OpenNIC DNS Specification:OpenNIC Wiki

OpenNIC DNS Specification

Status: second working draft

The DNS architecture for OpenNIC into 2007 has been pretty sound, with the exception of the "single point of failure" at ns0 due to a policy of all TLDs, both OpenNIC and ICANN, being aggregated into a single distributed root zone on that host alone.

Important and useful elments of this structure are preserved in the following suggestion for moving forward..

each TLD must sponsor one tier1 and preferably one tier2 DNS server

each TLD's tier1 server is authoritative master for their TLD zone, and slave for the other TLDs and root.

tier1 servers should provide appropriate responses to querys from recursing (tier2) nameservers

i.e. they do not need to provide recursive answers to the general public.

all tier1 servers must provide public authoritative response for all OpenNIC TLDs and the root

for Bind configurations, tier1 hosts will have 'zone' declarations for each OpenNIC TLD and the root

all tier1 servers must provide bi-directional zone transfer with all other tier1 servers

DNSSEC required for transfer between tier1 hosts ?? ref. DNSSEC deliberation
Policy for xfer to others than tier1 ?? ref. Xfer Deliberation

all tier2 servers provide recursive response to anybody and everybody so that the public can use them for all internet access.

for Bind configurations, tier2 hosts need only one 'zone' declaration as slave for the root zone '.' , with tier1 masters.

Can/Should we provide/support a "hint" zone file ?? ref. HintDeliberation

Ideally user ISPs would provide this service, but somebody has to, and more is better.

Zone files must specify the authoritative master in the SOA record, and should provide NS records for all tier1 hosts
Zone file SOA serials shall be in the form of yyyymmddnn where yyyy=year, mm=month(numeric), dd=date, n is in the range 0..9

ns0 should not be an authoritative host for anything other than root, but may serve as tier1

A single ns0 (tier0) host could continue to aggregate all the ICANN and other zones for integration into the tier1 distribution; however, several tier1 hosts should have the ability to become tier0/ns0 in the event ns0 goes out of service, thereby removing the historic single point of failure.

The tricky part about a distributed root is that the root zone which is authoritative for '.' must contain ALL served TLDs, aggregating OpenNIC's zones with ICANN's and others; and discovery of which TLDs are being used/served.

CategoryArchitecture
CategoryHostmastering

Comments [Hide comments]

Comment by AaronJAngel

2007-06-27 23:55:01

I think we'll suffice with having a TLD op run server[s] for their own TLDs. Preferably more than one, depending on the size of the TLD; but, that's up to the op. I don't think we need to have them sponser a tier-//n// server unless the op wants to do so. We should focus on having service providers sponsering recursive services for their users; most users aren't going to switch roots unless their ISP does, and even then, fewer really care or know what their ISP does unless someone makes a big deal about it.

[Comment deleted]

Comment by AvoYager

2007-07-09 13:08:01

The reason for a tier1 host is to provide an authoritative master for the TLD zone, to the tier1 servers, and as a slave for other zones in exchange for other zone hosts slaving for their TLD

The reason for a tier2 host is to provide public resolution for users whose ISPs are not providing it. It could be considered an optional requirement for a TLD, but somebody else would have to do it for them or they won't be visible to the public; and it seems to me to be reasonable responsibility for the zone ops. I have proposed this rquirement as "preferred".

Comment by JulianDemarchi

2007-06-28 23:58:37

Is FreeNICs DNS model ideal for the OpenNIC project? Having only one NS0 is not good, as a single point of failure could spell T-R-O-U-B-L-E. It was a single point of failure that started all of these discussions and the recent activity with OpenNIC.

[Comment deleted]

Comment by AvoYager

2007-07-09 13:02:41

Julian, the FreeNIC model would not work with our aggregated root, due to the aggregation. It is most appropriate for utilization in the TLD zones which use delegation, rather than aggregation.

To remove single point of failure, multiple tier1 hosts should be able to take over as ns0 if necessary. The aggreegate root should change only very seldom, as long as the sub-root servers are stable. Robin can hopefully share his experience with this.

Comment by JeffTaylor

2007-07-13 23:14:47

I have to ask again... what's the purpose behind having a tier0? The only thing I see that we get from zero is the tld-root file, correct? If that is true, it should be a simple matter of distributing the script used to create that file to each of the tier1 servers, and letting them regenerate an updated file every day (obviously with some sort of built-in check to ensure that everyone is generating an identical file).

Further down the chain, the tier2 servers all slave their copy from one of the tier1 servers (which can be a list of multiple IP's) so they have built-in redundancy in case a tier1 server goes down. And any end-users who are running their own personal DNS server will either slave their copy from the tier2 servers, or they can manually get it from the website, where we would have a list of mirrors pointing directly to the file on all the tier1 servers. Again, plenty of redundancy.

Comment by AvoYager

2007-07-13 23:27:19

My answer to your question Jeff about tier0 (pending Robin's more experienced perspective) is that, as you noted, it aggregates zone authorities into a single root. I don't think it changes very often. As noted in the draft spec, several tier1 hosts should be enabled to complete this assignment, but I think it should be a single authoritative master, since in part this aggregate root is the single definition and expression of OpenNIC.

The other important role it can serve is to be another slave for each zone, a useful additional host which tier1s can list as master for the zones they slave. Yes, maybe they can use any or all other tier1 for this also.

Comment by JulianDemarchi

2008-02-15 19:24:16

Quote from M/L
All T1s should allow AXFRs to and from other T1s, with only getting the root
zone from NS20(T0). AXFRs should not be allowed to any other servers.

Avo mentioned he has a system to ban servers who _abuse_ his T1s. Avo can you
elaborate on this more. I.E How do you do it, how do you recognize a
mis-configured server..... Should this method be adopted globally for T1s? If
so, we should discuss a way of informing ppl that there server is not configured
correctly, by instead of having dont.ask.me.XXXXXX have a pointer to a wiki/glue
site saying what could be wrong and how to fix.

OpenNIC Wiki : DnsSpec

OpenNIC DNS Specification

Status: second working draft