PING

APNIC
Feb 7, 2024 • 54min

DNS is the new BGP

In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses the role of DNS in directing where your applications connect to, and where content comes from. Although this is more “steering” traffic than “routing” it in the strict sense of IP packet forwarding (that’s still the function of the Border Gateway Protocol, or BGP), it does in fact represent a kind of routing decision: selecting a content source or server logistically “best” or “closest” to you. So in the spirit of “Orange is the new Black”, DNS is the new BGP.

As this change in delivery of content has emerged, the effective control on this kind of routing decision has also become more concentrated, into the hands of the small number of at-scale Content Distribution Networks (CDN) and associated DNS providers worldwide. This is far fewer than the 80,000 or so BGP speakers with their own AS and represents another trend to be thought about. How we optimise content delivery isn’t decided in common amongst us; it’s managed by simpler contractual relationships between content owner and intermediaries.

The upside of course remains the improvement in efficiency of fetch for each client, the reduction in delay and loss. But the evolution of the Internet over time and the implications for governance in “steering” decisions is going to be of increasing concern.

Read more about Geoff’s views of Concentration in the Internet, Governance, and Economics on the APNIC Blog and at APNIC Labs:

- DNS is the new BGP
- Internet Governance in 2023
- On Internet Centrality and Fragmentation
- The Internet as a Public Utility
- An Economic Perspective on Internet Centrality
- Looking at Centrality in the DNS
Jan 24, 2024 • 38min

Global Cyber Alliance Measurements

In this episode of PING, Leslie Daigle from the Global Cyber Alliance (GCA) discusses their honeynet project, measuring bad traffic internet-wide. This was originally focussed on IoT devices with the AIDE project but is clearly more generally informative. Leslie also discusses the quad-nine DNS service, GCA’s domain trust work and the MANRS project. Launched in 2014 with support from ISOC, MANRS now has a continuing relationship with GCA and may represent a model for the routing community regarding the ‘bad traffic’ problem which the AIDE project explores.

Leslie has a long history of work in the public interest, as Chief Internet Technology Officer of the Internet Society, and with the IETF. She is currently the chair of the MOPS working group, has co-authored 22 RFCs and was chair of the IAB for five years.

Read more about GCA, AIDE, domain trust and honeynets:

- The Global Cyber Alliance (GCA)
- The AIDE programme at GCA
- Domain Trust at GCA
- Honeynet tagged blog entries at APNIC
Jan 10, 2024 • 56min

IPv6 Fragmentation and the DNS

In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses the change in IP packet fragmentation behaviour adopted by IPv6, and the implications of a change in IETF “Normative Language” regarding use of IPv6 in the DNS.

IPv4 arguably succeeds over so many variant underlying links and networks because it’s highly adaptable to fragmentation in the path. IPv6 has a proscriptive requirement that only the end hosts fragment, which limits how intermediate systems can handle IPv6 data in flight. In the DNS, increasing complexity from things like DNSSEC means that DNS packet sizes are getting larger and larger, which risks invoking the IPv6 fragmentation behaviour in UDP. This has consequences for the reliability and timeliness of the DNS service.

For this reason, a revision of the IETF normative language (the use of capitalised MUST, MAY, SHOULD and MUST NOT) directing how IPv6 integrates into the DNS service in deployment has risks. Geoff argues for a “first, do no harm” approach to this kind of IETF document.

Read more about IPv6, Fragmentation, the DNS and Geoff’s measurements on the APNIC Blog and APNIC Labs:

- IPv6, the DNS and Happy Eyeballs
- How we measure DNSSEC Validation
- DNS is the new BGP
- To DNSSEC or Not
Dec 6, 2023 • 30min

The ICANN DNS stats collector system

In this episode of PING, Sara Dickinson from Sinodun Internet Technologies and Terry Manderson, VP, Information Security and Network Engineering at ICANN, discuss the ICANN DNS stats collector system, which ICANN commissioned and Sinodun wrote for them.

This system consists of two parts: a DNS stats compactor framework, which captures data in the C-DNS format (a specified set of data in CBOR format), and the DNS stats visualiser, which uses Grafana. The C-DNS format is not a complete packet capture but allows the recreation of all the DNS context of the query and response. It was standardised in 2019, in an RFC authored by Sara, her partner John, Jim Hague, John Bond and Terry.

Unlike DSC, which is a 5 minute sample aggregation system, this system is able to preserve a significantly larger amount of the seen DNS query information and can even be used to re-create an on-the-wire view of the DNS (albeit not 1 to 1 identical to the original IP packet flows).

