Date:      Mon, 3 Mar 2014 14:37:42 +1100
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        Peter Wemm <peter@wemm.org>
Cc:        hubs@freebsd.org
Subject:   Re: Future of DNS, DNSSEC, country code delegations, etc.
Message-ID:  <20140303033742.GC1429@rwpc15.gfn.riverwillow.net.au>
In-Reply-To: <530C59D7.30204@wemm.org>
References:  <530C59D7.30204@wemm.org>


NB:  I have not discussed this with hostmaster@au.  The opinions below
     are my own as an active NS/www/cvsup mirror operator of 7 years'
     standing.

On Tue, 25 Feb 2014, 00:52 -0800, Peter Wemm wrote:
> We (with clusteradm@ hat on) have been looking at another round of broken
> mirrors, delegated DNS servers that have gone lame/missing, subzones that
> have gone missing. wwwN.freebsd.org / wwwN.cc.freebsd.org that now point to
> Ubuntu or Microsoft IIS pages, stale/missing ftp mirrors etc.

Thanks for this email Peter.  It's helpful.

You start by citing broken mirrors as a catalyst for your proposal and
then offer a proposal which only touches DNS.  Given that the cc zones
exist primarily for the purpose of supporting the regional mirror
infrastructure I don't think it makes sense to try to deal with the
issues separately: it makes the solution more complex (regional
co-ordinators) and prolongs the pain.

> There's also the DNSSEC and ipv6 reachability question.  Many of our
> cc.freebsd.org zones are ipv4-only and only one has DNSSEC signatures.

I know you're not singling anybody out but, just for the record,
au.FreeBSD.org asked 9 months ago if we could sign our zone and send you
DS records for DNSSEC delegation.  There's no point signing the cc zone
if we can't get delegation and, as far as I know, we never got an answer
on that.  Also, we have NS and www/ftp mirror coverage on IPv6.

...but never mind about any of that now.

> The question of what to do about it has come up many times inside
> clusteradm@/dnsadm@ and ideas have bounced around ranging from extremes like
> simply abandoning the whole *.cc.freebsd.org idea, through just taking them
> back, or simply letting them die and quietly deleting them when they go stale.
>
> I'm leaning towards a middle ground.  My preferred option at this point is
> to take the zones back so that we have a copy of the data within the core
> infrastructure, and switch to a regional coordinator model.  We kind of
> already have this, except when current regional coordinators move on, we
> tend to lose the data.

I actually think the middle-ground approach is inefficient and simply
prolonging the agony/problem.  All it does, really, is pull back the cc
zones (with history, which is a good thing) but leaves the rest of the
problem out there for even longer.

> We (freebsd.org) use ISC's global anycasted ISC-SNS dns servers.  In our
> experience they have excellent coverage around the world so we'd prefer to
> fold the *.cc.freebsd.org zone into the main freebsd.org zone (like
> wwwN.us.freebsd.org and ftpN.us.freebsd.org are right now).  Actual
> sub-zones could be done if there's a regional reachability problem but I
> would rather not unless we absolutely had to.

The ISC-SNS servers are, at best, ~200ms from Australia; but that is
better than we could expect from anything else inter-continental.

> Thoughts?  How can we make this work without provoking (too many) ruffled
> feathers?

Ruffled feathers and hurt feelings happen when folks are ignored or
trampled underfoot after years of devoting their time and resources to
help the Project.  An announcement (e.g. to freebsd-announce@) outlining
the new method of regional dissemination of the former regional mirror
content, which starts with an acknowledgement of all that's been done by
volunteers up until this point, and thanks them, would probably be a big
help.

For me, the hurt feelings thing happened back in August 2012 when we
realized there were new "plans" and we weren't allowed to go ahead and
provide an official regional svn mirror; but I think that was mostly
attributable to the fact that there had been no hint of any change in
policy until after we deployed that mirror.  Since learning about the
policy change, the only painful thing has been waiting for it to happen;
where "it" is all of the distribution being pulled back onto
Project-managed infrastructure.

Being the operator of the only CVSup mirror in the region, we have felt
obliged to keep going, notwithstanding the greatly diminished use and
value of the CVSup service since CVS-SVN migration.  I'd really like to
be told that the Project is managing all of this now and we don't need
to do it anymore.

I know that portsnap.FreeBSD.org has, for quite some time now, been
resolving to a local AWS EC2 instance in Sydney: I imagine that folks
who use portsnap would really appreciate that.  I keep looking to see if
local svn, ftp or other services have appeared.

I think it would be helpful to have the nearest official content
distribution servers pointed to by <cc>.FreeBSD.org domain names.  I'm
hoping that might be where things are heading; or will we just be doing
geolocation magic with <service>.FreeBSD.org?

Thank you clusteradm@, dnsadm@, and all involved in this infrastructure
planning and deployment.  I really hope that we can get new stuff in
place soon and move on.

--
John Marshall
