DNS Monitoring Service for TLD Administrators: Service description

Daniel Karrenberg,
Ruud de Kooter,
Henk Uijterwaal
RIPE NCC

Document ID: ripe-342
Date: 22 February 2005

1. Introduction

The Domain Name System (DNS) is a hierarchical and distributed
database that translates domain names into IP addresses. Almost every
application on the Internet uses DNS; it is a key element in the
Internet infrastructure. At the top of the DNS hierarchy, there are
thirteen root servers, known as a.root to m.root. These are located at
various places all over the world.

For the DNS service to work properly, two things are essential: the
server machines should be working correctly and the clients using the
server should be able to reach it through the network. Monitoring the
latter is difficult, as the clients can be thousands of kilometres and
a few dozen network hops away.

The RIPE NCC has offered the Test Traffic Monitoring (TTM) Service as
a membership service since late 2000. For the TTM service, we
installed measurement probes (called Test Boxes or TBs) at sites all
over the world. The operators of these sites are usually referred to
as "Test Box Hosts". The original idea was to use these TBs to
measure performance between sites hosting a TB. In early 2003, it
became clear that the boxes could also be used to monitor the
performance of other services, for example DNS. We developed software
to carry out these measurements, giving sites hosting Test Boxes an
overview of the connectivity to each of the root servers. This feature
is called DNSMON.

By grouping the data collected for DNS by root server, instead of by
TB, it is possible to obtain an overview of the connectivity of the
root server itself. While this may not be of interest to the Test Box
Hosts, it is very interesting to the operator of the root server. It
provides an overview of the connectivity of their server measured from
more than 100 locations. By combining the data with topology
information it can give a strong indication of the location of a
connectivity problem. We also realised that this technique was not
limited to the root servers but that we could also apply it to TLD
servers. The ccTLD community expressed strong interest in doing
this. This resulted in the development of the DNSMON service.

DNSMON provides a comprehensive, objective and up-to-date overview of
the quality of the service offered by high-level DNS
servers. Currently these are the root servers and some interested TLD
administrators' servers. DNSMON is built on top of the TTM
infrastructure. The service has already been running in test mode for
several months. The RIPE NCC will offer this as a production service
in early 2005.

The main users of the DNSMON data will be:

    * the Test Box Hosts,
    * the operators of the root servers and TLD servers,
    * the Internet community in general.

In the first two cases, the users of the data will often rely on it
for their daily operations and will need technical support for the
service. The RIPE NCC will incur additional costs to provide this
support and will need to recover these costs. This generates certain
expectations for the quality, reliability and support of the DNSMON
service.

In case of the Test Box Hosts, a formal agreement [RIPE297] describing
the responsibilities and obligations of both parties exists. As DNSMON
is another instance of a network performance related measurement,
RIPE297 covers the DNSMON service as well and there is no need to sign
a new contract with the TB Hosts. This paper meets the need for a
similar document for TLD Administrators.

The outline of the remainder of this document is as follows: Section 2
contains an informal overview of the service and explains what a TLD
Administrator can expect when subscribing to the service in plain
language. Section 3 and the appendices contain the text of the
contract that will have to be signed when a TLD Administrator
subscribes to the DNSMON service.

2. Global description of the service

There are two components in the DNSMON setup:

   1. The Test Boxes. These monitor the DNS servers by sending queries to them.
  
   2. The central machine that collects the data from the Test Boxes,
      generates plots and presents them to the users.

Only the central machine is under the direct control of the RIPE NCC
in this setup. The RIPE NCC aims to ensure that this machine is
always working correctly.

The TB hosts, not the RIPE NCC, own and operate the TBs. If a TB is
down, it will not collect data. In this case, the central machine will
be unable to present data from this particular TB. The RIPE NCC
monitors the performance of the TBs, reporting any problems on a daily
basis. Fixing problems requires effort from the host. It is reasonable
to expect that sites hosting a TB would respond to such requests - as
they are interested in the data and pay the RIPE NCC a fee for
collecting it. This, however, is beyond the control of the RIPE NCC.

When subscribing to the DNSMON service, a TLD Administrator can expect:

   1. As many TBs as possible will be used to monitor the servers of
      that TLD during a given time period.

   2. Early access to the data. The TLD Administrators will have
      access to the data as soon as it is collected; the public will
      only have access to the data after two hours. This gives the TLD
      Administrator an opportunity to solve problems. TLD
      Administrators will also have posting rights to a mailing list,
      used to inform the public of problems, solutions and
      workarounds.

