Created March 8, 2023 20:18
My Attempt at BCP Section Breakdown
## Introduction
[In which we include some motivations about the document, who it is for, explain how it is organized, and offer a money-back guarantee.]
* Audience
  - Anonymous/Public
  - Account
  - Contract - Employees/Students
## Random, unsorted list of things to consider
## Systems
* Resilience
  - Diversity of software, geography, topology.
  - (D)DoS measures, such as filtering/rate-limiting traffic, both authoritative and client sides
  - Security best practices (keep stuff updated, follow CERTs, and so on)
  - Platforms (it's all Unix these days)
* Capacity
  - CPU/network
  - Multi-layer caching
  - How to estimate
  - Bare metal vs. VM vs. containers, self-hosted vs. hosted vs. cloud
## Network
* Resilience
  - Diversity of software, geography, topology.
  - RPKI, other BGP tricks
  - Common HA designs in DNS resolver space
* Anycasting
  - Why and how (especially problems with listing multiple resolvers in user configurations).
  - Other options to anycasting?
## DNS Services
* Software Considerations
  - Open Source advantages (and disadvantages), licenses
  - Custom tweaks/implementations
* Knobs to tweak in the DNS
  - TTL limits (max & min)
  - Local root (and maybe local TLD?)
    - [RFC8806](https://www.rfc-editor.org/rfc/rfc8806.html)
  - Verify root zone with ZONEMD
    - [RFC8976](https://www.rfc-editor.org/rfc/rfc8976.html)
  - EDNS0 sizes to minimize fragmentation, especially for IPv6
  - Aggressive NSEC caching
    - [RFC8198](https://www.rfc-editor.org/rfc/rfc8198.html)
  - QNAME minimization
    - [RFC7816](https://www.rfc-editor.org/rfc/rfc7816.html)
  - Negative trust anchors
    - [RFC7646](https://www.rfc-editor.org/rfc/rfc7646.html)
  - TTL record pre-fetch
  - EDNS client subnet
    - [RFC7871](https://www.rfc-editor.org/rfc/rfc7871.html)
  - DNS cookies shared secret
    - [RFC7873](https://www.rfc-editor.org/rfc/rfc7873.html)
  - DoT
    - [RFC7858](https://www.rfc-editor.org/rfc/rfc7858.html)
  - DoH
    - [RFC8484](https://www.rfc-editor.org/rfc/rfc8484.html)
  - DoQ
    - [RFC9250](https://www.rfc-editor.org/rfc/rfc9250.html)
  - Trust anchor reporting
  - DNS error reporting
    - [draft-ietf-dnsop-dns-error-reporting](https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting)
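As an added illustration of how several of the knobs above fit together on one resolver (this is not part of the gist or of any BCP text): an Unbound configuration fragment covering rate limiting, TTL limits, EDNS0 size, aggressive NSEC caching, QNAME minimisation, prefetch, a negative trust anchor, DNS cookies with a shared secret, trust anchor signaling, DoT service, and a ZONEMD-verified local root. Option names are Unbound's; the certificate paths, the insecure domain, the cookie secret, and the choice of root-zone transfer sources are placeholders to adapt to your deployment.

```conf
server:
    # Serve clients over Do53 and DoT (RFC 7858); key/cert paths are placeholders.
    interface: 0.0.0.0
    interface: 0.0.0.0@853
    tls-port: 853
    tls-service-key: "/etc/unbound/resolver-key.pem"
    tls-service-pem: "/etc/unbound/resolver-cert.pem"

    # (D)DoS measures: per-zone and per-client query rate limits.
    ratelimit: 1000
    ip-ratelimit: 100

    # TTL limits (max & min): bound how long answers stay in cache.
    cache-max-ttl: 86400
    cache-min-ttl: 0

    # EDNS0 buffer size chosen to avoid IPv6 fragmentation.
    edns-buffer-size: 1232

    # Aggressive NSEC caching (RFC 8198) and QNAME minimisation (RFC 7816).
    aggressive-nsec: yes
    qname-minimisation: yes

    # TTL record pre-fetch: refresh popular entries (and DNSKEYs) before expiry.
    prefetch: yes
    prefetch-key: yes

    # Negative trust anchor (RFC 7646): treat one broken domain as insecure
    # instead of returning SERVFAIL; the name is a placeholder.
    domain-insecure: "broken-dnssec.example"

    # DNS cookies (RFC 7873) with a shared secret so all anycast instances
    # accept each other's cookies; the hex value is a placeholder.
    answer-cookie: yes
    cookie-secret: "000102030405060708090a0b0c0d0e0f"

    # Trust anchor reporting (RFC 8145 key tag signaling).
    trust-anchor-signaling: yes

# Local root (RFC 8806): keep a copy of the root zone, verified with ZONEMD (RFC 8976).
auth-zone:
    name: "."
    primary: b.root-servers.net
    primary: c.root-servers.net
    primary: xfr.lax.dns.icann.org
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonemd-check: yes
    zonemd-reject-if-absent: no
    zonefile: "/var/lib/unbound/root.zone"
```

With `fallback-enabled: yes` the resolver falls back to querying the root servers normally if the transferred zone is missing or fails the ZONEMD check, so a verification failure degrades to the conventional path rather than an outage.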
## Policies etc
- Diversity of organizations, legal frameworks
* Privacy & anonymity
  - Logging considerations
  - How to handle user accounts
* Filtering
  - Legally required blocking (how to figure out which applies to any given query?)
  - RPZ-based filtering
  - Opt-in/opt-out mechanisms
* Transparency
  - Policies
  - Finances, ownership, and so on
  - Outages
  - Statistics
* Finances
  - How to pay for all of this?
* Communication channels
  - Web page
  - E-mail (DANE protected)
  - Security reporting channels
  - Regular reports
  - Snarky Mastodon intern completely optional