Date: Mon, 3 Mar 2014 14:37:42 +1100
From: John Marshall
To: Peter Wemm
Subject: Re: Future of DNS, DNSSEC, country code delegations, etc.
Message-ID: <20140303033742.GC1429@rwpc15.gfn.riverwillow.net.au>
In-Reply-To: <530C59D7.30204@wemm.org>
Cc: hubs@freebsd.org

NB: I have not discussed this with hostmaster@au. The opinions below are my own as an active NS/www/cvsup mirror operator of 7 years' standing.

On Tue, 25 Feb 2014, 00:52 -0800, Peter Wemm wrote:
> We (with clusteradm@ hat on) have been looking at another round of broken
> mirrors, delegated DNS servers that have gone lame/missing, subzones that
> have gone missing. wwwN.freebsd.org / wwwN.cc.freebsd.org that now point to
> Ubuntu or Microsoft IIS pages, stale/missing ftp mirrors etc.

Thanks for this email Peter. It's helpful.

You start by citing broken mirrors as a catalyst for your proposal and then offer a proposal which only touches DNS. Given that the cc zones exist primarily for the purpose of supporting the regional mirror infrastructure I don't think it makes sense to try to deal with the issues separately: it makes the solution more complex (regional co-ordinators) and prolongs the pain.

> There's also the DNSSEC and ipv6 reachability question. Many of our
> cc.freebsd.org zones are ipv4-only and only one has DNSSEC signatures.

I know you're not singling anybody out but, just for the record, au.FreeBSD.org asked 9 months ago if we could sign our zone and send you DS records for DNSSEC delegation. There's no point signing the cc zone if we can't get delegation and, as far as I know, we never got an answer on that. Also, we have NS and www/ftp mirror coverage on IPv6.

...but never mind about any of that now.

> The question of what to do about it has come up many times inside
> clusteradm@/dnsadm@ and ideas have bounced around ranging from extremes like
> simply abandoning the whole *.cc.freebsd.org idea, through just taking them
> back, or simply letting them die and quietly deleting them when they go stale.
>
> I'm leaning towards a middle ground. My preferred option at this point is
> to take the zones back so that we have a copy of the data within the core
> infrastructure, and switch to a regional coordinator model. We kind of
> already have this, except when current regional coordinators move on, we
> tend to lose the data.

I actually think the middle-ground approach is inefficient and simply prolonging the agony/problem. All it does, really, is pull back the cc zones (with history, which is a good thing) but leaves the rest of the problem out there for even longer.

> We (freebsd.org) use ISC's global anycasted ISC-SNS dns servers. In our
> experience they have excellent coverage around the world so we'd prefer to
> fold the *.cc.freebsd.org zone into the main freebsd.org zone (like
> wwwN.us.freebsd.org and ftpN.us.freebsd.org are right now). Actual
> sub-zones could be done if there's a regional reachability problem but I
> would rather not unless we absolutely had to.

The ISC-SNS servers are, at best, ~200ms from Australia; but that is better than we could expect from anything else inter-continental.

> Thoughts? How can we make this work without provoking (too many) ruffled
> feathers?

Ruffled feathers and hurt feelings happen when folks are ignored or trampled underfoot after years of devoting their time and resources to help the Project. An announcement (e.g. to freebsd-announce@) outlining the new method of regional dissemination of the former regional mirror content, which starts with an acknowledgement of all that's been done by volunteers up until this point, and thanks them, would probably be a big help.

For me, the hurt feelings thing happened back in August 2012 when we realized there were new "plans" and we weren't allowed to go ahead and provide an official regional svn mirror; but I think that was mostly attributable to the fact that there had been no hint of any change in policy until after we deployed that mirror. Since learning about the policy change, the only painful thing has been waiting for it to happen; where "it" is all of the distribution being pulled back onto Project-managed infrastructure. Being the operator of the only CVSup mirror in the region, we have felt obliged to keep going, notwithstanding the greatly diminished use and value of the CVSup service since CVS-SVN migration. I'd really like to be told that the Project is managing all of this now and we don't need to do it anymore.

I know that portsnap.FreeBSD.org has, for quite some time now, been resolving to a local AWS EC2 instance in Sydney: I imagine that folks who use portsnap would really appreciate that. I keep looking to see if local svn, ftp or other services have appeared. I think it would be helpful to have the nearest official content distribution servers pointed to by .FreeBSD.org domain names. I'm hoping that might be where things are heading; or will we just be doing geolocation magic with .FreeBSD.org?

Thank you clusteradm@, dnsadm@, and all involved in this infrastructure planning and deployment. I really hope that we can get new stuff in place soon and move on.

--
John Marshall