2006.02.13 Steve Gibbard

DNS infrastructure Distribution
Steve Gibbard
Packet Clearing House
http://www.pch.net/
scg at pch.net

Introduction
Previous talk on importance of keeping criticical
 infrastructure local
Without local infastructure, local communications are
 subject to far away outages, costs, and performance
Critical infrastructure includes DNS
If a domain is critical, so is everything above it in the
 hierarchy
Sri Lanka a case in point.

Previous talk was in Seattle last spring, highlighted
undersea cable being cut; even local DNS queries failed
since TLD servers couldn't be reached, even though
local connectivity still worked.  The ship dragging
anchor in harbor cut only undersea path out of the
country; international calling was down, and all of
the Internet.  But unlike local telephone system,
even local networks failed to work.

Root server placement
Currently 110 root servers(?)
 Number is a moving target
Operated by 12 organizations
13 IP addresses
 at most 13 servers visible from any one place at any one
  time
 six are anycast
 four are anycasted in large numbers
All remaining unicast roots are in the bay area, LA,
 or washington DC

Distribution by continet
34 in NA
 8 each in BA/DC/ 5 in LA
 Only non-coastal roots in US are Chicago and Atlanta
 canada, monterrey, mexico some others
34 in Europe
 clusters of 4 each in London, and amsterdam, Europe's
  biggest exchanges
 even throughout rest of europe for rest.

Distribution by continent
26 in Asia (excluding middle east)
5 in japan (4 tok, 1 kyoto)
3 in india, korea, singapore
2 in hongkong, jakarta, and beijing
south asia an area of rapid expansion
6 in australia/new zealand
 2 in brisbane
 1 each in auckland, perth, sydney, and wellington

5 in middle east
 1 each ankara, tel aviv, doha, dubai, abu dhabi
3 in africa
 2 in johannesburg
1 in nairobi, 1 more being shipped
very little intercity onr intercountry connectivity
2 in SA
 sao palo
 santiago de chile

other parts of world not really served at all.
world map with blobs showing coverage.  Huge areas
not covered.
overlaid fiber maps with dots to get ideas of
coverage (redundant); everyone else is one fiber
or satellite cut from being isolated and dark.
Pretty much follows the areas with money.

Root server expansion
4 of 12 root servers actively installing new roots
110 root servers big improvement over 13 from 3 years
 ago
two operators (autonomica, ISC) (I and F) are installing
wherever they can get funding
 funding sources typically RIRs, local governments, or
  ISP associations
 Limitations in currently unserved areas are generally due
  to lack of money

Fs and Is
In large portions of world, several closest roots are
 Is and Fs
 At most 2 root IP addresses visible; others far way
 Does this matter?
  gives poorly connected regions less ability to use
   BINDs failure and closest server detection mechanisms
  non-BIND implementations may default to far-away roots
 Should all 13 roots be anycasted evenly?
  CAIDA study from 2003 assumed a maximum of 13 locations;
   not really relevant anymore

Big Clusters
Lots of complaints about uneven distribution
Only really a concern if resources are finite
Large numbers in some places donesn't prevent growth in
 others
Bay Area and DC clusters seem a bit much, but sort of match
 topology
Western Europe's dense but relatively even distribution
 exactly right
Two per city perhaps a good goal for everywhere

TLD distribution
Like the root, locally used TLDs need to be served
  locally
Locally used TLDs: local ccTLD; any other TLDs commonly
 in use
Regions don't need ALL TLDs.

gTLD distribution: .com/.net
.com/.net
 well connected to the "internet core"
 servers in the big cities of US, Europe, Asia
 non-core location: sydney.

Map of world with .com/.net overlaid with fiber maps
shows "well-served areas" again following the money,
with even less coverage outside NA/Europe/Asia.

gTLD dist: .org/.info/.coop
share same servers
considered confidential.  data may be incomplete
significantly fewer publically visible servers,
almost all in internet core.
only one public locatino in each of asia and europe

Even worse coverage worldwide, though they do have
south africa.

Do have some caching boxes next to caching resolvers
at the big ISPs; not sure if it increases coverage
or not.

Few other gTLDs, didn't map them.
.gov is us-centric
.edu is US, some eu, some asia
.int is california, netherlands, UK
  (not very international!!)

Where should gTLDs be?
presumably depend on their markets
if it's ok for large portiions of the world to not use
  those gTLDs, then it's OK for them to not be hosted there.

ccTLD dist:
 answers to where ccTLDs should be more straightforward
  working in their own regions a must
  working in the "core" could be a plus
just over 2/3 of ccTLDs are hosted in their own
  countries
(but a lot of those aren't ...

Green map shows those countries that host their own
ccTLDs locally.  Most islands are red, in danger of
being cut off from their ccTLDs.

ccTLDs not slaved in the core
18 ccTLDs aren't slaved in the global core
if their regions are cut off, those ccTLDs won't be visible
 to the rest of the world
is that really an issue, if you can't get to the end site
  anyhow?
 violation of RFC2182, unclear data results
 not so much matters if nobody from out

.bb
.bd
.bh
.cn
.ec
.gf
.jm
.kg
.kw
.mp
.mq

Example countries
Kenya
 exchange point, root server, ccTLD server, all external
  connectivity by satellite
Pakistan
 root server, no exchange point, no TLDs locally
 (so how much use is the local root server?)

Kenya:
 local exchange in nairobi
 root server
 ccTLD server
 so even if external link goes down, country can stay
 mostly functional.

Pakistan:
 local root server (for at least one ISP)
 no TLDs
 .pk hosted entirely in US
 no local exchange to share local root server
 single fiber connection; when it breaks, nothing works.

Local peering caveat
local traffic has to be kept local before keeping DNS local
 is of much benefit.
 Requires either strict monopoly, or local exchange points
Examples here highlight that.

Methodology
Get name server addresses for TLDs
Assume everything in a /24 is same place or set of places.
(really down and dirty shell scripts)
  bad assumption for UUnet nameservers; didn't find others.
  625 /24s contain name servers for TLDs
  135 host multiple TLDs; over 60 in RIPEs case
Figure out where those subnets are
 traceroutes/ask questions

Subnets with 10+ TLDs--read it from the slides.  :D
193.0.12/24
192.36.125/24

Other sources
www.root-servers.org had root server data; assumed accurate.
ultraDNS locations considers its locations confidential
 Got info from Afilias's .Net application.  Told missed some.
In general, most other TLD operators were very helpful.

Thanks!

http://www.pch.net/resources/papers/infrastructure-distribution/

Mark Kosters, Verisign; notes there's two other root
server groups also going anycast wherever people will
pay to host them.  K with RIPE is now going outside
region, and Verisign (J?) is also talking about
serving in multiple regions.
Dealing with local customs getting in country tends
to be the biggest challenge; PCH has seen similar
challenges getting into countries.

OK, break time now.