
DATASHEET

Authoritative Name Server Premier (ANSP)


AUTHORITATIVE DNS FOR ALWAYS-ON INTERNET PRESENCE
Authoritative DNS servers are a critical first step to configure, publish, and distribute access to IP services, making them visible and available. The user experience with an IP service relies on access to authoritative name servers, which provide quick and consistent access to addressing or other information needed to reach the service. Availability and performance as well as security are essential to ensuring a positive end user experience. Massive scaling and simplified management through integration and automation are necessary to maximize operational efficiency.

Authoritative Name Server Premier (ANSP) is Nominum's high-end software-only DNS authoritative name server. Based on the industry-leading ANS, ANSP includes support for multimastering that allows two servers to act as masters for the same zone. This eliminates single points of failure in the DNS, which is especially needed for Dynamic DNS (DDNS). ANSP leads the industry with 100% uptime and resilient, secure, high-performance authoritative DNS services. In addition, ANSP provides completely integrated, automated, lifecycle management of DNSSEC and transforms its deployment from a labor-intensive, error-prone exercise into a process that is as simple as managing unsigned DNS data.

Unlike general-purpose DNS servers, Nominum ANS Premier is designed and optimized specifically for the authoritative DNS function with performance and scaling that are unmatched. Proven management features help administrators readily support the most complex network environments while minimizing operational overhead.

ANSP is also the right choice to meet government regulations mandating support for Domain Name System Security Extensions (DNSSEC). Nominum software makes it easy to achieve the highest level of security against attacks that tamper with or hijack DNS data for government domains.

KEY FEATURES
- Software-only solution for authoritative DNS function, choice of OS and hardware
- Proprietary database optimized for scaling to a billion resource records
- Dual active masters that mirror DNS updates with no loss for data resiliency
- Network visibility and event awareness into DNS queries and trends
- High DNS query transaction rate of over 100K QPS with millisecond latency
- On-the-fly DNS zone updates without requiring server restart
- Fast reload time even with the highest number of resource records
- Full compliance with DNSSEC standards and optional DNSAUTH to secure DNS data and communication links
- Automated DNSSEC lifecycle management
- Templating to easily replicate common zone configuration elements
- IPv6 support

[Figure labels: Internet Subscribers, DNS Queries, Vantio Caching DNS, Authoritative DNS, Nominum Global Network]

High Performance and Availability

End user growth, new applications and services, increasing traffic, and changing Internet usage patterns as well as next-generation network architectures all place new demands on the DNS infrastructure. ANS was designed for performance and specifically targeted at carrier grade DNS services. Unlike common industry practice, Nominum developed two entirely independent solutions for authoritative (ANSP) and caching (Vantio).

© 2010 Nominum, Inc. All rights reserved. Nominum, Navitas, Vantio, Centris and TRUE Architecture are registered trademarks of Nominum, Inc.


By building ANSP exclusively as an authoritative server, Nominum was able to achieve levels of performance and scalability not possible in dual-purpose name servers. Nominum VDB (Versioned Database) is the underpinning of all Nominum authoritative DNS offerings. VDB uses a unique in-memory process that makes data instantly available for queries and allows for automatic recovery and near instantaneous restart in the event of server failure. Superior design also allows ANS to support high update rates reliably with DDNS. As demonstrated in more than 140 major networks around the world, Nominum software and services deliver consistent, high-performance, low-latency DNS solutions. Nominum's patented performance algorithms and other innovative technologies make it the undisputed performance leader.

DOMAIN OWNER BENEFITS


- 100% uptime for Internet presence
- Nonstop operation even during in-service maintenance and updates
- Real-time visibility into DNS query trends and activity
- Lossless DDNS updates to support VoIP and other critical services
- Zero operational overhead to sign zones with DNSSEC
- Elimination of risk associated with DNSSEC adoption
- Simple operation and maintenance using programmatic APIs
- Easy migration of DNS data from legacy servers
- High scalability eliminates the need to subdivide zone data into multiple masters
- Patch avoidance due to DNS vulnerabilities unrelated to authoritative servers

Resilient and Secure Operations


ANSP offers carrier-grade reliability and availability, creating the foundation for always-on services. With a hardened DNS engine, ANSP can be updated without service interruption or downtime, maintaining continuous and consistent service levels. Unlike other DNS engines that handle queries linearly, ANSP uses patented algorithms that monitor and manage system resources under both normal and load conditions to deliver consistent performance. As a result, ANSP can withstand increased query loads from DoS attacks or virus/worm replication without failures. Memory and CPU consumption remain low, even under load. In customer tests, ANSP has proven to be significantly more resilient to DoS attacks than other DNS engines. From a security perspective, ANSP shares no known vulnerabilities with open source software.

Multimastering Support
In the past, master authoritative nameservers were a single point of failure. When one failed, updates could not be propagated to slave nodes, and thus not reflected in the network. Active-standby designs or other techniques to address this problem introduce complexity, unacceptable delay or synchronization problems. This is incompatible with IP services that require frequent changes to DNS data while maintaining 100% uptime. Multimastering (MM) is unique to Nominum, allowing two active authoritative name servers to serve as masters for the same zone. As with existing master servers, each can have multiple slave servers. Multimastering is configured using federations that define groups of ANSP master authoritative name servers that exchange zone information. Zone information added in one multimaster name server using Dynamic DNS or manual updates is instantly synchronized to other multimaster name servers in a federation. Multimastering relies on DNS serial numbers to synchronize data between servers exchanging zones. Servers are instantly and seamlessly synchronized with the same data and do not require a restart. This is vital for services with a real-time component such as VoIP, or to facilitate disaster recovery efforts. Only one live master is required for DNS service, including updates, to be available. Multimastered servers also provide service in the event a network is partitioned, with separated masters serving data to their respective partitions. When a failed master recovers or partitioned masters are rejoined, they automatically synchronize with peers.