Read more about the systems, and IMRS online:

- RFC8618 Compacted-DNS (C-DNS): A Format for DNS Packet Capture
- The ICANN GitHub repository for DNS Stats
- ICANN Managed Root Server (IMRS)
Nov 22, 2023 • 1h 17min

Low Earth Orbit and the TCP congestion control problem

In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses the rise of Low Earth Orbiting (LEO) satellite-based Internet, and the consequences for end-to-end congestion control in TCP and related protocols.

Modern TCP has mostly been tuned for constant delay, low loss paths and performs very well at balancing bandwidth amongst the cooperating users of such a link, achieving maximum use of the resource. But a consequence of the new LEO Internet is a high degree of variability in delay and loss, and consequently an unstable bandwidth, which means TCP congestion control methods aren’t working quite as well in this kind of Internet.

A problem is that, with the emergence of TCP bandwidth estimation models such as BBR, and the rise of new transports like QUIC (which continue to use the classic TCP model for congestion control), we have a fundamental mismatch in how competing flows try to share the link. Geoff has been exploring this space with some tests from Starlink home routers, and models of satellite visibility. His Labs Starlink page shows a visualisation of behaviour of the Starlink system, and a movie of views of the satellites in orbit.

Read more about TCP, QUIC, LEO and Geoff’s measurements on the APNIC Blog and APNIC Labs:

- APNIC Labs measurements of Starlink (2023, Geoff Huston)
- Comparing TCP and QUIC (November 2022, Geoff Huston)
- Testing LEO and GEO Satellite Services in Australia (May 2022, Geoff Huston)
- Transport Protocols and the Network (May 2021, Geoff Huston)
- Congestion Control at IETF110 (March 2021, Geoff Huston)
Nov 8, 2023 • 33min

Negative Caching of DNS Resolution Failures

In this episode of PING, Verisign fellow Duane Wessels discusses a late-stage (version 08) Internet draft he’s working on with two colleagues from Verisign. The draft is on Negative Caching of DNS Resolution Failures and is co-authored by Duane, William Carroll, and Matt Thomas.

This episode discusses the behaviour of the DNS system overall in the face of failures to answer. There are already mechanisms to deny the existence of a queried name or a specific resource type. There are also mechanisms to define how long this negative answer should be cached, just as there are cache lifetimes defined for how long to hold valid answers, things that do exist, and have been supplied.

This time, it’s a cache of not being able to answer. The thing asked about? It might exist, or it might not. This cached data isn’t saying if it does exist or not; it’s caching a failure to be able to answer. As the draft states: “… a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data’s existence.”

Prior DNS specifications did provide guidance on caching in the context of positive responses and negative responses, but the only guidance relating to failing to answer was to avoid aggressive re-querying of the nameservers that should be able to answer.

Read more about the draft, and other DNS-related work by Duane on the APNIC Blog:

- The draft Negative Caching of DNS Resolution Failures (2023, Version 08)
- Adding ZONEMD protections to the root zone (2023, APNIC Blog post)
- [Podcast] Adding ZONEMD protections to the root zone (2023, related podcast on PING)
- [Podcast] A look back at notable root zone changes (Duane discusses three significant root zone changes over the last decade)
Oct 25, 2023 • 1h 20min

What really happened — 30 years of APNIC

In this episode of PING, instead of a conversation with APNIC’s Chief Scientist Geoff Huston, we’ve got a panel session from APNIC56 he facilitated, where Geoff and six guests got to discuss the 30 year history of APNIC.

With Geoff on the panel were:

- Professor Jun Murai, known as the ‘father of the Internet’ in Japan. In 1984, he developed the Japan University UNIX Network (JUNET), the first-ever inter-university network in that nation. In 1988, he founded the Widely Integrated Distributed Environment (WIDE) Project, a Japanese Internet research consortium, for which he continues to serve as a board member. Along with Geoff, Jun was one of the main progenitors of what became APNIC.
- Elise Gerich, a 31 year veteran of Internet networking, is recognised globally for her significant contributions to the Internet. Before retiring, Elise was President of PTI and prior to that, Vice President of IANA at ICANN. Elise served as the Associate Director National Networking at Merit Network in Michigan. While at Merit she was also a Principal Investigator for NSFNET’s T3 Backbone Project and the Routing Arbiter Project and was responsible for much of the early address management impetus which led to the creation of the RIR system.
- David Conrad, previously the Chief Technology Officer of ICANN, who was involved in the creation of APNIC as its first full-time employee and founding Director-General.
- Akinori Maemura, the JPNIC Chief Policy Officer, and a member of the APNIC EC for 16 years, 13 of which he was Chair of the EC.
- Gaurab Raj Upadhaya, Head of WWW Video Delivery Strategy, Prime Video at Amazon. Gaurab has been active in the Internet community for more than a decade and like Akinori served on the APNIC EC for 12 years, 7 of these as Chair of the EC.
- Paul Wilson has more than thirty years’ involvement with the Internet, including 25 years’ experience as the Director General of APNIC.

