DNSOP Working Group                                          Wei Wang
Internet Draft                                             Zhiwei Yan
Intended status: Informational                                  NANEL
Expires: August 2015                                February 24, 2015


              A Survey of the DNS cache service in China
                   draft-wang-dnsop-cachesurvey-00.txt


Abstract

   A DNS cache directly serves the DNS queries from stub resolvers as
   the data source in a specified network area. At present, however,
   operators manage and run the cache service in a diversified manner.
   This is the main motivation for this survey report. Instead of
   regulating or specifying the operation of the DNS cache service, our
   aim is to investigate the situation of the DNS cache service (at
   least in mainland China) and to propose future operation
   recommendations with a solid practical foundation.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on August, 2015.

W. Wang et al.           Expires August, 2015                  [Page 1]

Internet-Draft        DNS cache service in China       February 24, 2015

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Survey respondents
   2. Survey results
      2.1. Overview
      2.2. Architecture improvement of recursive service
      2.3. Local cache service
         2.3.1. Root zone file cache
         2.3.2. TLD zone file cache
         2.3.3. TOP-N domain names cache
   3. Analysis
   Survey contributors
   APPENDIX: Recommendations
   Author's Address
   Acknowledgment

1. Survey respondents

   This survey covers three main Internet service providers (ISPs) in
   China and the top three recursive service providers in China, as
   follows:

   1) China Telecom Co. Ltd.
   2) China United Network Communications Group Co. Ltd.
   3) China Mobile Communications Co., Ltd.
   4) Qihoo 360 Technology Co. Ltd.
   5) Alibaba Group Holding Ltd.
   6) Tencent Holdings Ltd.

2. Survey results

   So as to present the survey results clearly and concisely, we
   select only the key results and list them with the analytical
   logic.

2.1. Overview

   In order to make this survey sound, the six most representative
   survey respondents are selected. Half of them are typical ISPs and
   the others are typical public recursive service providers in China.
   All six survey respondents deploy recursive service quite widely at
   a stable service scale. (In consideration of business secrecy, the
   geographical coverage, number of clients and service scale of the
   survey respondents are not given here, because it is inappropriate
   to show them together.)

2.2. Architecture improvement of recursive service

   To meet the respective demands of business operation and IT
   operation, recursive service operators have all adopted the same
   architecture model, transforming the classical textbook recursive
   server into a composite architecture consisting of three
   independent servers: an online cache, a recursive server and an
   offline (or backup) server. We denote this kind of recursive
   service architecture as "Big recursive service" in view of its
   large scale and serious influence, as shown in Figure 1.

                  +-----------------------+
                  |                       |
                  |      +-+-+-+-+        |
                  |      |Backup |        |
                  |      |server |        |
                  |      +-+-+-+-+        |
                  |          |            |
   +-+-+-+-+-+    | +-+-+-+-+ +-+-+-+-+-+ |    +-+-+-+-+-+-+-+
   |Stub     |    | |Online | |Recursive| |    |Authoritative|
   |resolver |------|cache  |-|server   |------|server       |
   +-+-+-+-+-+    | +-+-+-+-+ +-+-+-+-+-+ |    +-+-+-+-+-+-+-+
                  |                       |
                  | Big recursive service |
                  +-----------------------+

                 Figure 1. Big recursive service model

   Specifically, the online cache serves the stub resolvers directly,
   and the backup server is mainly used in the emergency case as a
   backup data source, while the recursive server fetches DNS data
   from the authoritative servers.

2.3. Local cache service

   All six survey respondents deploy the local cache service. Due to
   different business requirements, they all cache the TOP-N domain
   names, while three of them cache the root and TLD zone files as
   well. (We here use the term "local" to mark the administrative
   boundary of the service, such as the province region of an ISP,
   the coverage area of DNS end users, etc.)

2.3.1. Root zone file cache

   The three ISPs all cache the root zone file. The actual
   requirement for caching the root zone file is emergency response;
   it is not used for online service. For each ISP, the root zone file
   cache is deployed in one server instance in a shared manner (at
   province level) to cover all the recursive servers in its related
   autonomous area. The data is updated once per day from an open data
   source, but the integrity and correctness of the downloaded data
   are not verified (for example with DNSSEC).

2.3.2. TLD zone file cache

   The three ISPs all cache some TLD zone files. The actual
   requirement and deployment model of the TLD zone file cache are
   the same as in the case of the root zone file cache. The data is
   updated once per day from an open data source, but the integrity
   and correctness of the downloaded data are not verified (for
   example with DNSSEC).

2.3.3. TOP-N domain names cache

   All six survey respondents cache the resource records of TOP-N
   domain names. The selected TOP-N domain names differ between
   survey respondents, based on their respective online service logs
   and scale, but the number of cached domain names can vary from 1
   million to 100 million according to the number of end users and
   the business policy of the operator. The cached data is used
   directly to respond to requests from the stub resolvers in order
   to serve the stub resolvers most efficiently. Besides, with some
   respondents the cached data is maintained in an active manner; for
   example, some recursive servers anticipate the expiration of the
   cached data and fetch it without receiving an actual request from
   a client.

3. Analysis

   In the following, the positive and negative impacts of the "Big
   recursive service" on the DNS ecosystem are analyzed:

   1) Online cache

      a) Positive points: The online cache of the six survey
         respondents is very large, almost all above the million
         level. In this way, stub resolvers can be served efficiently
         and the impact of attacks towards the recursive server is
         reduced.

      b) Negative points: It breaks the balance of the classical DNS
         model, as the query volume at the authoritative server is
         inversely proportional to the cache scale. The number of
         queries decreases as the online cache grows. In an extreme
         case, the authoritative server would see only one request
         from China during a valid TTL period if a single online
         cache covered all DNS requests in China.

   2) Backup server

      a) Positive points: The backup server is maintained in order to
         recover the DNS resolution service in the emergency case.
         There are two types of data in the backup server: a) zone
         files (including the root and TLDs); b) a snapshot of the
         online service.

      b) Negative points: Currently, the backup server can be
         activated by the operator without notifying the related
         authoritative server. This means that the authoritative
         server is completely replaced by the backup server in the
         emergency area, and queries from that area drop steeply, even
         to zero.

   3) Recursive server

      a) Positive points: The load of the recursive server is
         decreased significantly, and it focuses only on the
         communication with the authoritative server. In this way, the
         operational and failure risk is reduced.

      b) Negative points: Due to the above-mentioned cache functions,
         the recursive server has degenerated into a "weak" tool,
         which only fetches and refreshes the authoritative data in
         the cache or helps with scheduling for some sophisticated
         applications like CDN service (e.g., directing the client to
         the suitable server instance according to the geographical
         location of the client). In this way, requests sent from the
         recursive server to the authoritative server may not actually
         be triggered by stub resolvers, or may be wholly simulated;
         this results in the distortion of the query behavior seen at
         the authoritative server, and the judgment of its
         administrator is affected correspondingly.

Survey contributors

   The following individuals served as experts and representatives of
   the survey respondents during the completion of this survey report.
   The contributions from their respective experience as stakeholders,
   corporate managers or technical experts provided essential guidance
   to the analysis and conclusions presented herein. Contributors may
   not agree with all the observations stated in the document, but all
   agree that it presents an important reference for succeeding work.
   In addition to those listed below, there were an equal number of
   contributors of equal stature whose names are not included for
   various reasons.

   Ziqian Liu
   China Telecom Co. Ltd.
   Email: liuzq@chinatelecom.com.cn

   Hailong Bai
   China United Network Communications Group Co. Ltd.
   Email: baihl@chinaunicom.cn

   Juan Zhang
   China Mobile Communications Co., Ltd.
   Email: zhangjuan@chinamobile.com

   Shuang Li
   Alibaba Group Holding Ltd.
   Email: shuang.ls@alibaba-inc.com

   Xiaohong Shi
   Qihoo 360 Technology Co. Ltd.
   Email: shixiaohong@360.cn

   Yougen Zou
   Tencent Holdings Ltd.
   Email: living_stone@114dns.com
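   The two effects described in Section 2.3.3 and Section 3 (the
   authoritative query volume falling as the online cache is
   consolidated, and prefetching producing authoritative queries that
   no stub resolver triggered) can be reproduced in a small
   discrete-time model. This is an added example, not code from the
   draft or from any surveyed operator; the cache model, the single
   constructed query name and all parameters are assumptions.

```python
"""Discrete-time model of a 'Big recursive service' online cache (added example)."""
from dataclasses import dataclass, field

NAME = "example.com."  # constructed query name; every client asks for it each tick


@dataclass
class OnlineCache:
    """One online cache instance; counts how many fetches reach the authoritative."""
    ttl: int
    prefetch: bool = False             # refresh just before expiry without a client query
    auth_queries: int = 0              # all fetches sent to the authoritative server
    client_triggered: int = 0          # fetches that a real stub query caused
    expires: dict = field(default_factory=dict)

    def lookup(self, name: str, now: int) -> None:
        exp = self.expires.get(name)
        if exp is None or exp <= now:    # miss or expired: fetch from authoritative
            self.auth_queries += 1
            self.client_triggered += 1
            self.expires[name] = now + self.ttl

    def tick(self, now: int) -> None:
        """Active maintenance (Section 2.3.3): refetch one tick before expiry."""
        if not self.prefetch:
            return
        for name, exp in self.expires.items():
            if exp == now + 1:
                self.auth_queries += 1   # not triggered by any stub resolver
                self.expires[name] = now + self.ttl


def simulate(num_caches: int, num_clients: int, seconds: int, ttl: int,
             prefetch: bool = False) -> tuple:
    """Return (authoritative queries, client-triggered queries) over the run.
    Clients are spread round-robin over the caches and each queries NAME once a tick."""
    caches = [OnlineCache(ttl, prefetch) for _ in range(num_caches)]
    for t in range(seconds):
        for c in range(num_clients):
            caches[c % num_caches].lookup(NAME, t)
        for cache in caches:
            cache.tick(t)
    return (sum(c.auth_queries for c in caches),
            sum(c.client_triggered for c in caches))


if __name__ == "__main__":
    # One shared cache vs. 100 independent caches, then the effect of prefetching
    print("1 cache:         ", simulate(1, 100, 3600, 300))
    print("100 caches:      ", simulate(100, 100, 3600, 300))
    print("1 cache+prefetch:", simulate(1, 100, 3600, 300, prefetch=True))
```

   With one shared cache the authoritative server sees one query per
   TTL regardless of client count, and with prefetching enabled only
   the very first of those queries was caused by a stub resolver.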
APPENDIX: Recommendations

   As emphasized in the abstract, this survey is motivated by the
   cooperation of cache services, and the following suggestions are
   proposed based on the above conclusions, in order to optimize the
   DNS cache service:

   1) Considering the wide deployment of the "Big recursive service"
      and its impacts mentioned above, a transparent, harmonious and
      win-win cooperation between authoritative server and recursive
      server is needed. Typically, the authoritative server may provide
      the recursive server with the latest authoritative data to
      improve the cache hit ratio and emergency response ability, and
      the recursive server may provide the authoritative server with
      local query statistics along with a normal NS or zone query, as a
      service optimization factor for the authoritative service
      operator.

   2) Operators individually manage the backup server mainly as an
      emergency response for the recursive service in their autonomous
      area. It is suggested that the local community should construct
      and maintain a trusted and shared backup server cooperatively; in
      this way, the emergency recovery function of the backup server
      can cover more recursive services. This trusted and shared backup
      server is the representative of the local community, and it is
      better placed to build up a more efficient and fluent scheme to
      manage and collect the backup data.

   (We herein only list the main suggestions to coordinate the
   recursive service. A detailed solution and service architecture
   will be proposed in the future. Of course, some operators may favor
   these ideas, but they do not need to be standardized.)

Author's Address

   Wei Wang
   NANEL (Naming & Addressing National Engineering Lab)
   No.4 South 4th Street, Zhongguancun
   Beijing, P. R. China
   Email: wangwei@cnnic.cn

   Zhiwei Yan
   NANEL (Naming & Addressing National Engineering Lab)
   No.4 South 4th Street, Zhongguancun
   Beijing, P. R. China
   Email: yanzhiwei@cnnic.cn

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.