Real-Time Network Visibility and Event Awareness


ANSP is built on an extremely high-performance database designed by Nominum for optimal query handling. Visibility and awareness capabilities leverage the ANSP database to collect, correlate, and aggregate DNS query data. The data can either be logged for offline analysis or live query traffic can be analyzed. Monitoring is offloaded to a separate process to eliminate any impact on fast path query handling in multiprocessor systems. Filters can be used to screen data for specific attributes of interest.

Analysis capabilities include fine-grained query data such as:

- Most or least active clients
- Query counts per domain or per time
- Query rates per domain or per time
- Activity of rogue recursive servers

Query streams can also be replayed. The combination of all of this data can be used for planning, tracking, usage trends, forensics or other purposes.

END USER BENEFITS

- Fast access to favorite web sites
- Instant network response for any application
- Always-on service for any device attached to the network
- No network slowdowns, even during peak periods
- No risk of reaching a spoofed or fake web site
- DNS resolution continues even if the network is under attack

Powerful Management Capabilities


Nominum is the industry leader in enhanced DNS management features and functionality. ANSP tools deliver unsurpassed DNS management functionality to simplify network operations, planning and provisioning, and zone data management.

- Zone templates simplify the configuration and ongoing maintenance of DNS zones.
- ANSP versioning increments and journals all changes to DNS data, making updates or rollback to prior configurations a straightforward exercise.
- The Command Line Interface supports real-time configuration and updates without service interruption.
- Detailed zone and view reporting help administrators understand and maintain DNS configuration.
- Split-DNS views allow segmentation of resources that are available to different communities, such as internal and external users.
- Nominum tools for provisioning and managing zone data and ANSP servers simplify manageability of DNS services.

DNSSEC Integration and Automation


DNSSEC offers superior protection against cache poisoning by cryptographically protecting DNS data. Until now this has required major changes to well-established procedures for rapidly and reliably updating servers. Further, DNSSEC is extremely intolerant of improper or incomplete configuration, which results in loss of connectivity to affected resources. Nominum has addressed these challenges with integration and automation of the critical functions needed to deploy DNSSEC. New ANSP features integrate and automate all of the functions needed for complete lifecycle management of DNSSEC data. Key generation, signing of DNS data, loading signed zones, key rollover and sharing trust anchors are integrated in ANSP. Processes that were previously multi-step, manual operations, can now be executed with a single command that creates keys for signing, signs the data, and installs the protected file for use on the ANSP server. The high degree of automation makes handling signed DNSSEC data as simple as handling unsigned, unprotected data - with all the attendant accuracy and reliability so that Internet resources are always available.

DNSSEC Online and Offline Signing


ANS supports both online and offline signing modes. The online mode offers a completely integrated DNSSEC platform with all of the authoritative DNS functions as well as automated lifecycle management of DNSSEC data. ANS can also perform signing on the fly for DDNS data. These powerful capabilities, implemented on standard hardware, completely eliminate the need for external signing appliances and the associated limitations of proprietary hardware and operating systems.


Offline signing is preferred in environments where network owners want private keys used for signing DNS data to be separated from DNS servers. Offline signing takes advantage of a subset of ANSP software, with complete DNSSEC lifecycle management, running on an external server. The protected data is then transferred to another instance of ANS that serves queries, thus eliminating the need for proprietary signing appliances.

DNSSEC Performance and Scale


Signing of zones is a compute-intensive process. The ANS signing process is multithreaded so in multicore platforms a processor can be dedicated to answering queries and additional processors can be allocated for the signing function. This ensures queries are always answered with high performance and predictable latency. At the same time, signing is not only out of the fast path, but gets additional computing horsepower.

Another major issue with DNSSEC is that signed DNS data is 8–10 times larger than unsigned data. This has implications for server hardware. Nominum's ANS was developed with a purpose-built database that makes extremely efficient use of memory. Implementing DNSSEC on a Nominum authoritative DNS server has far less impact on memory. This means that DNSSEC can be deployed on existing hardware without impacting performance or exceeding memory limitations of typical platforms.

DNSAUTH
DNSAUTH is a protocol developed by DNS experts at Nominum to secure DNS data while maximizing compatibility with existing DNS infrastructure. It extends Nominum's leading DNS defenses by securing communication links between Vantio caching servers and ANSP authoritative servers. DNSAUTH relies on authentication of the authoritative server and optional encryption of DNS responses in transit between caching and authoritative servers. Cryptographic protection of DNS links introduced with DNSAUTH makes it statistically impossible for an attacker to compromise the DNS data. It is fully compatible with DNSSEC.

An Architecture for the Future


ANSP has unique capabilities that today's Internet demands. Designed for carrier-grade services, it provides the essential foundation of high performance, massive scalability and security as well as support for new protocols like IPv6 and DNSSEC. Supporting tomorrow's advanced services will require new features like multimastering to assure instant availability of DNS data even through failure of a master authoritative server with no performance degradation. Enhancing DNS security without increasing operational overhead (and risk) will require the significant improvements Nominum has made in ANSP to integrate and automate deployment of DNSSEC. As a long-term participant in standards development, Nominum has a deep commitment to enhance and extend DNS capabilities to facilitate the delivery of high-value network services and ANSP will always be at the forefront of the new Internet.
