Optimizing Authoritative Servers Deployment on TLDs (abstract)

Authors

  • Ricardo de O. Schmidt
  • Giovane C. M. Moura
  • John Heidemann
  • Moritz Müller
  • Marco Davids
  • Cristian Hesselman

Abstract

If you were to set up a new top-level domain (TLD), how many authoritative servers would you deploy? Figure 1 shows that most TLDs (∼50%) nowadays use 4 servers. Where would you deploy them (geographically)? And would you use anycast services (local on CDNs/ISPs, global elsewhere), unicast services, or a combination of both? For existing TLDs, how can you tune your authoritative server setup to optimize round-trip time (RTT) to your clients and improve resilience against DDoS attacks [1]? These are questions that TLD operators continuously face.

Consider the example of the .nl TLD (the Netherlands), which has 8 authoritative servers. Figure 2 shows how they are deployed (3 employ IP anycast). A resolver, on the user's behalf, would resolve example.nl by contacting any of these eight servers, and the choice depends on the resolver's implementation [4]. Because of IP anycast, which allows an authoritative server to share the same IP address across multiple machines distributed around the globe, not all authoritative servers have the same number of physical machines. Figure 3 shows the authoritative servers for .nl, in which the area of each authoritative server is proportional to its number of sites/locations. The netnod auth. server is by far the largest.

As a result of these differences, one could expect that the .nl netnod auth. server would receive more traffic than the others. That is not the case. Figure 4 shows traffic to the auth. servers (area proportional to the total number of incoming queries in June 2016). First, ns5 in fact handles more traffic than netnod. One of the reasons is that ns5 is a local anycast server deployed in most Dutch ISPs, which are responsible for a large portion of the total amount of traffic [3]. Another interesting and not yet clear observation is that while ns1-ns4 are all deployed in the Netherlands as unicast sites, ns1 still gets 50% less traffic than the others.

What we can derive from these two observations is that the distribution of query sources must also be taken into account when designing the deployment of a TLD. These two examples cry out for a systematic study that aims at optimizing TLD authoritative server deployments, for both

Similar resources

Measuring the Placement of DNS Servers in Top-Level-Domain

DNS is a critical infrastructure of the global Internet. To assure DNS’s efficient and robust operations, each domain, especially each of the Top-Level-Domains (TLDs), should deploy multiple redundant nameservers in diverse locations. To assess the robustness of TLD nameserver deployment regarding the nameserver redundancy and location diversity, we conduct a measurement study by sending specia...

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

The Domain Name System’s Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified inflight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management task...

Operational Implications of the DNS Control Plane

The Domain Name System (DNS) [7] provides vital mapping services for the Internet. It maps domain names such as ucla.edu to values ranging from IP addresses to email servers to geographic locations and more. Virtually every Internet application relies on looking up some form of DNS data. This article first describes a dichotomy that exists between DNS’ well structured and ordered data plane (th...

A Case for Comprehensive DNSSEC Monitoring and Analysis Tools

The Domain Name System Security Extensions (DNSSEC) add an element of authentication to the DNS, which is a foundational component of today’s Internet. However, the complexity involved in maintaining a DNSSEC deployment is significantly more than that of its insecure counterpart, and there are more places where problems can occur. Our analysis shows that errors in DNSSEC configuration have been...

An integrated testing system for IPv6 and DNSSEC

IPv6 protocol, which should replace the actual IPv4 protocol, brings many new possibilities and improvements considering simplicity, routing speed, quality of service, and security. In comparison to IPv4, IPv6 improves mechanisms for assuring a secure and confidential transfer of information. DNS has been extended to provide security services (Domain Name System Security Extensions (DNSSEC)) ma...

Publication date: 2016