Re: [opennic-discuss] Root zone testing

  • From: Jeff Taylor <shdwdrgn AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Root zone testing
  • Date: Wed, 10 Sep 2014 21:50:17 -0600
  • Authentication-results: SMTP11; dmarc=none
  • Dmarc-filter: OpenDMARC Filter v1.2.0 33EDE2D2A1

I will try to address your questions, let me know if I miss anything...

As far as how DNSSEC traffic has affected the opennic servers, I have not heard of anyone saying they have noticed an increase in traffic.  The reality is that most people do not use DNSSEC, however since some folks have asked for it, we are trying to provide it.  Currently we have signing at the root level, and some of the TLDs, but it is not complete.

The DNSSEC keys appear to expire after about 45 days, so I am currently renewing the keys every 30 days.  If you were to transfer a signed domain to someone else, I would assume they could simply generate a new key.  Since all of the keys are self-signed (we don't have a CA yet), I don't believe this is a problem.

Our root zone does not affect Tor because we do not sign the Tor zones.  You mentioned a concern about censorship, but remember that since we generate our own root, we are including all of the information available.  As long as you can read our root, you will have an unfiltered version of all the information, and if we discover that censorship is occurring, I will simply change the programming to work around the problem so that we once again have a clean root zone.

If you have trouble with your ISP hijacking your DNS traffic, let us know.  Some tier-2 servers accept connections on alternate ports which your ISP would not be monitoring.  We believe the internet should be open, and we will continue to develop tools to help those who are using hostile internet providers.

On 09/10/2014 06:19 PM, David wrote:
In my opinion, feel free to correct ME.

 What exactly is defined as "root zone and dnssec entries in opennic"?

This is what I understand of DNSSEC.
I read LOTS of articles about it and honestly, it could be counter-
productive and used as a tool of censorship, or give too much power to the ISPs/
hostile governments. It does not help de-centralizing the internet.


What operational statistics have we gathered about DNSSEC?
Is it changing DNS patterns?

 How are our name servers handling DNSSEC traffic? Is the volume as

Have we seen any other unusual incidents?

 Are there experiences being documented in the form of best practices,
or something similar, for transfer of signed zones?

I was wondering how that will affect "tor users".
I'm not in favor of a root zone, but favor openness; that will give too
much "power" to the regimental ISP, meaning they could force you to use
their default DNS tier2 ICANN settings in their local web servers.

 For example: I discovered that my local ISP is making extra money on the
consumers by re-routing their base-band to

  Due to my bandwidth limitations, I noticed that was a main factor for
lagging at certain hours during the day.

  I discovered through my perseverance and research that opennic
offered a few DNS servers free from fingerprinting, and with faster
pings/tlc to my region, which is Singapore and Japan.

 Knowing this, I had no issues and I'm able to cap the maximum base-band
of my PC by redirecting my DNS to Japan or Singapore.

Let it be clearly understood that the Philippines IS MONOPOLIZED by 2
major telecoms, Smart and Globe.

 Globe owns or has bought rights to 3 major fiber-optic transoceanic
underwater cables, including one of them from the Philippines to Japan.
These oceanic cables do not traverse across the planet like the other
ones. Yet it is beneficial for opennic users like me,
because the Japan opennic DNS is free and very stable.

 Singapore opennic has its moments of glory and a lot of lag, too much
of it. So they sit in second place.

  Even is super fast, but they "DON'T RESPECT PRIVACY"; they
fingerprint your browsing habits. I only use when the other
opennic DNS are having "DIGITAL HICCUPS OR ASTHMA".


On 9/9/2014 1:49 AM, Jeff Taylor wrote:
A recent discussion has brought up the possibility that not all tier2
servers may be carrying the same root zone, or even staying up to date
with the file.  This came to light when a user noticed they couldn't
resolve an icann TLD that was created this April.

So I would like to start a discussion on policies and testing
methodology.  First, what should we consider to be a standard policy for
the public tier2 servers?  The wiki pages on setting up a tier2 server
all state that the root zone should be slaved from NS0, however if you
are not running BIND then slaving a zone may not be possible (although
this setup should be passing the queries on to one of the tier1
servers).  There is also the situation where some folks also run servers
for other alt-roots, and they may not have the tools available to merge
multiple root zones together...  Do we want to enforce the usage of the
opennic root zone for tier2 servers (complete with dnssec entries), or
do we want to keep the openness that our project was created on, and
allow for the possibility of other root zones?

Second, how should we test for functionality of the root zone?  If we
insist on everyone using opennic's root, then it could be as simple as
checking the serial and making sure it is within a couple days of what
NS0 has posted.  However if we want to remain open, we still want to
ensure that the tier2 servers are carrying recent changes to
icann/opennic TLDs, but how do we detect that?  It could be quite a
chore to try and detect every time a new TLD is added to the icann list,
and we certainly couldn't rely on matching the serial for the root zone
if everyone is using a different source.

One more point -- the server that caused the original discussion has
been updated, so at this point every tier2 server is currently resolving
an up-to-date opennic root zone.  This means if we wanted to make it a
policy to require the use of our root, nobody would have to change
anything, and the policy would only have to be enforced moving forward
with new servers.
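The testing methodology Jeff sketches in his original post (compare a tier2 server's root SOA serial against what NS0 publishes, and probe recently added TLDs so a server on a different root source is still caught), together with the signature-expiry window behind the 30-day key renewal he mentions in the reply, written up as an added Python example. This is not OpenNIC's own tooling. It assumes the root serial is in YYYYMMDDnn form (so "within a couple days" can be computed), treats the root RRSIG expiration timestamp as the thing to watch for lapsed signing, and answers every lookup from a constructed in-memory table with made-up server names so that it runs offline.

```python
"""Tier2 root-zone freshness check (added example, not OpenNIC's tooling).

Checks drawn from the thread:
  1. the SOA serial of "." on a tier2 server must be within a couple of
     days of the reference (NS0) serial -- assumes YYYYMMDDnn serials;
  2. a list of recently added TLDs must resolve (return NS records), which
     also catches a server that carries a different root source;
  3. the root RRSIG expiration must still be a safe margin away, so a
     missed key renewal is noticed before the signatures lapse.
Lookups go through an injectable lookup(server, name, rtype) callable; the
default answers come from the constructed table below.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

MAX_SERIAL_DRIFT_DAYS = 2   # "within a couple days of what NS0 has posted"
MIN_SIG_MARGIN_DAYS = 7     # hypothetical warning window before RRSIG expiry

# Constructed sample answers standing in for real DNS responses (server names
# are made up).  SOA -> serial int; NS -> list of names ([] = no answer);
# RRSIG -> signature expiration as ISO-8601 UTC text.
SAMPLE_ANSWERS = {
    ("ns0.example.test", ".", "SOA"): 2014091001,
    ("ns0.example.test", ".", "RRSIG"): "2014-10-20T00:00:00+00:00",
    ("tier2-good.example.test", ".", "SOA"): 2014090901,
    ("tier2-good.example.test", ".", "RRSIG"): "2014-10-20T00:00:00+00:00",
    ("tier2-good.example.test", "newtld.", "NS"): ["ns1.newtld."],
    ("tier2-good.example.test", "opennic-tld.", "NS"): ["ns1.opennic-tld."],
    # a server that stopped slaving the zone months ago: old serial, missing
    # a TLD added since, and signatures long expired
    ("tier2-stale.example.test", ".", "SOA"): 2014040101,
    ("tier2-stale.example.test", ".", "RRSIG"): "2014-05-15T00:00:00+00:00",
    ("tier2-stale.example.test", "newtld.", "NS"): [],
    ("tier2-stale.example.test", "opennic-tld.", "NS"): ["ns1.opennic-tld."],
}


def sample_lookup(server, name, rtype):
    """Offline stand-in for a DNS query; None means no answer."""
    return SAMPLE_ANSWERS.get((server, name, rtype))


def serial_to_date(serial):
    """Read a YYYYMMDDnn SOA serial as a date (an assumption about the zone)."""
    s = str(serial)
    if len(s) != 10:
        raise ValueError(f"serial {serial} is not in YYYYMMDDnn form")
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


@dataclass
class Report:
    server: str
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def check_tier2(server, reference, expected_tlds, lookup=sample_lookup,
                now=None, require_opennic_root=True):
    """Run the checks against one tier2 server and collect findings."""
    now = now or datetime.now(timezone.utc)
    rep = Report(server)

    if require_opennic_root:   # serial comparison only makes sense on one source
        ref_serial = lookup(reference, ".", "SOA")
        if ref_serial is None:
            raise RuntimeError(f"reference {reference} returned no root SOA")
        srv_serial = lookup(server, ".", "SOA")
        if srv_serial is None:
            rep.problems.append("no SOA answer for the root zone")
        else:
            drift = (serial_to_date(ref_serial) - serial_to_date(srv_serial)).days
            if drift > MAX_SERIAL_DRIFT_DAYS:
                rep.problems.append(
                    f"root serial {srv_serial} is {drift} days behind {ref_serial}")

    # TLD probes work even when the serial check is switched off.
    for tld in expected_tlds:
        if not lookup(server, tld, "NS"):
            rep.problems.append(f"TLD {tld} does not resolve")

    expires = lookup(server, ".", "RRSIG")
    if expires is None:
        rep.problems.append("root zone is not signed (no RRSIG)")
    else:
        margin = (datetime.fromisoformat(expires) - now).days
        if margin < MIN_SIG_MARGIN_DAYS:
            rep.problems.append(f"root RRSIG expires in {margin} days")
    return rep


def run_sample_checks(today="2014-09-11"):
    """Check both constructed servers as of `today`; map server -> problems."""
    now = datetime.fromisoformat(today + "T00:00:00+00:00")
    tlds = ["newtld.", "opennic-tld."]
    return {
        srv: check_tier2(srv, "ns0.example.test", tlds, now=now).problems
        for srv in ("tier2-good.example.test", "tier2-stale.example.test")
    }


if __name__ == "__main__":
    for srv, problems in run_sample_checks().items():
        print(srv, "OK" if not problems else "; ".join(problems))
```

To run this against real servers, replace `sample_lookup` with a callable built on a DNS library (for instance dnspython's `Resolver`, with its `nameservers` list pointed at the tier2 under test and `resolve()` used for the SOA, NS and RRSIG queries). Passing `require_opennic_root=False` gives the "stay open" variant from the post: the serial is ignored and only the TLD probes and signature margin decide.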

You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT
