Trust and Internet Identity Meeting Europe
Feb 2020: Workshops and Unconference

A higher ED – Route 53

(Heather Flanagan)

Route 53 and Higher Education

Proposers: Heather Flanagan, Leif Johansson

This came from a discussion of the RA21 IdP Persistence Service. We want multiple CDNs and no dependency on any one organization. We want fairly complex rules on routing.

If we were to do this with a commercial provider, we could possibly use Route 53. After discussions with Netnod, it sounds like Netnod’s service, despite being anycast, is geared towards fairly static zones rather than significant business logic.

Is it worth it? One opinion: it is not worth reinventing Route 53. The traffic won’t be high, but the resilience would be important. Still, Amazon has more resources to do this right.

The question is whether the functionality is there to let us load balance between CDNs. You can do anything you want; what Amazon has is very powerful.

Route 53 is only related to your resolver, which may be OK, as we’re looking at hosting a zone. Suggestion: register your own zone and use Route 53 for your booster. But does Route 53 allow you to set policy rules? Yes: geo rules, load balancing weights, health checks on endpoints, etc. Cost is $1 per six million queries. Look closely at the traffic prices with Amazon, as they might have some hidden costs. Be very specific about what’s needed and what the scenarios are that might move you from one tier to the next.
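To make the policy-rule question concrete, here is an added example (not code from the meeting, from Route 53, or from any project discussed) of the change batch one would submit to Route 53 to spread a single discovery hostname across two CDNs with weighted routing and per-CDN health checks. The hostnames, weights, hosted zone id and health-check ids are constructed placeholders; the `boto3` submission at the bottom runs only when credentials and a zone id are supplied.

```python
"""Build a Route 53 change batch that spreads one hostname across several CDNs.

Added example for the TIIME notes; not code from the meeting, Route 53 or any
project discussed there. Assumptions, all constructed for illustration:
  - hosted zone id and health-check ids are placeholders,
  - the CDN hostnames are fictitious,
  - submission to AWS happens only when run as a script with HOSTED_ZONE_ID set.
"""
import json
import os

# Constructed sample: one entry per CDN. Route 53 weights are relative integers
# (0-255), not percentages. Weighted records with a failing health check are
# left out of answers, so an unhealthy CDN drops out without a zone edit.
CDNS = [
    {"id": "cdn-a", "target": "discovery.cdn-a.example.net.", "weight": 60,
     "health_check_id": "PLACEHOLDER-HC-ID-A"},
    {"id": "cdn-b", "target": "discovery.cdn-b.example.net.", "weight": 40,
     "health_check_id": "PLACEHOLDER-HC-ID-B"},
]


def weighted_record(name, cdn, ttl=60):
    """One UPSERT for a weighted CNAME record set tied to a health check."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "CNAME",
            "SetIdentifier": cdn["id"],   # must be unique among records of this name
            "Weight": cdn["weight"],
            "TTL": ttl,                   # short TTL so failover is quick
            "ResourceRecords": [{"Value": cdn["target"]}],
            "HealthCheckId": cdn["health_check_id"],
        },
    }


def build_change_batch(name, cdns, ttl=60):
    """Assemble the ChangeBatch for change_resource_record_sets, with sanity checks."""
    if not name.endswith("."):
        raise ValueError("use a fully qualified name ending in '.'")
    if len({c["id"] for c in cdns}) != len(cdns):
        raise ValueError("SetIdentifier must be unique per record set")
    if not all(0 <= c["weight"] <= 255 for c in cdns):
        raise ValueError("Route 53 weights must be in the range 0-255")
    if sum(c["weight"] for c in cdns) == 0:
        raise ValueError("at least one CDN needs a non-zero weight")
    return {"Comment": "weighted CNAME across CDNs with health checks",
            "Changes": [weighted_record(name, c, ttl) for c in cdns]}


def health_check_config(fqdn, path="/healthz"):
    """HealthCheckConfig for create_health_check: HTTPS probe of a CDN endpoint.
    RequestInterval must be 10 or 30 seconds; FailureThreshold is 1-10."""
    return {
        "Type": "HTTPS",
        "FullyQualifiedDomainName": fqdn,
        "Port": 443,
        "ResourcePath": path,
        "RequestInterval": 30,
        "FailureThreshold": 3,
    }


def expected_share(cdns):
    """Fraction of answers each CDN should receive while all are healthy."""
    total = sum(c["weight"] for c in cdns)
    return {c["id"]: c["weight"] / total for c in cdns}


if __name__ == "__main__":
    batch = build_change_batch("discovery.example.org.", CDNS)
    print(json.dumps(batch, indent=2))
    print("expected share while healthy:", expected_share(CDNS))
    zone_id = os.environ.get("HOSTED_ZONE_ID")   # placeholder; not a real zone
    if zone_id:
        import boto3  # assumed installed and configured with credentials
        boto3.client("route53").change_resource_record_sets(
            HostedZoneId=zone_id, ChangeBatch=batch)
```

The same batch can carry geolocation records (replace `Weight` with a `GeoLocation` block) to realise the "geo rules" mentioned in the notes; the health-check attachment and short TTL are what give the automatic failover between CDNs, and the query count the weights imply is what to feed into the cost estimate.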

Another issue might be trust. Does Higher Ed feel the need for additional control over critical DNS zones? NRENs do different things, which gives enough impetus to do our unique set of services ourselves.

Consider what kind of service we’re trying to provide, and what issues we’re trying to resolve. Will it be better to invest in our localized infrastructure, or pay money to Amazon?

How to load balance between multiple DNS anycast servers? By using tools outside of DNS. But if you use BGP, then you’re back to your own DNS and your own Route 53.

One use case for doing our own is Discovery. Are there any other use cases? Services that we cannot let outside our networks. Managing the large data flows in research (unsure if there is a DNS aspect to this, but if this can help pull off any HA needs, that will help). Any other infrastructure built across CDNs where you have DNSSEC requirements.

If we did do our own anycast service, NRENs would all have to agree to point their AS to it.

What about how much infrastructure is already built on AWS? How does that tie into the Route 53 services?

Is there a China aspect to this? Are there any blocking issues? There’s just no telling what China will block from one day to the next. They do have a cloud hosting service, but you must be in China to purchase into it.

Cloudflare may have equivalent services to Route 53 - something to consider.

Are there any requirements for DNSSEC or dynamically signed zones? Note that Route 53 will not support DNSSEC (it is very hard to do key management, so this isn’t a surprise). We don’t know that this will be a requirement for the discovery use case.

How much does the R&E community need another trust anchor in DNS? With a hierarchical federation concept in OIDC, you must get to the root, and that’s the DNS query. This might be a use case, though there is likely not one route that will act as a failure point.