   3. Help desk support. In case of a problem, the TLD Administrator
      will be able to contact the RIPE NCC who will try to resolve the
      problem with the service as soon as possible. In addition, when
      "unusual" effects are seen in the data, the RIPE NCC will help
      the TLD Administrator to investigate them.

The RIPE NCC incurs additional costs to offer these services. These
costs will be charged to the TLD Administrators. A TLD Administrator
using this service and hosting a TB will not have to pay a service
fee for the TB.

The RIPE NCC will include the servers of a TLD in the service if that
TLD Administrator asks for it. Servers of a TLD may be included even
if the TLD Administrator does not ask for it. The hosts of the TBs
located inside a TLD may also ask for the TLD servers to be
monitored. A TLD Administrator that did not ask for its servers to be
monitored will not have access to the services listed above.

As the DNSMON service is built on top of the TTM infrastructure, the
data disclosure policy for the TTM service also applies to DNSMON. The
current version of this policy can be found in document RIPE300. This
policy specifically means that:

    * A TLD administrator can show all results of the DNSMON service
      to their customers.

    * The TLD administrators, the TB hosts and the RIPE NCC can freely
      show all results at a RIPE Meeting.

    * A TLD administrator can only show results of the DNSMON service
      related to its domain to the general public without peer
      review. Similarly a TB host can only show results obtained by
      the TB at its site to the general public.

For all other publications, a draft of the publication has to be
circulated amongst the participating sites for review before
publication. It is recommended that the data is published as
anonymously as possible.

Subscribing to this service generates certain expectations from both
sides and results in the transfer of money. In order to formalise the
relationship and to ensure that both sides understand their
obligations, it is proposed to sign a "DNS Monitoring Service
Agreement". The text of this document is included in the next
section. The service will start after both sides have signed this
agreement.  

3. DNS Monitoring Service Agreement

Note: This section and the appendices contain the text of the formal
agreement between the TLD Administrators and the RIPE NCC. When the
former decides to use the service, a separate contract will be drawn
up for both parties to sign. The text of this contract will be
identical to section 3 and the appendices of this document, with names
and dates filled out.

[TLD Administrator + address + postal code + city + country]

From here on referred to as "the TLD Administrator", and

The Reseaux IP Europeens Network Coordination Centre
Singel 258
1016 AB Amsterdam
The Netherlands,

From here on referred to as "the RIPE NCC".

Whereas:

The RIPE NCC has developed a service to monitor the performance of DNS
servers called DNSMON. This service is described in Appendix A.

The TLD Administrator wishes to use this monitoring service and wants
to obtain early access to the data collected by the DNSMON service
along with a help desk for this service. This is described in detail
in Appendix C.

The RIPE NCC membership requires receiving partial financial
compensation for the operation of the DNSMON monitoring of the NN TLD
from the TLD administrator.

3.1. Definitions

   a. TLD Administrator: The organisation(s) responsible for the
      registry of a Top Level Domain, as recorded by the IANA.

   b. TTM service: Test Traffic Measurements Service, as described in
      RIPE Documents 209 and 297.

   c. Test Box/TB: probes monitoring the DNS servers by sending
      queries to DNS servers and analyzing the results.

   d. DNSMON: A service monitoring the performance of DNS servers
      designated by TLD Administrators, the RIPE NCC or the TB hosts,
      by the TBs. The results are collected and published in graphical
      form on

      http://dnsmon.ripe.net.

      These results will be made available to TLD Administrators and
      the general public.

   e. Software: Software as specified in Annex A to be used for
      DNSMON, including any upgrades.

3.2. Start of the agreement

   a. The DNSMON Service Agreement between the RIPE NCC and a TLD
      Administrator shall come into effect by means of an offer and an
      acceptance.
   
   b. The TLD Administrator shall send the RIPE NCC at least two hard
      copies of this agreement, with the appropriate sections filled
      out, signed by an authorised representative of the TLD
      Administrator, as well as an extract from the Commercial Trade
      Register or similar document proving the TLD Administrator's
      business with the national authorities. (The latter is not
      necessary for TLD Administrators who are already RIPE NCC
      customers for TTM or Registration Services.) When the documents
      arrive at the RIPE NCC, a representative of the RIPE NCC shall
      sign the documents and return at least one copy to the TLD
      Administrator. The RIPE NCC shall not commence the provision of
      the DNSMON service until a signed version of the agreement has
      been received by the RIPE NCC.

