
Update on RIPE NCC Authoritative DNS Services

Romeo Zwart — 07 Apr 2016
Recently we have seen an increase in the frequency of excessive traffic towards the RIPE NCC DNS infrastructure. Our servers generally absorb peak loads without an impact on our DNS services. However, to be better prepared for extreme traffic floods, we will work with an external party to provide additional DNS service capacity for serving the ripe.net zone.

 

Over the last year we saw an increase in the frequency of excessive traffic towards the RIPE NCC DNS infrastructure. Our servers generally absorb peak loads without an impact on our DNS services. However, we have also seen some exceptional cases where there was a noticeable effect on our services. For example, in December we reported that DNS services were affected by an excessive load on our servers.

Our DNS services are run from two independent anycast server groups, one of which provides Root DNS Services (K-root). The other group supports our other DNS services, for example authoritative DNS for the ripe.net zone. We commonly refer to the latter as our AuthDNS cluster. The server group running K-root anycast is currently distributed over nearly 40 locations, while the AuthDNS services are provided from three locations.

We are preparing for further enhancements to both K-root and our AuthDNS clusters, to be better able to cater for high load events as mentioned above. These enhancements may include software changes as well as hardware and networking expansion in some or all of our service locations. We are also taking the opportunity to further harden our service platforms and reduce potential impact and attack surface where possible. We are currently investigating various options and expect to implement these improvements over the coming months.

However, in the case of the ripe.net zone, we already want to make sure that we have more than our normal over-provisioning in place in case of further extreme events. A service impact on our AuthDNS services could lead to collateral damage to other RIPE NCC services. We therefore want to have an overflow capability for our AuthDNS services in such cases.

We have decided to add third-party DNS services to augment our own service capacity for the ripe.net zone. We will have a fully open Call For Proposals (CFP) to provide these additional (secondary) DNS services. The CFP will be issued within the coming months.

However, while the CFP process is ongoing, we will already have a temporary solution in place. The temporary solution, provided by Cloudflare, will be implemented today, Thursday 7 April 2016. You will therefore see changes in the NS resource records for the ripe.net zone and a few of our other DNS zones. This temporary arrangement will be in place for a period of 6 months.

We welcome your feedback. Please send any remarks you have to romeo.zwart _at_ ripe _dot_ net.

2 Comments

Konstantin Bekreyev says:
26 Apr, 2016 01:19 PM
What about using CommunityDNS? http://cdns.net/

Romeo Zwart says:
26 Apr, 2016 01:40 PM
Hi Konstantin,
As mentioned in the article, there will be an open CFP to which any party will be welcome to respond.
Romeo