The UIA Team has at its disposal an extensive constellation of globally
deployed DNS nameservers. Each site has multiple load-balanced DNS servers
managed remotely over secure VPNs and monitored around the clock at
four-second intervals.
Figure C17.5-1: Global DNS Constellation
The locations of the 13 DNS sites are shown in Figure C17.5-1. Each
site contains multiple servers and a complete set of redundant hardware
components so that there are no single points of failure. Each site has a
minimum of two 100mb network connections and is served by at least two
separate Tier-1 network bandwidth providers. By the end of 2002, four of
the sites will be upgraded to "super" sites, with network
capacity of 1gb. Additionally, all the sites were specifically selected
because of their location at major Internet peering points. So critical
are these sites to the stability of the Internet, and so extensively
monitored, that the National Communications Center (NCC) and the FBI's
National Infrastructure Protection Center (NIPC) have requested and
received a direct link to the monitoring screens used by the Registry
Command Center (RCC) to monitor the status and performance of these sites.
Zone file publication and distribution is a function that requires
extremely high levels of quality control. Even six sigma quality
(99.9999%, or 3.4 defects per million units) means that a TLD with 2
million registrations would have seven that weren't working properly at
any given time. Seven may not seem significant, but that would depend on
the individual criticality of those seven. Many civil society/non-profit
organizations would be seriously impacted if their Internet presence were
disabled. Each time a zone file is moved from one physical location to
another, it will be audited to ensure that data is not lost or changed.
Many registry providers today don't even measure their quality with regard
to zone file publication and distribution. In 2001, the .org registry
maintained an overall quality rating for the .org zone of 99.99999995%.
Achieving this level of quality meant that only one registration was
impacted all year.
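The audit step described above (checking, each time a zone file is moved between sites, that no data was lost or changed) can be made concrete. The following is an added example, not tooling from the registry or from the proposal; it assumes a zone in plain master-file format with one record per line, and the sample zone it checks is constructed. It reduces both copies to a normalized multiset of records, compares an order-independent digest, and names exactly which records are missing from or foreign to the received copy, so a truncated or altered file is caught before it is served:

```python
import hashlib
from collections import Counter

# Constructed sample zone in master-file format; not real registry data.
# Assumption for this example: one resource record per line.
SOURCE_ZONE = """\
; .example zone - constructed sample
$ORIGIN example.
$TTL 172800
@               IN SOA  a.ns.example. hostmaster.example. (2002070101 1800 900 604800 86400)
@               IN NS   a.ns.example.
@               IN NS   b.ns.example.
civil-society   IN NS   ns1.civil-society.example.
civil-society   IN NS   ns2.civil-society.example.
nonprofit       IN NS   ns1.nonprofit.example.
"""


def canonical_records(zone_text):
    """Reduce a zone file to a multiset of normalized resource-record lines.

    Comments, blank lines and $-directives are dropped, runs of whitespace
    are collapsed and case is folded, so a copy that differs only in layout
    audits as identical while a lost or altered record does not.
    """
    records = Counter()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        records[" ".join(line.split()).lower()] += 1
    return records


def zone_digest(zone_text):
    """Order-independent SHA-256 over the normalized records (hex string)."""
    digest = hashlib.sha256()
    for record, count in sorted(canonical_records(zone_text).items()):
        digest.update(f"{count}:{record}\n".encode())
    return digest.hexdigest()


def audit_transfer(source_text, received_text):
    """Compare the copy received at a remote site against the source copy.

    Returns a report: 'ok' is True only when the digests match; 'lost' and
    'added' list the records missing from, or foreign to, the received copy.
    """
    src = canonical_records(source_text)
    dst = canonical_records(received_text)
    return {
        "ok": zone_digest(source_text) == zone_digest(received_text),
        "lost": sorted((src - dst).elements()),
        "added": sorted((dst - src).elements()),
        "source_records": sum(src.values()),
        "received_records": sum(dst.values()),
    }


if __name__ == "__main__":
    # Simulate a copy that lost its final record in transit.
    truncated = "\n".join(SOURCE_ZONE.splitlines()[:-1]) + "\n"
    print(audit_transfer(SOURCE_ZONE, SOURCE_ZONE)["ok"])   # True
    print(audit_transfer(SOURCE_ZONE, truncated))            # ok False, one record lost
```

Because the digest is computed over normalized records rather than raw bytes, a copy that was merely re-indented or reordered by the transport passes, while a single dropped or rewritten delegation fails the audit and is listed in the report, which is the granularity the per-registration quality figures above require.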
Figure C17.5-2: .org Zone Integrity
Figure C17.5-2 shows the monthly .org zone integrity. Thus far in 2002, .org zone integrity has been 100%.
Two separate and redundant mechanisms for distributing zone files to
the global DNS constellation are utilized. The first is a traditional
method of periodically generating zone files from the database and
distributing them to the DNS constellation. For security reasons, standard
BIND transfer mechanisms will not be used. Instead, a proprietary mechanism
will be utilized to enable faster and more reliable distribution of zone file
modifications. Additionally, a modified version of BIND will be utilized.
Although based on versions in the public domain, it has been modified to
improve performance and security. This will reduce the risks of newly
discovered exploits. For example, in 2001, an exploit in BIND was
discovered that necessitated that a patch be installed on all Internet root
servers within a 48-hour period. Upgrading the DNS software on all
Internet root servers within 48 hours is clearly a risky and undesirable
thing to do. Fortunately, in the BIND build currently used for .org, the
portion of the software subject to the exploit had been disabled. Therefore,
it was possible to take a more methodical approach to testing and deploying
the new BIND software (after having applied the proprietary modifications).
In 3Q2002, the new ATLAS platform will be deployed to the global DNS
constellation. The UIA Team proposes making use of the new ATLAS platform
in order to facilitate real-time zone updates while maintaining the
current levels of reliability and integrity. ATLAS is a framework that
addresses the need to ensure that accurate and up-to-date information is
made available around the globe at near-real-time speeds. The distribution
of the data across the DNS constellation utilizes the "zone
file" philosophy as well as incremental changes. Upon validation of a
given zone file or change, the information is queued up for distribution
to the remote sites of the DNS constellation. Upon receiving the
information at the remote site, the constellation site is updated with the
new information and immediately makes this information available for
Internet resolution. The real-time distribution mechanism is
depicted in Figure C17.5-3.
Figure C17.5-3: ATLAS Real-Time Distribution Mechanism
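The flow described above (validate a change, queue it for every site, apply it at the site and serve it immediately) is modelled in the following added example. It is not ATLAS code and nothing in it is drawn from the proposal beyond that flow; the class and function names, the LDH hostname rule used for validation and the sample changes are all constructed for illustration. Two properties matter for integrity: a change that fails validation is never queued, and each site applies changes strictly in serial order, so a site that sees a gap or replay stops and keeps its last good zone live rather than serving a partial update:

```python
import re
from collections import deque

# Assumption for this example: owner names and nameserver hosts are made of
# LDH labels (letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars).
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


class ValidationError(ValueError):
    """Raised for a change that must never be queued for distribution."""


def _is_hostname(name):
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))


def validate_change(change):
    """Validate one incremental change: (op, owner, rtype, nameserver).

    Only NS delegations are modelled; anything else is refused at the source.
    """
    op, owner, rtype, target = change
    if op not in ("add", "delete"):
        raise ValidationError(f"unknown operation {op!r}")
    if rtype != "NS":
        raise ValidationError(f"unexpected record type {rtype!r}")
    if not _is_hostname(owner) or not _is_hostname(target):
        raise ValidationError(f"malformed name in {change!r}")
    if not target.endswith("."):
        raise ValidationError(f"nameserver {target!r} is not fully qualified")
    return change


class Site:
    """A constellation site: applies queued changes in order, serves lookups."""

    def __init__(self, name):
        self.name = name
        self.serial = 0
        self.zone = {}        # owner -> set of nameserver names
        self.queue = deque()  # (serial, change) pairs awaiting application

    def drain(self):
        """Apply every queued change in order; returns the number applied.

        A serial gap or replay means a change was lost or duplicated between
        source and site, so the site stops and keeps its last good zone live.
        """
        applied = 0
        while self.queue:
            serial, (op, owner, _rtype, target) = self.queue[0]
            if serial != self.serial + 1:
                raise RuntimeError(
                    f"{self.name}: expected serial {self.serial + 1}, got {serial}")
            self.queue.popleft()
            targets = self.zone.setdefault(owner, set())
            if op == "add":
                targets.add(target)
            else:
                targets.discard(target)
                if not targets:
                    del self.zone[owner]
            self.serial = serial
            applied += 1
        return applied

    def lookup(self, owner):
        """Resolve a delegation from whatever this site currently serves."""
        return sorted(self.zone.get(owner, ()))


class Source:
    """Registry side: validates, serial-numbers and fans out each change."""

    def __init__(self, sites):
        self.serial = 0
        self.sites = list(sites)

    def publish(self, change):
        validate_change(change)  # a rejected change reaches no site
        self.serial += 1
        for site in self.sites:
            site.queue.append((self.serial, change))
        return self.serial


def demo():
    """Two sites, two valid changes, one rejected change; returns (lookups, serials)."""
    sites = [Site("site-a"), Site("site-b")]
    source = Source(sites)
    source.publish(("add", "nonprofit.example.", "NS", "ns1.nonprofit.example."))
    source.publish(("add", "nonprofit.example.", "NS", "ns2.nonprofit.example."))
    try:
        source.publish(("add", "bad_name.example.", "NS", "ns1.nonprofit.example."))
    except ValidationError:
        pass  # underscore is not LDH; nothing was queued for this change
    for site in sites:
        site.drain()
    return [s.lookup("nonprofit.example.") for s in sites], [s.serial for s in sites]
```

The serial check is what turns a transport hiccup into a visible condition rather than a silently divergent site: a monitoring loop of the kind the section describes can compare each site's serial against the source's and flag any site that has stopped advancing.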
The UIA Team proposes the continuation of the current bulk download of
the .org zone file. However, it also proposes working closely with and
cooperating with ICANN and the other gTLD registries regarding the
potential for charging commercial organizations for bulk zone access in
order to reduce some of the current less desirable uses of the zone file.