DNS delegation updates

2019-12-18 - News - Tony Finch

Season's greetings! I bring tidings of great joy! A number of long term DNS projects have reached a point where some big items can be struck off the to-do list.

This note starts with two action items for those for whom we provide secondary DNS. Then, a warning for those who secondary our zones, including stealth secondaries.

There are still a few more delegation updates to do, including for cam.ac.uk itself, which will happen in the new year. There will be further announcements near the time.

Replacement of ISC SNS

In October, we warned that our secondary DNS service sns-pb.isc.org is to be decommissioned at the end of January 2020.

We are replacing the ISC SNS with secondary DNS service provided by Mythic Beasts.

If you have DNS zones that currently list sns-pb.isc.org in their NS records, please update them at your convenience to use the Mythic Beasts servers listed below. These servers are already configured with your zones.

The replacement servers are:

  • ns1.mythic-beasts.com (in Dallas)
  • ns2.mythic-beasts.com (in London)
  • ns3.mythic-beasts.com (in Amsterdam)

For zones that use ns2.ic.ac.uk (also in London) we are just using ns1 and ns3, and skipping ns2.mythic-beasts.com.

Mythic Beasts are the domain registrar we use for the Managed Zone Service. They also provide non-JANET network connectivity for commercial tenants on the CUDN. Outside the University, they are well known for hosting the Raspberry Pi web site.

DNS server renaming

Last year we started a DNS server renaming / renumbering project. That has been on hold for much of this year while we got some necessary infrastructure in place, and while other work took priority.

The delegations for almost all of our zones have now been updated to use the new authoritative DNS server names like auth0.dns.cam.ac.uk instead of authdns0.csx.cam.ac.uk.

Still remaining to do are cam.ac.uk itself, and a number of reverse DNS zones related to IP address space suballocated by JANET. These should be completed early in the new year.

If you have any zones that still use the old names, please update them to the new names.

DNSSEC algorithm rollover

A wholesale delegation clean-up is a good opportunity to make some wholesale DNSSEC improvements. Doing them at the same time saves us from repeating a lot of the same kinds of correctness checks.

We are changing the signature algorithm on all our zones from RSA-SHA-1 (and a few cases of RSA-SHA-256) to ECDSA-P256-SHA-256. This improves things in a couple of ways:

  • ECDSA has much smaller signatures than RSA, which leads to smaller DNS packet sizes. This helps to avoid difficulties related to packet fragmentation and fallback to TCP.

  • Our RSA key sizes are rather too small, and SHA-1 is rather broken. Both were in serious need of upgrading to a better security level.

All Managed Zone Service domains are now signed with ECDSA. (A few lack secure delegations owing to missing third-party support.)

Most of our reverse DNS zones are now signed with ECDSA. (Reverse DNS zones related to IP address space suballocated by JANET and Mythic Beasts lack secure delegations.)

After the holidays we will do the algorithm rollover for our large zones, cam.ac.uk, 111.131.in-addr.arpa, and in-addr.arpa.cam.ac.uk. During the rollover the zones will have two sets of signatures, so they will be approximately 50% larger. When the rollover is complete they will be about 25% smaller than before. The rollover process will take a few days, to allow for the long time-to-live on DNS delegations.

DNS servers need to run with at least twice as much RAM as they use in normal operations, to allow for certain kinds of reconfiguration that need two copies of a zone in memory. So the rollovers should not cause problems for properly provisioned servers.