The Swiss Education & Research Network
Switch ORG Proposal, Appendix C: Name Server Concept

Table of contents

  1. Overview
  2. Zone file generation
  3. Zone file maintenance performance parameters
  4. Zone file transfer and zone file data escrow strategy
  5. Backup
  6. Compliance
  7. Zone file distribution: Authoritative name servers: locations and organizations
  8. World-map showing location of name servers for ORG
  9. Monitoring
  10. Security
  11. Technical Parameters per Name Server
  12. Contracting partner Nominum Inc.
  13. Contracting partner IX Europe Telehouse
  14. Appendix CA: Nominum Inc.

1. Overview

As part of the registry concept, the name server network for ORG combines two different types of systems: one offering the standard Domain Name System (DNS) algorithms to the querying resolvers, the other relying on the routing protocols.

From a resolver's perspective, the most important aspect of a system of authoritative name servers for a particular zone is its overall response time for DNS queries, which includes the processing time for the request and the network latency. While the former can, in principle, be kept as low as desired for every name server, the latter depends on the connectivity between the resolver and the server it has chosen to send its query to, which, in turn, depends on the placement of the replicated name servers in the Internet as well as the algorithm used by the resolver to select that particular server.

The algorithm used by most resolver implementations in use today favors the server that exhibits the smallest round trip time for DNS queries.

Another measure of the distance between two nodes is based on the view of the Internet topology held by the interdomain routing system. The concept of "anycast" addresses applied to DNS servers lets the network itself choose which one of a set of servers it will deliver a query to, based on the routing protocol's measure of distance.

Our proposition for the system of authoritative servers for the ORG zone contains a mixture of both methods by combining standard "unicast" servers with the anycast-based system of Nominum's Global Name Service (GNS).

A network of 12 to 14 name servers distributed over the globe will ensure redundancy and fast response times. Most sites will provide additional redundancy by employing multiple name server machines. In addition, emphasis on multiple architectures and platforms ensures that vulnerabilities of a certain architecture or platform do not affect the entire system.

Advantages of combining both systems:

Integration of a 'standard' name server system based on BIND and its derivatives, DJBDNS and the Nominum Global Name Service (GNS) architecture:

  • Provides control by the registry (SWITCH) over primary servers (a and b)
  • 24/7 management (SWITCH and Nominum)
  • Combined robustness aspects of multiple-server, -site, -software and -network infrastructure
  • Combined redundancy aspects of multiple-server, -site, -software and -network infrastructure
  • Combined security aspects of multiple-server, -site, -software and -network infrastructure
  • Combined connectivity aspects of multiple carrier-class name server locations

Zone file distribution will be scheduled at two-hour intervals (Nominum recommendation) in the beginning, with the option to reduce these intervals to 15 minutes or lower if the need arises. Updates to the primary and distribution of the zone to the secondaries are done efficiently through dynamic updates (RFC2136) and incremental zone transfers (IXFR, RFC1995) combined with the notification mechanism (NOTIFY, RFC1996).

Security will be provided by Secret Key Transaction Authentication for DNS (TSIG, RFC-2845), which allows for transaction-level authentication using shared secrets and one-way hashing. This method is used to authenticate zone transfers to secondaries and to provide data integrity checking at the same time. It is also used to authenticate updates to the primary from the back-end database as an additional layer of security.

The escrow agent for the ORG zone is IXEurope Telehouse Facilities, operator of the Telehouse Internet Exchange (TIX) point in Zurich (www.tix.ch), located in a carrier-class data center in the heart of Zurich's telecom district. Personnel at IXEurope have reputable DNS and name server know-how and are perfectly capable of performing this function. The escrow agent will be contracted both by ICANN and SWITCH to hold the zone file in escrow. IXEurope will also operate a secondary for the ORG zone (c.org-servers.net).

2. Zone file generation

Two name servers are involved per registry site: a stealth name server and the actual primary name server. The stealth name server is updated periodically with the accumulated changes since the last update using dynamic DNS. The initial frequency of these updates will be two-hour intervals and can be adjusted to meet customer expectations later on.

By definition, the stealth server is not listed in the NS resource record set of the org zone. Nor does it perform any automatic outbound zone transfers. After each update, sanity checks (consistency with the database, serial number, etc.) are performed on the new zone to make sure that the update has been successful.

After the new zone has been cleared for distribution, an incremental transfer to the real primary name server, which is colocated with the stealth server, is initiated.

Propagation of the zone from the primary to the secondaries proceeds through the standard NOTIFY/IXFR mechanism. Both primaries appear to secondaries and resolvers as one logical server by sharing the IP address that is used for zone transfers and DNS queries.

In contrast to the anycast service used for the secondary servers, the internal routing system of SWITCH will carry exactly one route to the shared IP address at any point in time. This ensures that packets sent to this address are always delivered to the same physical host, namely the primary name server colocated with the active registry system. (This implies that the shared address has the same semantics as a unicast address, i.e. it can be safely used even for stateful transport protocols). Upon a switchover of registry systems, a new route to the other physical primary is established. In short, resolvers and secondaries can use the same IP address to access the primary, irrespective of which of the two registry systems is active.

The clocks of all name servers will be synchronized closely enough for successful application of TSIG, which includes a time stamp in the digital signature for protection against replay attacks.
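As an added example (not code from the proposal, SWITCH or Nominum), the TSIG mechanism described in sections 1 and 2 at wire level: a secondary signs its SOA query with a shared secret, and the receiver checks key, MAC and time window in the order RFC 2845 prescribes, which is where the clock synchronization above matters. The key name, secret and message contents are constructed for the example; the block uses the HMAC-SHA-256 algorithm name from RFC 4635 in place of the HMAC-MD5 of RFC 2845, which plugs in identically.

```python
import hashlib
import hmac
import struct

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."   # RFC 4635 name; RFC 2845 itself uses hmac-md5.sig-alg.reg.int.
DIGEST = hashlib.sha256

def wire_name(name):
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def read_name(buf, off):
    """Parse a (possibly compressed) name; returns (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer: follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(msg_id, qname, qtype):
    """Plain DNS query: header with QDCOUNT=1 plus one question, no TSIG yet."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 3.4.2): key name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC is an HMAC over the unsigned message followed by the TSIG variables."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge), DIGEST).digest()
    rdata = (wire_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))   # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1                            # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, keys, now):
    """Check the trailing TSIG RR; returns NOERROR, BADKEY, BADSIG, BADTIME or NOTSIGNED."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return "NOTSIGNED"
    off = 12
    for _ in range(qd):                                  # skip the question section
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                    # skip every RR before the TSIG RR
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or off + rdlen != len(signed):
        return "NOTSIGNED"
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac, off = signed[off + 10:off + 10 + mac_size], off + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keys.get(key_name)
    if secret is None or alg != ALGORITHM:               # RFC 2845 order of checks: key, MAC, time
        return "BADKEY"
    # Rebuild the message as it was before signing: original ID, ARCOUNT - 1, TSIG RR removed
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        DIGEST).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:                   # replay window: this is why the clocks must agree
        return "BADTIME"
    return "NOERROR"

def demo():
    """Constructed scenario: a secondary's SOA query for org., signed with an assumed shared key."""
    key_name = "xfer-key.org-servers.net."               # assumed key name, not from the proposal
    keys = {key_name: b"constructed-shared-secret"}       # assumed secret; a real one is random bytes
    now = 1024000000
    query = build_query(0x1234, "org.", 6)                # QTYPE 6 = SOA, as sent before an IXFR
    signed = sign(query, key_name, keys[key_name], now)
    tampered = bytearray(signed)
    tampered[13] ^= 0x20                                 # flip one bit inside the question name
    return [verify(signed, keys, now),                   # NOERROR
            verify(bytes(tampered), keys, now),          # BADSIG: message changed in transit
            verify(signed, keys, now + 600),             # BADTIME: replayed 10 minutes later, fudge is 300 s
            verify(signed, {"other-key.": b"x"}, now),   # BADKEY: receiver has no such key
            verify(query, keys, now)]                    # NOTSIGNED: no TSIG RR at all
```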

Name server updates:

  • Incremental updates once per hour (see above for explanation)
  • Full zone transfers once per day
  • On-demand updates when required
3. Zone file maintenance performance parameters

Incremental zone transfers are the preferred method. On demand zone transfers are possible as well as full zone transfers, but full zone transfers are reserved for special operational circumstances.

  1. Service availability (fault tolerance) of zone per name server: 100% for Nominum GNS network, 99% for other name servers.

  2. Planned outages per name server: 0% for Nominum GNS network, 1% for other name servers.

  3. Full zone transfers (AXFR): full zone transfers are possible but will only be used in exceptional circumstances and certainly on an infrequent basis.

  4. Incremental zone transfers (IXFR): Nominum GNS network database updates completed in zones of secondaries within 15 minutes (update delay time) after receiving incremental zone transfers. Nominum recommends incremental zone updates in two-hour intervals. See Appendix CA.

  5. On-demand zone transfers: Nominum GNS network database updates completed in zones of secondaries within 15 minutes (update delay time) after receiving incremental zone transfers.

4. Zone file transfer and zone file data escrow strategy

Strategy for secondary name servers: transfer the ORG zone from A, B or C (in this order of priority). No other secondary may allow zone transfers of the ORG zone (not even to each other). Name servers B and C are fallbacks. C is the escrow server (IX Europe Telehouse) and has special conditions:

C will only allow ORG zone transfers on explicit order from ICANN or from SWITCH. The contract between the escrow agent and ICANN and SWITCH will state that it may allow zone transfers only in exceptional cases and only with the agreement of ICANN or SWITCH.
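As an added illustration (not configuration from the proposal, SWITCH or the partners), BIND 9 named.conf fragments for the roles described in sections 2 and 4: the stealth server, the primary and an ordinary secondary. Addresses (documentation ranges), key names, secrets and file paths are placeholders; the three keys, one per trust relationship, are this example's choice.

```conf
// ---- keys: one per trust relationship, so a leaked transfer key cannot push updates ----
key "org-update-key" {              // registry back end -> stealth server (RFC 2136 updates)
    algorithm hmac-md5;             // the RFC 2845 algorithm; newer BIND also accepts hmac-sha256
    secret "PLACEHOLDER-BASE64-SECRET-1==";
};
key "org-internal-key" {            // stealth server -> primary (IXFR inside SWITCH)
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET-2==";
};
key "org-xfer-key" {                // primary -> secondaries (NOTIFY, IXFR/AXFR)
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET-3==";
};

// ==== named.conf on the stealth server, 192.0.2.10 (not in the NS set) ====
zone "org" {
    type master;
    file "master/org.db";
    allow-update   { key "org-update-key"; };    // only signed updates from the back end
    allow-transfer { key "org-internal-key"; };  // only the primary may pull the zone
    notify no;                                   // nothing leaves automatically: after the sanity
};                                               // checks the operator triggers the IXFR on the
                                                 // primary, e.g. with "rndc refresh org" there

// ==== named.conf on a.org-servers.net, shared address 192.0.2.1 ====
server 192.0.2.10 { keys { "org-internal-key"; }; };   // sign what is sent to the stealth server
zone "org" {
    type slave;                                  // fed from the stealth server; the primary as
    file "slave/org.db";                         // seen from the Internet
    masters { 192.0.2.10; };
    allow-transfer { key "org-xfer-key"; };      // every secondary must present the shared secret
    notify explicit;                             // NOTIFY only the hosts listed below, not the
    also-notify { 192.0.2.20; 192.0.2.30;        // anycast NS set: B, C and the GNS transfer
                  198.51.100.1; 198.51.100.2; }; // systems
};
server 192.0.2.20 { keys { "org-xfer-key"; }; };   // one server clause per secondary, so the
server 192.0.2.30 { keys { "org-xfer-key"; }; };   // NOTIFY messages sent to it are signed

// ==== named.conf on an ordinary secondary such as h.org-servers.net ====
server 192.0.2.1  { keys { "org-xfer-key"; }; };   // sign SOA/IXFR requests to A ...
server 192.0.2.20 { keys { "org-xfer-key"; }; };   // ... and to B
zone "org" {
    type slave;
    file "slave/org.db";
    masters { 192.0.2.1; 192.0.2.20; };          // A first, B as fallback; C (escrow) only on
                                                 // explicit order from ICANN or SWITCH
    allow-transfer { none; };                    // section 4: no secondary serves the zone onward
    request-ixfr yes;                            // incremental transfers are the preferred method
};
```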

5. Backup

Daily local backup is planned for each site (Zurich and Geneva) independently via in-house tape stations.

6. Compliance

The name servers of each registry site and of every secondary name server data center will comply with the RFCs listed below:

  • RFC-1035 (Domain Names - Implementation and Specification)
  • RFC-2136 (Dynamic Updates in the Domain Name System (DNS Update))
  • RFC-2181 (Clarifications to the DNS Specification)
  • RFC-2182 (Selection and Operation of Secondary DNS Servers)
  • RFC-2845 (Secret Key Transaction Authentication for DNS (TSIG))
  • RFC-2870 (Root Name Server Operational Requirements)

7. Zone file distribution: Authoritative name servers, locations and organizations

  Europe

  NS  Name server                               Role                                  Location/Organization
  A   a.org-servers.net                         Primary                               Zurich (ETHZ), Switzerland / SWITCH. Carrier-class data center; redundant network connections: see registry concept
  B   b.org-servers.net                         Backup primary, secondary             Geneva (CERN, close to CIXP) / SWITCH. Carrier-class data center; redundant network connections: see registry concept
  C   c.org-servers.net                         Zone data escrow, secondary           Zurich (Telehouse), Switzerland / IX Europe. Carrier-class data center; redundant network connections: see registry concept
  D   x.org-servers.net and y.org-servers.net   Secondary (Nominum anycast network)   London, England / LINX. Carrier-class data center in Europe; redundant network connections

  Americas

  NS  Name server                               Role                                  Location/Organization
  H   h.org-servers.net                         Secondary                             Memphis, Tennessee / SWITCH ORG Registrar Services America
  I   x.org-servers.net and y.org-servers.net   Secondary (Nominum anycast network)   Palo Alto, California / PAIX.net Inc.
  K   x.org-servers.net and y.org-servers.net   Secondary (Nominum anycast network)   Vienna, Virginia / PAIX.net Inc.
  L   x.org-servers.net and y.org-servers.net   Secondary (Nominum anycast network)   Chicago, Illinois / Equinix
  M   x.org-servers.net and y.org-servers.net   Secondary (Nominum anycast network)   Redwood City, California / Nominum Headquarters
  N   n.org-servers.net (replacing tulku.nic.ar)                                      Buenos Aires, Argentina / Network Information Center Argentina, Ministerio de Relaciones Exteriores, Comercio Internacional y Culto


  Asia/Pacific

  NS  Name server                               Role                                  Location/Organization
  R   ns.apnic.net or r.org-servers.net         Secondary                             Milton, Australia / Asia Pacific Network Information Center (APNIC), PO Box 2131, Milton 4064, QLD Australia
  S   s.org-servers.net                         Secondary                             Singapore / SWITCH ORG Registrar Services Asia-Pacific
  T   x.org-servers.net and y.org-servers.net   Secondary (Nominum anycast network)   Tokyo / IIJ facility

The agreement with the Asia Pacific Network Information Center (APNIC) could not be concluded by the time the application for ORG had to be submitted due to the absence from office of George Michaelson, APNIC's technical manager, who was overseas until 17.6.2002. The response received so far from APNIC’s Director General, Paul Wilson, was positive.

  Africa

  NS  Name server                               Role                                  Location/Organization
  W   w.org-servers.net                         Secondary                             Worldcom Park, Gallo Manor, Johannesburg / UUNET ZA


8. World-map showing location of name servers for ORG

[World map of the ORG name server locations listed in section 7]

9. Monitoring

SWITCH:

The name servers located at both registry sites (A and B) and at both registrar service sites (H and S) are completely controlled by SWITCH staff. The health of these systems is monitored at several levels:

  • A dedicated monitoring host continuously checks the basic functionality of the name servers by issuing various DNS queries and reporting any failures via email and/or SMS
  • The log files on each server are analyzed periodically and any irregular event is reported
  • Once a day, a digest of the log file is generated and sent to SWITCH staff for routine checks
  • Special sanity checks of the stealth server are performed each time the zone is updated

The first of these checks will also be performed from each name server to every other name server of the ORG name server network to discover connectivity problems.

Nominum:

Nominum has continuous console access to its equipment by means of multiple redundant paths. Access is available via the Internet and via a private virtual network. Nominum continually monitors all aspects of the system in order to catch and proactively correct any network or system issues. This monitoring also allows Nominum to best evaluate when to add capacity to some part of the GNS system in order to ensure that DNS service remains efficient. Portions of the system can be upgraded without the service itself going offline.

Graphical user interface:

A clear graphical interface is available to TLD administrators via the World Wide Web. Query statistics and data transfer messages, including over two dozen possible messages related to success or failure of zone transfers, are available through the GNS interface.


10. Security

Access to Nominum servers is restricted via multiple levels of firewalls. The routers filter incoming traffic, and the hosts have individual firewalls. The Nominum network equipment has filters applied to restrict access to authorized Nominum personnel, all of whom are required to log in via Secure Shell (SSH).


11. Technical Parameters per Name Server

Name Server A, location: Zürich, ETHZ

No. Parameter Value
     
1 Server administrator SWITCH Network Operation Center
2 Organization, address Limmatquai 138, CH-8001 Zurich
3 Contact persons Alexander Gall
4 Remote access to server SSH, Console via terminal server
     
5 Location, building Computing center ETHZ, Clausiusstrasse 59, 8092 Zurich, Switzerland
6 On-location physical security systems  
7 Temperature, air conditioning  
8 External Power supplies, UPS, power backup  
9 Data backup, RAID system  
10 Connectivity, network bandwidth 100/1000Mb/s Ethernet link to the backbone of the SWITCH network
     
11 Hardware: motherboard, manufacturer Sun Fire 280R
12 Hardware: CPU, frequency, quantity UltraSparc III, 900MHz, up to 2
13 Hardware: Memory, quantity 2GB
14 Load balancer No
     
15 Software: operating system Solaris 8/9
16 Software: name server BIND 9
     
17 Query rate, average [queries per sec.]  
18 Query rate, peak [queries per sec.] N/A (>1500)
19 Access capacity  
     
20 Monitoring, logging: web interface Continuous monitoring of vital functions; alerting via email/SMS
21 Monitoring, logging: error reports, reporting, statistics Daily analysis of name server logs
     
22 Incremental transfers (dynDNS) and propagation time Yes
23 On-demand zone transfers Yes
24 Normal zone transfer and propagation time Yes
     
25 IPv6 support Yes
26 Authoritative only server (Y/N) Yes
27 Unicast/Anycast Anycast
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA Both


Name Server B, location: Geneva, CERN

No. Parameter Value
     
1 Server administrator SWITCH Network Operation Center
2 Organization, address Limmatquai 138, CH-8001 Zurich
3 Contact persons Alexander Gall
4 Remote access to server SSH, Console via terminal server
     
5 Location, building Computing center ETHZ, Clausiusstrasse 59, 8092 Zurich, Switzerland
6 On-location physical security systems  
7 Temperature, air conditioning  
8 External Power supplies, UPS, power backup  
9 Data backup, RAID system  
10 Connectivity, network bandwidth 100/1000Mb/s Ethernet link to the backbone of the SWITCH network
     
11 Hardware: motherboard, manufacturer Sun Fire 280R
12 Hardware: CPU, frequency, quantity UltraSparc III, 900MHz, up to 2
13 Hardware: Memory, quantity 2GB
14 Load balancer No
     
15 Software: operating system Solaris 8/9
16 Software: name server BIND 9
     
17 Query rate, average [queries per sec.]  
18 Query rate, peak [queries per sec.] N/A (>1500)
19 Access capacity  
     
20 Monitoring, logging: web interface Continuous monitoring of vital functions; alerting via email/SMS
21 Monitoring, logging: error reports, reporting, statistics Daily analysis of name server logs
     
22 Incremental transfers (dynDNS) and propagation time Yes
23 On-demand zone transfers Yes
24 Normal zone transfer and propagation time Yes
     
25 IPv6 support Yes
26 Authoritative only server (Y/N) Yes
27 Unicast/Anycast Anycast
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA Both


Name Server C, location: Zürich, IX Europe Telehouse

No. Parameter Value
     
1 Server administrator Internet Exchange Operations Team
2 Organization, address Hardstrasse 235, 8005 Zurich, Switzerland
3 Contact persons 7x24 Hotline +41 1 355 69 70, hotline@ixeurope.com
4 Remote access to server Via SSH2 and Modem-Console
     
5 Location, building IXDataCentre Zurich, 4th Floor, Hardstrasse 235, 8005 Zurich, Switzerland
6 On-location physical security systems Access Control with Security Badges and Security Key Locks in every Rack
7 Temperature, air conditioning Yes, 21 Degrees Celsius
8 External Power supplies, UPS, power backup Yes, 3-Way Power-Feed, UPS and Diesel Backup
9 Data backup, RAID system Standby-System Backup
10 Connectivity, network bandwidth 100Mbit/s Fast Ethernet directly into the Internet Exchange Switch Fabric
     
11 Hardware: motherboard, manufacturer Intel
12 Hardware: CPU, frequency, quantity Intel PIII-750
13 Hardware: Memory, quantity 512MB
14 Load balancer None
     
15 Software: operating system FreeBSD 4.x-STABLE
16 Software: name server DJBDNS/tinydns
     
17 Query rate, average [queries per sec.] currently 70 queries / sec.
18 Query rate, peak [queries per sec.] 120 queries / sec.
19 Access capacity 5000 queries / sec.
     
20 Monitoring, logging: web interface No web interface
21 Monitoring, logging: error reports, reporting, statistics Daily performance reports
     
22 Incremental transfers (dynDNS) and propagation time Only incremental zone transfers (IXFR)
23 On-demand zone transfers Yes (Notify)
24 Normal zone transfer and propagation time Yes, approx. 15 minutes
     
25 IPv6 support Available on demand
26 Authoritative only server (Y/N) Yes
27 Unicast/Anycast Unicast
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA TSIG


Name Servers D, I, K, L, M, T (for locations see section 7)

Nominum: All responses are based on the system-wide architecture of the Global Name Service (GNS)

No. Parameter Value
     
1 Server administrator Nominum Inc.
2 Organization, address Nominum Inc.
3 Contact persons 24/7 contacts made available after service level agreements are in place.
4 Remote access to server Continuous console access to equipment by means of multiple redundant paths (Internet and private virtual network).
     
5 Location, building Various locations. See Technical Overview in appendix CA.
6 On-location physical security systems The GNS system is architected with security as a priority. Multiple methods are used to protect data, ensure servers remain operational, and circumvent malicious access attempts.
7 Temperature, air conditioning GNS sites are all located within Internet Exchange points except Japan, which is located at a major ISP POP. See appendix CA for locations.
8 External Power supplies, UPS, power backup as 7 above
9 Data backup, RAID system as 7 above
10 Connectivity, network bandwidth as 7 above
     
11 Hardware: motherboard, manufacturer Intel and Sun. Nominum has designed each individual GNS site to be redundant and reliable. Each site has at least two servers, each on a different hardware platform and running a different operating system. This diversity ensures that if a vulnerability in one OS or one platform is discovered and exploited, that problem will not cause the entire GNS site to go down.
12 Hardware: CPU, frequency, quantity NA
13 Hardware: Memory, quantity NA
14 Load balancer NA
     
15 Software: operating system NetBSD and Solaris
16 Software: name server Proprietary Authoritative Only Name Server.
     
17 Query rate, average [queries per sec.] Each name server is capable of resolving 30,000 plus QPS sustained.
18 Query rate, peak [queries per sec.] System headroom is maintained at > 35%.
19 Access capacity The GNS system can be scaled up or down by adding more name servers, name server locations or adjusting bandwidth to each of the locations. System headroom is maintained at > 35%.
     
20 Monitoring, logging: web interface Graphical user interface accessible via WWW, custom web interface or API.
21 Monitoring, logging: error reports, reporting, statistics Nominum continually monitors all aspects of the system in order to catch and proactively correct any network or system issues. This monitoring also allows Nominum to best evaluate when to add capacity to some part of the GNS system in order to ensure that DNS service remains efficient. Portions of the system can be upgraded without the service itself going offline. To keep customers updated regarding the status of their domains, GNS offers error reports that highlight any issues with data transfer and statistics that summarize GNS usage.
     
22 Incremental transfers (dynDNS) and propagation time IXFR only. Fifteen minute propagation once transfer is completed to GNS system.
23 On-demand zone transfers Yes
24 Normal zone transfer and propagation time > 15 minutes once data has been received from primary. Depends on transit between primary and GNS.
     
25 IPv6 support Yes
26 Authoritative only server (Y/N) Yes
27 Unicast/Anycast Anycast
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA Yes to all


Name Server H and S, locations: Memphis and Singapore

No. Parameter Value
     
1 Server administrator SWITCH Registrar Services America/Singapore
2 Organization, address TBD
3 Contact persons TBD
4 Remote access to server SSH, Console via terminal server
     
5 Location, building Computing center ETHZ, Clausiusstrasse 59, 8092 Zurich, Switzerland
6 On-location physical security systems  
7 Temperature, air conditioning  
8 External Power supplies, UPS, power backup  
9 Data backup, RAID system  
10 Connectivity, network bandwidth 100/1000Mb/s Ethernet link to the backbone of the SWITCH network
     
11 Hardware: motherboard, manufacturer Sun Fire 280R
12 Hardware: CPU, frequency, quantity UltraSparc III, 900MHz, up to 2
13 Hardware: Memory, quantity 2GB
14 Load balancer No
     
15 Software: operating system Solaris 8/9
16 Software: name server BIND 9
     
17 Query rate, average [queries per sec.] N/A (>1500)
18 Query rate, peak [queries per sec.]  
19 Access capacity  
     
20 Monitoring, logging: web interface Continuous monitoring of vital functions; alerting via email/SMS
21 Monitoring, logging: error reports, reporting, statistics Daily analysis of name server logs
     
22 Incremental transfers (dynDNS) and propagation time Yes
23 On-demand zone transfers Yes
24 Normal zone transfer and propagation time Yes
     
25 IPv6 support Yes
26 Authoritative only server (Y/N) Yes
27 Unicast/Anycast Anycast
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA Both


Name Server N, location: Buenos Aires

No. Parameter Value
     
1 Server administrator NIC-Argentina / MRECIC
2 Organization, address Esmeralda 1212 - 1003 Buenos Aires - Argentina
3 Contact persons noc-ar@atina.ar
4 Remote access to server Restricted to predefined origin addresses. SSH2 protocol only.
     
5 Location, building Data Center - NIC-Argentina HQ
6 On-location physical security systems Access control, fire extinguisher
7 Temperature, air conditioning 21 deg. Celsius via independent, dedicated system.
8 External Power supplies, UPS, power backup No/Yes/Yes
9 Data backup, RAID system Yes/Yes
10 Connectivity, network bandwidth VLAN 100 MBps to Gigabit MAN (dual fiber ring). Connectivity to regional NAPs through major carriers' STM-1s. BW can be adjusted from 8Mbps up.
     
11 Hardware: motherboard, manufacturer HP
12 Hardware: CPU, frequency, quantity Intel PIII - 1GHz
13 Hardware: Memory, quantity 512MB
14 Load balancer No
     
15 Software: operating system OpenBSD 3.1 - stable
16 Software: name server BIND 9.2.1
     
17 Query rate, average [queries per sec.] 75 (current .AR TLD servers)
18 Query rate, peak [queries per sec.] 130 (current .AR TLD servers)
19 Access capacity 5000 queries/s
     
20 Monitoring, logging: web interface Yes, on separate equipment
21 Monitoring, logging: error reports, reporting, statistics Yes, on separate equipment
     
22 Incremental transfers (dynDNS) and propagation time IXFR
23 On-demand zone transfers Yes
24 Normal zone transfer and propagation time ~ 15 minutes
     
25 IPv6 support Available on demand
26 Authoritative only server (Y/N)  
27 Unicast/Anycast Unicast
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA TSIG. Support for others as per BIND 9.x version.


Name Server R, location: Milton

Data not yet available.


Name Server W, location: Claremont (South Africa)

No. Parameter Value
     
1 Server administrator UUNET ZA System Administration
2 Organization, address P.O. Box 23475, Claremont, 7735, South Africa
3 Contact persons Khetan Gajjar, Elia Tsouros
4 Remote access to server SSH only
     
5 Location, building Worldcom Park, Gallo Manor, Johannesburg
6 On-location physical security systems Camera, Biometric, Physical lock
7 Temperature, air conditioning Data center climate controlled
8 External Power supplies, UPS, power backup UPS power, diesel generator
9 Data backup, RAID system Probably hardware mirrored
10 Connectivity, network bandwidth Currently multiple satellite-based E3 circuits, shortly fiber via SAT/3
     
11 Hardware: motherboard, manufacturer Probably Dell 2550 or equivalent
12 Hardware: CPU, frequency, quantity Probably dual PIII-900MHz
13 Hardware: Memory, quantity Probably 2GB
14 Load balancer  
     
15 Software: operating system FreeBSD
16 Software: name server BIND 8.x
     
17 Query rate, average [queries per sec.]  
18 Query rate, peak [queries per sec.]  
19 Access capacity  
     
20 Monitoring, logging: web interface As required
21 Monitoring, logging: error reports, reporting, statistics As required
     
22 Incremental transfers (dynDNS) and propagation time As required
23 On-demand zone transfers As required
24 Normal zone transfer and propagation time As required
     
25 IPv6 support If required
26 Authoritative only server (Y/N)  
27 Unicast/Anycast  
28 TSIG, DNSSEC, other authorization mechanisms (signatures), SIG SOA As required


12. Contracting partner Nominum Inc.

Nominum, Inc. is the world's leading provider of Internet naming and address management solutions. Nominum offers enterprise customers, e-commerce businesses, Internet Service Providers and telecommunications companies infrastructure assistance with their most demanding name and IP address management requirements via training, technical support, consulting and our DNS hosting solution Global Name Service (GNS™). Nominum supports and writes the DNS implementation known as Berkeley Internet Name Domain (BIND), the most commonly used domain name server on the Internet, as well as Dynamic Host Configuration Protocol (DHCP), the most widely used Open Source software for the automated assignment of IP addresses. BIND and DHCP are freely available as Open Source via the Internet Software Consortium’s website at http://www.isc.org.

For more information about Nominum, please visit our web site at http://www.nominum.com.

The GNS name servers run proprietary DNS server software written by the experts at Nominum. These servers have been optimized for specific functions within the GNS system, and have significantly better performance traits than general purpose DNS software. Server configurations can be rebuilt quickly if necessary as the information is stored via a source control system to ensure a server outage won’t necessitate starting a reconfiguration from scratch. In addition, Nominum keeps a store of pre-configured “hot spare” machines ready to be quickly deployed should the need arise.

Another key component of the GNS infrastructure is a pair of systems that are used to transfer zone data from the GNS database and from customers' primary servers to the public GNS name server hosts. The GNS servers receive their data from the transfer systems, which push information out as often as necessary without adding unduly to the load of the customers' primary servers. The system has been optimized so that only updated data is copied. When the GNS customer sends a notify, it takes only 5 to 10 minutes for the GNS system to initialize a transfer from the customer site.

Nominum takes advantage of a dual-mesh anycast routing design for the GNS. This means that one server at any one GNS site responds to an IP address in a specific subnetwork, while the other server responds to an address on another subnet. Each of these networks is announced via the anycast routing architecture, which enables machines at disparate physical locations to appear to the Internet to be on the same network. Therefore, if one individual machine goes down for some reason, the network automatically provides the options of a machine on the other subnet and another machine on the same subnet as the one that is down. Thus, DNS queries will always be responded to from one or the other of the routing meshes. Queries will be directed to the server closest topologically and/or to the server with the lowest calculated Round Trip Time (RTT). This technique allows GNS to provide better response speed than systems with traditional network configurations. Although not explicitly shown in the GNS architecture diagram above, this routing system means that the routing architecture is also redundant at each GNS site and that each router has a backup.

Nominum GNS provides:

  • International Domain Name support
  • DNS Security (DNSSEC) support
  • IPv6 support

Please review appendix CA for more background information on Nominum Inc. and its Global Name Service (GNS) system.


13. Contracting partner IX Europe Telehouse

IXEurope is Europe’s premier neutral co-location company. Its IXDataCenters are built to exacting, rigorous standards. The sites are located at major network crossroads, providing unrivalled multi-carrier bandwidth allowing choice, control and resilience. Co-locating in an IXDataCenter gives customers the flexibility to run their business while protecting their long-term interests. In August 2000 IXEurope received the ISO-9002 quality certification, becoming the only neutral co-location provider in Europe to do so.

IXEurope’s operations team has first hand experience in running core parts of Internet infrastructure with their TIX Zurich Internet Exchange and the ccTLD.tix.ch secondary name server service.

IXEurope’s premier customers include Akamai Technologies, Google Inc., Rackspace.com, Deutsche Telekom, France Telecom Long Distance Services, Swisscom IP-Plus, NTT Europe and other top global Telecoms and Internet companies.

IXEurope has been awarded the 2002 ISPA (Internet Service Providers Association) award for Best Co-location Provider, another endorsement of its success in the market. The judging panel included executives from Cable & Wireless, Nokia, Energis, Easynet, LINX, XchangePoint and Nominet UK. IXEurope was appraised on its performance, support, price, facilities and service level agreement, after being short-listed along with five other co-location providers. The judges cited that IXEurope stood out from the other nominees for its 99.999% SLA commitment and outstanding support services. The ISPA awards, much respected in the industry, are presented every year and have stringent judging standards. This year, market research company Durlacher, the quoted broking, research, publishing and investment group, determined the five-strong shortlist for the Best Co-location Provider award.

IXEurope partners with best-of-breed technology providers and integrators to add real value to its customers' business, from co-location and networking to managed services. Through a network of quality data centers integrating leading-edge solutions, IXEurope provides critical support for Internet and IT infrastructures across a community of content providers, service providers and end-users.
