Difference between revisions of "Research:Beacon"

From sanctions
Line 10: Line 10:
 
[https://lookup.icann.org/lookup?q=sanctions-beacon.com&t=a '''sanctions-beacon.com''']
 
[https://lookup.icann.org/lookup?q=sanctions-beacon.com&t=a '''sanctions-beacon.com''']
  
Each will be set up to host the necessary responders, on two different independent network connections, using IP addresses not in any of our beacon IP address blocks. We will presumably need to get TLS certs for them as well.  Because these should be blocked by name ''and not'' by number, we will also host positive beacons on the same servers (which should be visible, although resources identified by the beacon domains should ''not'' be visible).  Depending upon the decision of the policy group on the matter of [[Policy:More Specific Domains|more specific domain names]], we may also want to host separate beacons on more-specific subdomains, c.f. http://more-specific.sanctions-beacon.net.
+
Each will be set up to host the necessary responders, on two different independent network connections, using IP addresses not in any of our beacon IP address blocks. We will presumably need to get TLS certs for them as well.  Because these should be blocked by name ''and not'' by number, we will also host positive beacons on the same servers (which should be visible, although resources identified by the beacon domains should ''not'' be visible).  Depending upon the decision of the policy group on the matter of [[Policy:More Specific Domains|more specific domain names]], we may also want to host separate beacons on more-specific subdomains, c.f. http://more-specific.sanctions-beacon.net. We may also need two other ("negative") domains, to host on the same IP addresses as these, which should '''not''' be blocked, to make sure that it's the domain, not the IP, that's being blocked.
  
 
{{plainlist|
 
{{plainlist|
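Review bot: the sentence added at the end of the paragraph introduces "negative" domains that are hosted on the same IP addresses and should not be blocked, but the same paragraph already promises "positive beacons on the same servers (which should be visible ...)". Both labels describe names on the beacon hosts that must stay reachable, so the paragraph now has two terms for what reads as one control. Suggest either using a single term or stating how a "negative" domain differs from a "positive beacon". The unchanged "c.f." before the more-specific URL also reads as "e.g." and could be fixed in the same revision.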

Revision as of 09:42, 18 April 2022

The design of the beacon, which will be used to verify the operation and reach of the program, is currently being worked out on the mailing list and will be described here when it reaches stable consensus. It is intended to allow independent verification of IPv4 and IPv6 routing and domain name resolution, and to be robust against orthogonal DNSSEC validation errors.

Generally, our goal is to use two of each type of beacon, on independent and unrelated infrastructure, with one strobing on a one-hour period.

Domain Beacon

As of March 27, 2022, we have two domain name beacons. They are:

sanctions-beacon.net
sanctions-beacon.com

Each will be set up to host the necessary responders, on two different independent network connections, using IP addresses not in any of our beacon IP address blocks. We will presumably need to get TLS certificates for them as well. Because these should be blocked by name and not by number, we will also host positive beacons on the same servers (which should be visible, although resources identified by the beacon domains should not be visible). Depending upon the decision of the policy group on the matter of more specific domain names, we may also want to host separate beacons on more-specific subdomains, e.g. http://more-specific.sanctions-beacon.net. We may also need two other ("negative") domains, hosted on the same IP addresses as these, which should not be blocked, to make sure that it's the domain, not the IP, that's being blocked.
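An added example (not part of this page or of the project's tooling) of the comparison the paragraph above sets up: probe the beacon name and a control name hosted on the same addresses, and attribute a failure to the name only when the control still answers. Port 443, the 192.0.2.x and 198.51.100.x documentation addresses, the sample observations and the verdict strings are assumptions.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Probe:
    """What one vantage point saw for one hostname."""
    resolved_ip: Optional[str]  # None: the name did not resolve
    connected: bool             # True: a TLS handshake carrying the name completed

def probe(name: str, port: int = 443, timeout: float = 5.0) -> Probe:
    """Live measurement. Port 443 is assumed; the page only says TLS certs are needed."""
    try:
        ip = socket.getaddrinfo(name, port, proto=socket.IPPROTO_TCP)[0][4][0]
    except socket.gaierror:
        return Probe(None, False)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            # server_hostname puts the name in SNI, so name-based filtering is exercised.
            with ssl.create_default_context().wrap_socket(raw, server_hostname=name):
                return Probe(ip, True)
    except OSError:  # covers timeouts, resets and TLS failures
        return Probe(ip, False)

def classify(beacon: Probe, control: Probe, expected_ips: Set[str]) -> str:
    """Compare the beacon name with a control name served from the same addresses."""
    control_ok = control.resolved_ip in expected_ips and control.connected
    beacon_ok = beacon.resolved_ip in expected_ips and beacon.connected
    if not control_ok:
        # The shared address is unreachable or misresolved: the name cannot be blamed.
        return "inconclusive: control unreachable"
    if beacon_ok:
        return "not blocked"
    if beacon.resolved_ip not in expected_ips:
        return "blocked by name (DNS)"      # no answer, or a rewritten answer
    return "blocked by name (connection)"   # resolves correctly, handshake fails

# Constructed observations (beacon, control) from four hypothetical vantage points.
EXPECTED = {"192.0.2.10"}
SAMPLES = {
    "vp-a": (Probe(None, False), Probe("192.0.2.10", True)),
    "vp-b": (Probe("192.0.2.10", False), Probe("192.0.2.10", True)),
    "vp-c": (Probe("192.0.2.10", False), Probe("192.0.2.10", False)),
    "vp-d": (Probe("198.51.100.1", True), Probe("192.0.2.10", True)),
}

def verdicts() -> dict:
    return {vp: classify(b, c, EXPECTED) for vp, (b, c) in SAMPLES.items()}
```

The "inconclusive" verdict is the case the control exists for: without it, a blocked or unrouted IP address would be indistinguishable from a blocked name.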

IPv4 Beacon

As of April 11, 2022, we've received the two independent IPv4 /24 beacon subnets for which we performed an 8.4 inward transfer. They are:

IPv6 Beacon

As of April 7, 2022, we've received the two independent IPv6 /48 beacon subnets that we applied for. They are:

ASN Beacon

As of April 5, 2022, we've received both the 16-bit and 32-bit beacon ASNs we requested. They are: