DENIC wants to be ready for future business models and, in addition, wants to improve the operational excellence of its processes. DENIC therefore decided to speed up zone propagation so that a domain is served at the nameserver sites within a few minutes, or faster, of its registration. This should be a substantial improvement in user experience for registrars and domain holders. To reach this goal, we developed a completely renewed signing cluster with the following requirements:
- High update throughput (up to 4000 updates/min at peak)
- High availability (3 nodes per data centre)
- Open-source signing software
- Cost efficiency (alternatives to expensive HSMs; total hardware cost in the range of 50-60k Euro)
To fulfil these requirements we built a signing cluster based on Kubernetes, dynamic DNS updates (RFC 2136) and Knot DNS as the signing software.
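As an added illustration of the mechanism named above, and not DENIC's actual configuration (the abstract does not show any), the following Knot DNS configuration lets a zone accept TSIG-authenticated dynamic updates and re-signs every change automatically under a DNSSEC policy. The zone name, key name, secret, algorithm choice and all lifetimes are assumptions chosen for this example.

```yaml
# Added example, not from the talk or from DENIC: a Knot DNS zone that is
# changed only through RFC 2136 dynamic updates and signed automatically.
# Zone name, key name, secret and timings are illustrative assumptions.

server:
    listen: [ 0.0.0.0@53, ::@53 ]

# TSIG key that every update client (e.g. nsupdate) must sign requests with.
# The secret is a dummy value (base64 of "do-not-use"); generate a real one
# with `keymgr -t updater`.
key:
  - id: updater
    algorithm: hmac-sha256
    secret: ZG8tbm90LXVzZQ==

# Update rights are granted only to holders of the key above; an ACL entry
# without a key would accept updates from any source address it matches,
# so every production update ACL should be key-bound.
acl:
  - id: update_from_registry
    key: updater
    action: update

# DNSSEC policy: ECDSA P-256 keeps signatures small and signing cheap, a
# short RRSIG lifetime bounds the damage of a leaked ZSK, and the
# propagation delay tells the key rollover logic how long the secondaries
# may lag behind.
policy:
  - id: fast_signing
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    zsk-lifetime: 30d
    rrsig-lifetime: 7d
    rrsig-refresh: 2d
    propagation-delay: 1h
    nsec3: on
    cds-cdnskey-publish: rollover

zone:
  - domain: example.de
    storage: /var/lib/knot
    file: example.de.zone
    acl: update_from_registry
    dnssec-signing: on
    dnssec-policy: fast_signing
    # Keep all changes in the journal and never rewrite the zone file, so a
    # stream of small updates does not turn into full zone-file rewrites;
    # the journal is then the authoritative record of the zone's changes.
    journal-content: all
    zonefile-load: difference-no-serial
    zonefile-sync: -1
    # A time-based serial cannot collide when updates arrive rapidly from
    # several nodes.
    serial-policy: unixtime
```

With this in place a registry component submits a change with `nsupdate -y hmac-sha256:updater:ZG8tbm90LXVzZQ==`, sending an `update add` / `update delete` batch followed by `send`; Knot applies it, re-signs only the affected RRsets and bumps the serial, and the secondaries receive the change by NOTIFY and IXFR. Knot's default keystore holds the signing keys as PEM files on disk, which is the software alternative to an HSM; a `keystore` section with `backend: pkcs11` is what an HSM-backed setup would use instead.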
During development, several core questions had to be reopened, such as:
- Security requirements and concerns
- Whether to validate the zone before propagation or asynchronously afterwards
- Whether to run the cluster in a Kubernetes environment at all
- How to meet the propagation-time goal
- ... and many more.
On the way to this fast cluster we had many challenges to master, and we learned once again how strong the DNS community is and what we can achieve together when we share information and cooperate. With this presentation we want to give these experiences back to the community.
Talk duration: 30 minutes