Wednesday, November 20, 2013

New DNS Top Level Domains

If you follow DNS news, you may know that ICANN has put in place a program to introduce many new generic top level domains (GTLD) into the DNS. I haven't been a fan. ICANN says there is market demand for GTLD expansion (perhaps), and that it allows innovation in the DNS ecosystem (how?). It probably will have an effect of diluting the entrenched market power of the big TLD operators (.com, .org etc), which may be a good thing. But the system may end up being primarily a significant financial windfall for ICANN. Even Esther Dyson (original ICANN chair) has spoken out against the program.

There appear to be some trademark protection mechanisms built in to the new system. But it seems clear that many organizations will rush to defensively register their names under some of the new TLDs. Strictly speaking, DNS domain names have no intended or actual relation to trademarks, but we have to deal with the real world. My university's upper administration has already contacted the IT department to discuss the topic. A while back, we defensively registered "" to protect against possible reputational damage (and no, I wasn't involved in that decision).

On a more technical note, one interesting and welcome feature of the new GTLDs, is that they must be deployed with DNSSEC. This should significantly increase the proportion of signed top level domains in the DNS. My dnsstat DNS monitoring site has been monitoring the TLDs for a while now, and I just updated it with the latest list of TLDs.

Since late August, 32 new TLDs have been introduced, 27 normal GTLDs, 5 IDN (Internationalized domains) TLDs. But 11 IDN TLDs have also disappeared. That's a net gain of 21 TLDs, bringing the total count to 339.

Some DNSSEC specific stats: 143 (or 42.2%) of the TLDs are signed with DNSSEC. Here's a breakdown of type key and zone signing algorithms in use for the signed TLDs:

Key Signing Keys (KSK):
RSASHA256 (8) = 119 (63.0%)
RSASHA512 (10) = 6 (3.2%)
RSASHA1 (5) = 16 (8.5%)
RSASHA1-NSEC3-SHA1 (7) = 48 (25.4%)

Zone Signing Keys (ZSK):
RSASHA256 (8) = 133 (62.4%)
RSASHA512 (10) = 8 (3.8%)
RSASHA1 (5) = 17 (8.0%)
RSASHA1-NSEC3-SHA1 (7) = 55 (25.8%)

Note: new GTLDs continue to be added, so the numbers in this article might be out of date soon.

Here are the added TLDs so far (as of November 20th 2013):

+ bike
+ camera
+ clothing
+ construction
+ contractors
+ diamonds
+ directory
+ enterprises
+ equipment
+ estate
+ gallery
+ graphics
+ guru
+ holdings
+ kitchen
+ land
+ lighting
+ photography
+ plumbing
+ sexy
+ singles
+ tattoo
+ technology
+ tips
+ today
+ ventures
+ voyage

Here are the new IDN TLDs:

+ xn--80asehdb
+ xn--80aswg
+ xn--mgba3a4f16a
+ xn--ngbc5azd
+ xn--unup4y

Here are the deleted IDN TLDs:

- xn--0zwm56d
- xn--11b5bs3a9aj6g
- xn--80akhbyknj4f
- xn--9t4b11yi5a
- xn--deba0ad
- xn--g6w251d
- xn--hgbk6aj7f53bba
- xn--hlcj6aya9esc7a
- xn--jxalpdlp
- xn--kgbechtv
- xn--zckzah

Note: one IDN TLD (xn--l1acc) has had a severely busted DNSSEC deployment for a while. My monitoring system detects that its DS records in the root of the DNS do not match any DNSKEY records in the zone, and furthermore, the signatures on the DNSKEY records have expired. I hope they get their act together soon.

--Shumon Huque

Saturday, November 16, 2013

Penn wins NSF Campus CyberInfrastructure Award

A while back in a blog article on our 100 Gigabit Ethernet campus upgrades, I mentioned that Penn had applied for a National Science Foundation (NSF) CC-NIE grant to enhance campus network infrastructure for research purposes.

We did in fact win an award. Here's the official notice from NSF. It's about $500,000 which will be used to deploy a dedicated high performance router for researchers and bump up our external connectivity to Internet2 to 100 Gbps. I hope to provide more updates as we begin deploying the necessary pieces of equipment.

--Shumon Huque

An excerpt from the award notice:


The University of Pennsylvania's central computing organization is partnering with leading campus researchers in engineering, physics, biology, pathology, genomics, bioinformatics, and computer science to optimize the campus network in support of big data research and high-performance computing. This project establishes a 100 Gbps-capable Science DMZ that is distinct from the general purpose campus network and is engineered for research applications. Additionally, it extends 10 Gbps connectivity to select research projects and increases Penn's connection to Internet2 from 1 Gbps to 100 Gbps, while also extending that connection to the Science DMZ. The project also lays the foundation for further enhancements to research networking infrastructure by extending IPv6 capabilities; upgrading network monitoring tools such as perfSONAR; and enhancing Penn's ability to support experimental networks and network architectures, including OpenFlow and Software Defined Networking.

The project will benefit a range of scientifically meritorious research. It will provide support for the large-scale data transfer, processing, and storage needs of researchers across Penn, while supporting intra- and inter-institutional collaborations and the broad dissemination of research results. Rather than focusing on the logistics of data storage and transfer, researchers will be able to concentrate on the transformation of these data into the information that will drive new discoveries and the creation of new technologies, drugs, therapies, and cures. Network enhancements will also support Penn's commitment to integrating research and education by supporting the network needs of the cross-disciplinary Penn Institute for Computation Science that where faculty actively integrate computation-based research with the training of future generations of STEM researchers.