3.3. Scope of the Agreement

   a. The RIPE NCC will monitor the authoritative DNS servers serving
      the NN TLD and servers designated by the TLD Administrator.

   b. Upon signing this agreement, the TLD Administrator acknowledges
      and accepts that it has obtained the right to use and the
      obligation to pay for the DNSMON service in accordance with this
      agreement, as specified further in Annex B.

   c. Upon signing this agreement, the RIPE NCC acknowledges that it
      has to provide the DNSMON service to the TLD Administrator, as
      specified further in Annex A and C. If the RIPE NCC cannot
      provide the service it will not charge the service fee for the
      period that the service was not available, see Annex A for
      details.

   d. The TLD Administrator can designate the servers, serving the NN
      TLD, to be monitored by the RIPE NCC. An initial list will be
      provided with this agreement (see Annex D); this list can be
      changed at any time with at least three full working days
      notice. The RIPE NCC will confirm any changes to this list
      during this period.

   e. The TLD Administrator and the RIPE NCC will designate
      administrative, technical and billing contacts for the execution
      of this agreement, as further specified in Annex C.

   f. The RIPE NCC and the TLD Administrator shall follow the
      operational procedures described in this Agreement and as
      further specified in Annex C.

   g. The RIPE NCC will offer e-mail help desk support to the TLD
      Administrator as further specified in Annex C.

   h. The RIPE NCC provides facilities to announce and communicate
      technical issues to technical contacts of the TLD Administrator
      as further specified in Annex C.

3.4. Changing the agreement

All changes and amendments to this agreement have to be agreed upon by
both parties before they come into effect. When this agreement is
changed, the RIPE NCC will send the modified text to the TLD
administrator.

3.5. Management, maintenance and support

The DNSMON Service is operated and maintained under the sole
administrative control of the RIPE NCC, including software upgrades,
software configuration and system administration.

The RIPE NCC will first present any plans for the DNSMON service for
discussion in the RIPE DNS Working Group. The same working group can
be used by the TLD Administrators to provide feedback on the services
and suggestions for improvements. The RIPE NCC will, in its annual
activity plan, announce the final plan for the service for the next
calendar year.

3.6. Assignment

The parties shall not assign, transfer, charge or deal in any manner
with this agreement or any rights under it, without prior written
consent of the other party.

3.7. Confidentiality and Publicity

   a. Without prejudice to subsections (b) to (e), each party shall
      treat as private the other party's confidential
      information. Confidential information includes any information
      relating to the service and any information imparted by the
      other party as being confidential. Confidential information
      shall not include information that has become public knowledge
      other than through violation of this duty of confidentiality.

   b. The RIPE NCC will publish the results of the monitoring of the
      authoritative DNS servers serving the domain(s) of the TLD
      administrator and the servers designated by the TLD
      administrator to the general public.

   c. Both the TLD Administrator and the RIPE NCC may publish the data
      collected by the DNSMON server and make statements about the
      data (written or oral, press releases and interviews
      included). All public statements about the data will be subject
      to the data disclosure policy as described in document
      RIPE300. The DNSMON data is considered to be part of the TTM
      data.

   d. Each party shall inform the other party about (public domain)
      publications that use the DNSMON data.

   e. The RIPE NCC will provide a technical description of the service
      that can be used by the TLD Administrator in public statements.

3.8. Liability; Indemnification

   a. The TLD Administrator shall be liable for all aspects of its use
      of the DNSMON service offered by the RIPE NCC.

   b. The TLD Administrator shall indemnify and protect the RIPE NCC
      from and against any damages and expenses, including related
      legal fees that may result from a third party claiming
      compensation for loss or damage caused in whole or in part by
      non-performance or any act or omission by the TLD Administrator
      or its employees.

   c. In no event does the DNSMON service provide a guarantee with
      respect to the performance of any DNS servers. The RIPE NCC
      shall not be liable for any damage caused by reduced or
      non-performance of DNS servers or by any acts or omissions by
      the TLD Administrator in consequence of RIPE NCC performing
      DNSMON services.

   d. The RIPE NCC shall not accept liability for:
          
      * mutilation or loss of DNSMON Data or other data during
        transmission or when stored on TLD Administrator's computers;
  
      * the results and consequences of analysis of DNSMON Data
        undertaken by the RIPE NCC;

      * the consequences of any modification or adaptation to the Test
        Box or Software made by a Test Box Host or from the
        combination of the Test Box or Software with hardware or
        software other than that prescribed in the Hardware and
        Software Requirements in RIPE297.

   e. The RIPE NCC shall not be liable for any damage caused by a Test
      Box, the DNSMON Software or any failure to meet any of its
      obligations under this Agreement, except where such damage or
      failure is due to a grossly negligent or wilful act or omission
      by the RIPE NCC managing personnel.
   
   f. In no event shall the RIPE NCC be liable for indirect damages,
      including damage to the TLD Administrator's business or loss
      of profits.

   g. In no event shall the liability of the RIPE NCC in connection
      with this Agreement exceed the Service Fee invoiced in respect
      of the calendar year in which the damage first occurred. The
      maximum shall apply per event or series of connected events
      resulting in such liability.

   h. Without prejudice to any other provision in this Article, the
      RIPE NCC shall not be liable for damage as a result of a failure
      to meet any obligation under this Agreement if such failure is
      due to circumstances for which the RIPE NCC is not considered
      accountable according to law, contract or trade custom. The RIPE
      NCC in any event shall not be accountable for failures to
      perform resulting from interruptions or improper functioning of
      power or telecommunication services facilities.

