Transcript ccTLD Best Practices

ccTLD Best Practices
Michuki Mwangi
AfriNIC5 - INET/AfTLD Meeting, Balaclava, Mauritius
30th Nov 2006
Agenda
1.
ccTLD Establishment
2.
Policy Development
3.
Registry Automation
4.
Stability and Redundancy
5.
Security Consideration
ccTLD Establishment
Considerations

Stakeholder participation





Involvement of Private sector
Academia
Civil Society
Legal fraternity
Government participation

Government support
Considerations …(cont’d)

Domain Registry Model



Open or Closed
Registry/Registrar etc
Sustainability & Commercial Model



Cost of registration
CAPEX
OPEX
Policy Development
Bottom up process

Open Public forums

Mailing lists

Interactive media

Registry/Board proposals
Registry Automation
Registry Software

Identifying the appropriate Registry Software


Avoid re-inventing the wheel


Saves on time and development costs
Online System


Guided by Registry model and policies
Online Registrations, Transfers etc
Whois System
Monitoring & Statistics



Its important to monitor Registry Services
 Ensures more uptime on services
Open Source applications available for monitoring
 E.g Nagios, MRTG, webalizer, cflowd, etc
Statistics enables projection and planning for growth
Stability & Redundancy
Selection of Slave DNS Servers

RFC 2182 (BCP16) provides guidelines
on selection of Secondary (slave)
Servers.





Consider geographic placement
At least 2 Slave Servers and a master
This helps spread name resolution load
Improves efficiency with servers close to
resolvers
Avoid NAT
Finding Suitable Slave Servers



Swap slave servers with other ccTLDs in the
region (Common practice).
AfTLD, ISOC can help find suitable hosts and
organizations to host Slave servers.
Consider Anycast hosting for slave servers
www.pch.net
Hardware and Software



Scalability is Key
Provide sufficient memory, processor
and disk space.
DNS Software should be fast and
capable of handling load (multiple
queries per second)
Internet Connection




Ensure upstream provider must be multihomed
Interconnect at the local/national IXP
Registry should have redundant links to
upstream provider
Provider Independent (PI) IP address Space
and ASN to enable for effective multi-homing
Security Considerations
Best Practice

Implement routing security features

Operating system hardening

Disable Recursion

Have a Stealth Server

Run secure applications

Run TSIG for secondary zone transfers
References


http://ws.edu.isoc.org/workshops/2006/PacNOG2/tra
ck1/day3/draft-wenzel-cctld-bcp-02.txt
http://www.pch.net/resources/papers/anycastservices/

www.isc.org

ftp://ftp.rfc-editor.org/in-notes/rfc2182.txt

www.aftld.org
Thank you
www.aftld.org