Routing Policy Change for AS20115 Charter/Spectrum

With the activation of the Hurricane Electric POP in Reno, NV the time has finally come to turn down our transit connection to AS20115 Charter/Spectrum. We’ve given our required 30 day termination notice to Charter/Spectrum effective today, April 9, for a end of service date of May 10, 2019.

In the meantime, our routing policy for AS20115 will change to that of a local peering type connection for data collection purposes. We’re curious how much utilization we will see if we restrict it for its last month. Incoming announcements from AS20115 will be filtered with an as-path-access-list of “permit ^20115$” and outgoing announcements will be tagged with community 20115:666 (Do not advertise outside of Charter AS). We will also move the physical connection away from the border router where our policy is one provider per router – a role now assigned to Hurricane Electric on that router – and over to our core peering router. With these filters we only expect to see about 2700 IPv4 prefixes. Charter’s IPv6 BGP session is broken again, but it’s not worth the fight to fix it so this exercise will be IPv4 only.

While we would like to maintain a regional peering connection with Charter/Spectrum, our previous account reps were not able to understand our needs (and our customer’s needs) to successfully negotiate a renewal for interconnection and peering over simply “buying internet”, the latter of which is no longer interesting to us as a colocation datacenter operator.

UPDATE: Effective 4/10/2019, AS20115 has been moved to our core peering router where it will remain until it’s shut down for good.

UPDATE 2: As soon as our Any2 peering port is ready we will remove our connection to Charter/Spectrum. (5/7/2019)

UPDATE 3: Shut down BGP to AS20115. (5/8/2019)

UPDATE 4: Our port to AS20115 Charter/Spectrum is now unplugged and cross connects removed: disconnect complete. (5/8/2019)

Checking DNSSEC Domains

Recently we’ve started to receive support requests about DNS problems that turn out to be broken DNSSEC. Unfortunately we can’t fix DNSSEC problems on external domains, but you can run the following tests:

These tools will also show if a domain does not have DNSSEC. Running DNSSEC checks is particularly handy when using another tool that is not DNSSEC aware. Test tools that are not DNSSEC aware may return false positives when validation is broken.

Primary DNS DNSSEC Supported Algorithms Update

We’ve made a few changes to the DNSSEC Supported Algorithms.

  • Added support for ECDSA P-256 with SHA256
  • Added support for ECDSA P-384 with SHA384
  • Removed ECC-GOST (algorithm 12) as an option for KSK and ZSK

RFC6986 deprecates the use of GOST R 34.11-2012, and the Algorithm Implementation Requirements and Usage Guidance for DNSSEC intends to move DNSSEC ECC-GOST support in signers to the ‘MUST NOT’ category. Existing GOST keys should be rolled to another key type.

Quad9 DNS

Have you tried Quad9 DNS 9.9.9.9 yet? It’s run by PCH Global, they’ve got a local node right here in Reno, and they’re peered on TahoeIX.

  • Set your DNS server to 9.9.9.9 to use Quad9 DNS
  • Quad9 has IPv6 support at 2620:fe::fe
  • Quad9 supports DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net
  • Quad9 also supports DNS over HTTPS using the query https://dns.quad9.net/dns-query

For more information see https://www.quad9.net/faq/

Charter Second Maintenance Attempt

Charter (Spectrum) has notified us they’re going to try maintenance again Thu 6 Dec 2018 12:00 AM – Fri 7 Dec 2018 6:00 AM with a claimed 240 minutes loss of service during this timeframe.

Since the previous attempt went extremely poorly and resulted in 57 hours loss of service, we can only hope their maintenance group is prepared for this second attempt. We will provide updates as necessary.

UPDATE 12/6/2018: Charter (Spectrum) tried to migrate our circuit again, and now IPv6 is broken due to BGP failing to establish.

UPDATE: Charter (Spectrum) IPv6 BGP was finally restored on December 10 at 22:01.