3.9. Termination

   a. This Agreement shall be valid as from the date of signature
      including the information to be filled in by the TLD
      Administrator in Annex A and C.
   
   b. Each party may terminate this Agreement

         I. By giving thirty days written notice. This must be sent by
            registered post with advice of delivery;

        II. With immediate effect upon written notice to the other
            party (by registered post with advice of delivery) in the
            event of a substantial breach by either party of any
            obligation under the Agreement which is irremediable or
            which is not remedied within a reasonable period of time,
            following written notice requesting it be remedied;

       III. With immediate effect upon written notice that the other
            party has filed or plans to file for bankruptcy or be
            declared bankrupt or plans to apply for a suspension of
            payment or order the liquidation of its organisation in
            any manner whatsoever.

   c. The RIPE NCC may terminate this agreement if the TLD
      Administrator does not pay the service fee according to the
      procedure described in Annex B.

   d. Any payments or credits outstanding upon termination remain due.

   e. Upon termination, each party shall ensure that all confidential
      information and software belonging to the other party (in
      whatever medium it is recorded or held) is returned, deleted or
      destroyed in accordance with the other party's written
      instructions.

   f. Upon termination, the RIPE NCC ensures availability of data for
      two years, though data may be removed from publicly accessible
      web and ftp sites.

3.10. Variation of Terms

   a. In the event that any of the terms of the agreement (including
      Annexes) is determined by any competent authority to be invalid,
      unlawful or unenforceable, such term will be removed from the
      remaining terms which continue to be valid to the fullest extent
      permitted by Dutch law.

   b. The "RIPE NCC Standard Terms and Conditions" (document
      RIPE321) apply. In the event that there is a conflict between
      this document and the RIPE NCC Standard Terms and Conditions,
      the agreements in this document take precedence.

3.11. Applicable law; jurisdiction

   a. The agreement shall be governed exclusively by Dutch law.

   b. The competent court in Amsterdam shall have exclusive
      jurisdiction in all matters relating to the agreement.

   c. However, in the event of non-payment of the service fee, the
      RIPE NCC shall have the right to bring proceedings before the
      competent court in Amsterdam or the competent court in the seat
      of the TLD Administrator.

RIPE NCC
By: 	 	_________________________________________
Printed Name: 	_________________________________________
Company: 	_________________________________________
Title: 	  	_________________________________________


[TLD Administrator]:
By: 		_________________________________________
Printed Name: 	_________________________________________
Company: 	_________________________________________
Title:          _________________________________________


Annex A

Specification of the DNSMON service

   1. The goal of the DNSMON service is to monitor DNS servers
      selected by TLD Administrators, the RIPE NCC or the Test Box
      Hosts. After signing this document, the RIPE NCC shall make an
      effort to monitor the servers of that TLD by as many TBs as
      possible.

   2. The RIPE NCC shall make every effort to provide early access to
      the data: The TLD Administrators as soon as it is collected, the
      public after two hours. This gives the TLD Administrator an
      opportunity to solve problems. TLD Administrators will also get
      posting rights to a mailing list to inform the public of
      problems and solutions.

   3. The RIPE NCC will provide help desk support for the service: In
      case of a problem, the TLD Administrator will be able to contact
      the RIPE NCC, who will try to solve the problem with the service
      as soon as possible. When "unusual" effects are seen in the
      data, the RIPE NCC will help the TLD Administrator to
      investigate.

Software

   1. The RIPE NCC will use the DNSMON software developed in house for
      monitoring.

   2. The source code of the software for the service will be made
      available under the GNU General Public Licence ("GPL") on
      a CVS server (see http://www.gnu.org/licenses/gpl.txt for
      details).

   3. Bugs can be reported to the RIPE NCC and will be fixed in a
      timely fashion.

   4. Feature requests will be implemented by the RIPE NCC on a best
      effort basis.

Non-availability of the service

The service is considered not to be available if:

    * the number of TBs that monitor the servers of a TLD is lower
      than ten,

    * no data can be collected due to problems with the central
      machine for more than one week,
    
    * the help desk cannot respond to customer queries for more than
      three days.

