2019-12-18 - News - Tony Finch
Season's greetings! I bring tidings of great joy! A number of long term DNS projects have reached a point where some big items can be struck off the to-do list.
This note starts with two action items for those for whom we provide secondary DNS. Then, a warning for those who secondary our zones, including stealth secondaries.
There are still a few more delegation updates to do, including for cam.ac.uk itself, which will happen in the new year. There will be further announcements near the time.
Replacement of ISC SNS
We are replacing the ISC SNS with secondary DNS service provided by Mythic Beasts.
If you have DNS zones that currently list sns-pb.isc.org in their NS records, please update them at your convenience to use the Mythic Beasts servers listed below. These servers are already configured with your zones.
The replacement servers are:
  ns1.mythic-beasts.com (in Dallas)
  ns2.mythic-beasts.com (in London)
  ns3.mythic-beasts.com (in Amsterdam)
For zones that use ns2.ic.ac.uk (also in London) we are just using ns1 and ns3, and skipping ns2.mythic-beasts.com.
Mythic Beasts are the domain registrar we use for the Managed Zone Service. They also provide non-JANET network connectivity for commercial tenants on the CUDN. Outside the University, they are well known for hosting the Raspberry Pi web site.
DNS server renaming
Last year we started a DNS server renaming / renumbering project. That has been on hold for much of this year while we got some necessary infrastructure in place, and while other work took priority.
The delegations for almost all of our zones have now been updated to use the new authoritative DNS server names like auth0.dns.cam.ac.uk instead of authdns0.csx.cam.ac.uk.
Still remaining to do are cam.ac.uk itself, and a number of reverse DNS zones related to IP address space suballocated by JANET. These should be completed early in the new year.
If you have any zones that still use the old names, please update them to the new names.
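Both action items above (dropping sns-pb.isc.org in favour of the Mythic Beasts servers, and renaming authdns0.csx.cam.ac.uk to auth0.dns.cam.ac.uk) amount to checking your zones' NS records. The script below is an added example, not code from this announcement or from the University's DNS tooling: it parses NS records in presentation format (as printed by a dig query, or from a zone file), reports old names that still need changing, and checks that the expected Mythic Beasts servers are present, honouring the ns2.ic.ac.uk special case. The zone names are constructed, and treating the "authdnsN.csx" to "authN.dns" rename as a numbered pattern beyond the one pair the announcement gives is an assumption.

```python
import re

# The three replacement secondaries named in the announcement.
MYTHIC_BEASTS = ("ns1.mythic-beasts.com", "ns2.mythic-beasts.com", "ns3.mythic-beasts.com")
OLD_ISC_SNS = "sns-pb.isc.org"
# The announcement gives one rename (authdns0.csx -> auth0.dns); treating the
# number as a pattern for any other authdnsN server is an assumption.
OLD_CSX_NAME = re.compile(r"^authdns(\d+)\.csx\.cam\.ac\.uk$")


def parse_ns_records(text):
    """Group presentation-format NS records ('owner [TTL] [IN] NS target.') by owner.

    Returns {owner: set(targets)} with names lower-cased and trailing dots removed.
    """
    zones = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 3 or fields[-2].upper() != "NS":
            continue
        owner = fields[0].rstrip(".").lower()
        target = fields[-1].rstrip(".").lower()
        zones.setdefault(owner, set()).add(target)
    return zones


def audit_zone(targets):
    """Report what a zone's NS set still needs changed after the two migrations.

    rename:  old name -> new name (None means "remove; replaced by Mythic Beasts")
    missing: Mythic Beasts servers expected but absent, checked only for zones
             that list the ISC SNS or any Mythic Beasts server already
    """
    rename = {}
    for name in sorted(targets):
        if name == OLD_ISC_SNS:
            rename[name] = None
        m = OLD_CSX_NAME.match(name)
        if m:
            rename[name] = f"auth{m.group(1)}.dns.cam.ac.uk"

    uses_mythic = OLD_ISC_SNS in targets or any(t in MYTHIC_BEASTS for t in targets)
    expected = set(MYTHIC_BEASTS) if uses_mythic else set()
    if "ns2.ic.ac.uk" in targets:
        expected.discard("ns2.mythic-beasts.com")   # London is already covered by ns2.ic.ac.uk
    missing = sorted(expected - targets)

    return {"rename": rename, "missing": missing, "ok": not rename and not missing}


def audit_ns_text(text):
    """Run audit_zone over every zone found in the given NS records."""
    return {zone: audit_zone(targets) for zone, targets in parse_ns_records(text).items()}


# Constructed sample: three hypothetical zones at different stages of the migration.
SAMPLE_NS = """\
; constructed sample data, not real delegations
alpha.example.  86400 IN NS authdns0.csx.cam.ac.uk.
alpha.example.  86400 IN NS sns-pb.isc.org.
beta.example.   86400 IN NS auth0.dns.cam.ac.uk.
beta.example.   86400 IN NS ns2.ic.ac.uk.
beta.example.   86400 IN NS ns1.mythic-beasts.com.
beta.example.   86400 IN NS ns3.mythic-beasts.com.
gamma.example.  86400 IN NS auth0.dns.cam.ac.uk.
gamma.example.  86400 IN NS ns1.mythic-beasts.com.
gamma.example.  86400 IN NS ns2.mythic-beasts.com.
gamma.example.  86400 IN NS ns3.mythic-beasts.com.
"""

if __name__ == "__main__":
    for zone, result in audit_ns_text(SAMPLE_NS).items():
        print(f"{zone}: {'OK' if result['ok'] else 'needs update'}")
        for old, new in result["rename"].items():
            print(f"  {old} -> {new or 'remove (replaced by Mythic Beasts)'}")
        for name in result["missing"]:
            print(f"  missing {name}")
```

To run it against a real zone, feed it the answer section of a query for the zone's NS records instead of SAMPLE_NS; the parser ignores comment lines and tolerates a missing TTL or class field.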
DNSSEC algorithm rollover
A wholesale delegation clean-up is a good opportunity to make some wholesale DNSSEC improvements. Doing them at the same time saves us from repeating a lot of the same kinds of correctness checks.
We are changing the signature algorithm on all our zones from RSA-SHA-1 (and a few cases of RSA-SHA-256) to ECDSA-P256-SHA-256. This improves things in a couple of ways:
ECDSA has much smaller signatures than RSA, which leads to smaller DNS packet sizes. This helps to avoid difficulties related to packet fragmentation and fallback to TCP.
Our RSA key sizes are rather too small, and SHA-1 is rather broken. Both were in serious need of upgrading to a better security level.
All Managed Zone Service domains are now signed with ECDSA. (A few lack secure delegations owing to missing third-party support.)
Most of our reverse DNS zones are now signed with ECDSA. (Reverse DNS zones related to IP address space suballocated by JANET and Mythic Beasts lack secure delegations.)
After the holidays we will do the algorithm rollover for our large zones, cam.ac.uk, 111.131.in-addr.arpa, and in-addr.arpa.cam.ac.uk. During the rollover the zones will have two sets of signatures, so they will be approximately 50% larger. When the rollover is complete they will be about 25% smaller than before. The rollover process will take a few days, to allow for the long time-to-live on DNS delegations.
DNS servers need to run with at least twice as much RAM as they use in normal operations, to allow for certain kinds of reconfiguration that need two copies of a zone in memory. So the rollovers should not cause problems for properly provisioned servers.
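As an added illustration of the rollover described above (example code, not from this announcement or the University's DNS tooling), the script below parses DNSKEY records in presentation format and reports the algorithm mix, which shows whether a rollover has not started, is in progress with both key sets published, or is complete. It also flags the two weaknesses the announcement names, SHA-1 based algorithms and short RSA moduli, and works out the per-signature size for each key, which is what drives the packet-size point: an RSA signature is as long as the key's modulus, while an ECDSA P-256 signature is 64 bytes. The DNSKEY lines are constructed from filler bytes, and the 2048-bit threshold for "too small" is an assumption, since the announcement gives no number.

```python
import base64
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers for the algorithms discussed above.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256"}
RSA_ALGS = {5, 7, 8, 10}
SHA1_ALGS = {5, 7}
ECDSA_P256_SIG_BYTES = 64        # signature is r || s, two 32-byte integers
MIN_RSA_BITS = 2048              # assumed threshold for "too small"; the page gives no number


@dataclass
class KeyInfo:
    owner: str
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    key_bits: int       # RSA modulus size, or curve size for ECDSA
    sig_bytes: int      # size of the signature field in an RRSIG made with this key


def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 wire format: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    e_len, offset = pubkey[0], 1
    if e_len == 0:
        e_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return (len(pubkey) - offset - e_len) * 8


def parse_dnskey(line: str) -> KeyInfo:
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...'."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, alg = int(f[i + 1]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    if alg in RSA_ALGS:
        bits = rsa_modulus_bits(pubkey)
        sig = bits // 8                       # an RSA signature is as long as the modulus
    elif alg == 13:
        bits, sig = 256, ECDSA_P256_SIG_BYTES
    else:
        raise ValueError(f"algorithm {alg} not handled in this example")
    return KeyInfo(f[0].rstrip(".").lower(), flags, alg, bits, sig)


def rollover_state(keys):
    """The algorithm mix in the DNSKEY RRset tells you where an RSA -> ECDSA rollover is."""
    algs = {k.algorithm for k in keys}
    if algs == {13}:
        return "complete"
    if 13 in algs:
        return "in progress"     # both algorithms published, so two sets of signatures
    return "not started"


def audit_dnskeys(text):
    """Summarise rollover state, weak-key findings and signature sizes for one DNSKEY RRset."""
    keys = [parse_dnskey(line) for line in text.splitlines()
            if not line.startswith(";") and " DNSKEY " in line]
    findings = []
    for k in keys:
        if k.algorithm in SHA1_ALGS:
            findings.append(f"{ALG_NAMES[k.algorithm]} key (flags {k.flags}) uses SHA-1")
        if k.algorithm in RSA_ALGS and k.key_bits < MIN_RSA_BITS:
            findings.append(f"RSA key (flags {k.flags}) is only {k.key_bits} bits")
    sig_bytes = {k.algorithm: k.sig_bytes for k in keys}
    return {"state": rollover_state(keys), "findings": findings, "sig_bytes": sig_bytes}


# Constructed keys: a 1024-bit RSA modulus (exponent 65537) and a P-256 point, filler bytes only.
_RSA_KEY = base64.b64encode(b"\x03\x01\x00\x01" + b"\xab" * 128).decode()
_ECDSA_KEY = base64.b64encode(b"\x11" * 64).decode()
SAMPLE_DNSKEYS = f"""\
; constructed sample, mid-rollover: old RSASHA1 keys alongside new ECDSAP256SHA256 keys
zone.example. 3600 IN DNSKEY 257 3 5 {_RSA_KEY}
zone.example. 3600 IN DNSKEY 256 3 5 {_RSA_KEY}
zone.example. 3600 IN DNSKEY 257 3 13 {_ECDSA_KEY}
zone.example. 3600 IN DNSKEY 256 3 13 {_ECDSA_KEY}
"""

if __name__ == "__main__":
    result = audit_dnskeys(SAMPLE_DNSKEYS)
    print("rollover:", result["state"])
    for alg, size in result["sig_bytes"].items():
        print(f"  {ALG_NAMES[alg]}: {size}-byte signatures")
    for finding in result["findings"]:
        print("  !", finding)
```

For a stealth secondary, the same parser can be pointed at the DNSKEY RRset of a zone you transfer; seeing both algorithm numbers at once is the expected mid-rollover state, and the larger zone during those days is the two signature sets the announcement describes.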