second anonymised Two households in Czech Republic ("small") dominated by "noise"

9 Tools Knot Resolver 1.3 patched to log cache access
Drool to replay traffic RFC 2308 & 8198 simulator: unlimited cache size

10 Results for root zone data
Households = noise (no further analysis) Public resolver = RFC 8198 show case only 0,25 % cache misses for root zone data About 3300 cache misses per day 73 % of root zone ~ 6600 UDP packets Public resolver 4 days of data: 300 milions user queries 784 milions cache accesses 5 milion cache accesses for root data

11 Data from the public resolver
Data from the public resolver. Data from households not shown because these are dominated by noise.

12 4th minute 2nd minute 4th minute Data from the public resolver. Data from households not shown because these are dominated by noise. 2nd minute

13 Root zone content Minimal TTL = 1 day 1548 nodes with NSEC RR
4497 non-glue non-RRSIG RRs AXFR 388 TCP packets bytes

14 RFC 7706's goals except for 0,25 % of queries
☑ Faster negative responses ☑ Preventing queries from being visible ☑ Provided by RFC 8198 except for 0,25 % of queries ☐ Higher resiliency not provided by RFC 8198 but ...

15 Leftovers after RFC 8198 0,25 % cache miss rate
caused by empty/expired cache Pre-fill cache to get to 0 % Min TTL 1 day = 1 AXFR/day AXFR/day requires just 6 % of packets for queries Higher resiliency use a variant of draft-tale-dnsop-serve-stale-01

16 Is RFC 7706 worth the trouble?
NO! Replace it with RFC 8198 cache pre-fill open question: AXFR from where? a variant of draft serve-stale Watch out for Knot Resolver in 2018!

17 Thanks to Ondřej Surý!

18 Stay tuned for Knot news!

19 Knot news for October 2017 Knot DNS 2.6 Knot Resolver 2.0
Automatic DNSSEC algorithm rollover In-line signing on slave Knot Resolver 2.0 RFC 8198 aka Aggressive Use of DNSSEC-Validated Cache

Download ppt "RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • petr.spacek@nic.cz • 2017-09-29."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
L-Root: Expanding Distribution in Africa. 2 One of 13 root name servers containing Internet Protocol addresses Operated by ICANN using anycast technology.

L-Root: Expanding Distribution in Africa. 2 One of 13 root name servers containing Internet Protocol addresses Operated by ICANN using anycast technology.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April 18 2012.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.

Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
DNS Security Pacific IT Pros Nov. 5, 2013. Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
DNS Dynamic Update Performance Study 2014.10.10. The Purpose Dynamic update and XFR is key approach to perform zone data replication and synchronization,

DNS Dynamic Update Performance Study The Purpose Dynamic update and XFR is key approach to perform zone data replication and synchronization,
Module 6: Managing and Monitoring Domain Name System (DNS)

Module 6: Managing and Monitoring Domain Name System (DNS)
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Similar presentations

Ads by Google