The panel discussed the early years of the Internet and the processes which led to the creation of APNIC, along with some significant moments in the life of the registry.
Oct 11, 2023 • 35min

Where in the world is Carmen Santiego's Data Centre?

In this episode of PING, Stephen Song discusses his work mapping the Internet. This is a long-term project, which he carries out alongside and supported by Mozilla Corporation, and the Association for Progressive Communications (APC).

Stephen has long championed the case for Open Data in telecommunications decision-making and maintains a list of resources for capacity building and development of the Internet with a particular focus on Africa.

The combination of some opaque business practices and the change from end delivery to mediated proxies from the content distribution network model raises questions about where the things users engage with and depend on are, so network infrastructure can be efficiently and openly planned. The latest episode of PING explores the issues inherent in understanding ‘where things are’ in the modern Internet.

Explore Stephen’s resources:

- Many Possibilities website
- Connectivity indexes, maps, and reports (GitHub)
- Open Data map of Content Distribution Networks around the world
- After Fibre
- Village Telco
Sep 27, 2023 • 1h 5min

How APNIC Labs measures the world using adverts

In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses the technique APNIC Labs uses to measure end user behaviour in the global Internet. This is probably the only worldwide web advert-based measurement system in continuous use since 2010.

Originally written in Adobe Flash, the system is now coded in JavaScript and HTML5, and continuously samples as many as 25 million users per day, across mobile devices and desktop PCs, Android, iPhone and Chromebook.

The system was first designed to inform the community on the rate of IPv6 deployment. The APNIC Labs measurements now encompass IPv6, RTT, HTTP/3 (QUIC) adoption, DNSSEC, use of public DNS resolvers, IPv6 EH support and RPKI validation, amongst other measurements.

Data is available at a per-economy and per-AS (origin-AS) level, both as a web view and as JSON downloads. No end user identifying material is held, or distributed in any way. The measurement program is generously supported by Google, ICANN and APNIC.

Read more about some recent research outcomes from the Labs advert on the APNIC Blog:

- Measuring the use of DNSSEC (September 2023, Geoff Huston)
- Measuring NXDOMAIN responses (July 2023, Geoff Huston)
- A Further Update on IPv6 Extension Headers (June 2023, Geoff Huston)
- A second look at QUIC use (September 2022, Geoff Huston)
Sep 13, 2023 • 30min

DASH sees a large route leak in Singapore

In June of this year, the Dashboard for AS Health or DASH, a service operated by APNIC, saw a leak of approximately 260,000 BGP routes from a vantage point in Singapore, and sent alerts to around 90 subscribers to our routing mis-alignment notification service, which is part of DASH.

BGP is the state of announcements made and heard worldwide, calculated by every BGP speaker for themselves, and although it’s globally connected and represents “the same” network, not everyone sees all things, as a result of filtering and configuration differences around the globe. BGP also should align with two external information systems: the older Internet Routing Registry (IRR) system, which uses a notation called RPSL to represent routing policy data, including the “route” object, and Resource Public Key Infrastructure or RPKI, which represents the origin-AS (in BGP, who originates a given prefix) in a cryptographically signed object called a ROA. The BGP prefix and origin (the route) should align with what’s in an IRR route object and an RPKI ROA, but sometimes these disagree. That’s what DASH is designed to do: tell you when these three information sources fall out of alignment.

I discussed this incident, and the APNIC Information Product family (DASH, a collaboration with RIPE NCC called NetOX, and the delegation statistics portal called REX) with Rafael Cintra, the product manager of these systems, and with Dave Phelan, who works in the APNIC Academy and has a background in Network Routing Operations.

You can find the APNIC Information products here (note that the DASH service needs a MyAPNIC login to be used):

- https://dash.apnic.net the DASH portal login page (MyAPNIC resource login needed)
- https://netox.apnic.net NetOX the Network Observatory web service
- https://rex.apnic.net Resource Explorer: delegation statistics for the world

And you can read about the Information Products family in these blog articles:

- New Alert Options for DASH
- Routing Status added to DASH
- Suspicious Traffic Alerts added to DASH
- Using DASH to rank economies by suspicious traffic
- How DASH helps monitor Network Health
- Worldwide REX
- Introducing REX a new approach for the internet directory
- Hands-On with APNIC’s NetOX