In these cases, and only in these cases, the RIPE NCC will refund the
service fee for the period that the service was not available.

Technical description of the service

A technical description of the DNSMON service is available at:
http://dnsmon.ripe.net/dns-servmon/information.

Annex B: Billing scheme and procedure

The TLD Administrator shall for contribution purposes self-declare to
the RIPE NCC a category size of SMALL, MEDIUM or LARGE by stating this
in the DNSMON agreement.

Guidelines for the charging category can be the number of registered
sub-domains, the number of additional DNS servers that need to be
monitored by DNSMON and the load that is expected on the DNSMON
service team. Also the already declared size of other TLD
Administrators may be helpful.

The RIPE NCC will publish the fact that a TLD Administrator supports
the operation of DNSMON including the current self-declared category
size of a TLD Administrator on the DNSMON web site.

Only TLD Administrators in the MEDIUM and LARGE category may designate
additional DNS servers to be monitored by DNSMON during the calendar
year at any time. TLD Administrators in the SMALL category can replace
the server(s) monitored once during the year. The TLD Administrator
can request a change in category size up to 31 March. This change will
be granted unless the TLD Administrator had more DNS servers to be
monitored by DNSMON and requests to be shifted into the SMALL
category.

The DNSMON Service fees shall be as follows:

Category size    Amount
SMALL            EUR 2,000 per year
MEDIUM           EUR 4,000 per year
LARGE            EUR 6,000 per year

Note: a TLD Administrator hosting a RIPE NCC Test Box as well will not
be charged the service fee for the Test Box.  

Payment scheme

   1. The TLD Administrator shall owe the RIPE NCC the service fee
      listed above, excluding Dutch VAT or any applicable taxes,
      immediately due when the TLD Administrator concludes the
      agreement. Dutch VAT will be charged to TLD Administrators inside
      the EU unless a valid EU VAT number is provided by the TLD
      Administrator.

   2. The RIPE NCC reserves the right to update the service fee
      annually to reflect changes to the operational costs of the
      service. Changes will be announced at least one month in advance
      by e-mail to billing and technical contacts of the service.
  
   3. Invoices for the relevant financial year (1/1 to 31/12) will be
      generated and sent via e-mail and postal mail at the beginning
      of April. At the request of the TLD Administrator a copy of the
      invoice can be sent by e-mail to the contact. Payment is due 30
      days after date of invoice.

      The first reminder is sent via postal mail and e-mail 31 days
      after date of invoice. If the RIPE NCC does not receive payment
      within 60 days of the date of invoice, a second reminder
      including a late payment fee of EUR 50 is sent to the
      registry. After 90 days of non-payment the DNSMON service for
      the TLD Administrator is revoked. The DNSMON service will only
      be reinstated after the TLD Administrator has paid all
      outstanding invoices.
   
   4. The RIPE NCC reserves the right to charge the TLD Administrator
      pro-rata for any third party expenses incurred regarding the
      agreed services.
   
   5. The TLD Administrator's obligation to perform its payment
      commitments shall commence on the day on which the DNS Monitoring
      Services Agreement is signed.  

   6. As soon as this agreement is concluded, the RIPE NCC shall send
      the TLD administrator an invoice covering the period until the end
      of the financial year.  

   7. The TLD Administrator may not postpone its payment obligations
      or offset any of its legal or financial claims against the RIPE
      NCC.

Annex C: Operations

Operational Contacts

The RIPE NCC help desk will be available by e-mail, Monday to Friday
between 10:00 and 16:00 Amsterdam time (GMT+1 or GMT+2) except on
Dutch public holidays. A current list of public holidays is available
on the RIPE NCC website. An initial response to e-mails will be given
during the first working day after receipt of an e-mail. This response
may be by e-mail or telephone.
  	
                           RIPE NCC             <TLD Administrator>
Helpdesk/NOC               dnsmon@ripe.net
Emergency contact          ops@ripe.net
Finance/billing contact    finance@ripe.net
TLD Technical Contact      --

Both the RIPE NCC and the TLD Administrator will inform each other
about any changes to the operational contacts as soon as possible,
preferably before the new contact detail(s) come into effect.

Announcements

The RIPE NCC will make a mailing list available to announce and
communicate technical issues to technical contacts of the TLD
Administrators. Technical contacts of the TLD Administrators will be
automatically subscribed to dnsmon-contact@ripe.net.

The RIPE NCC will make available a public mailing list to discuss the
results of the monitoring. Posting rights will be limited to the RIPE
NCC, technical contacts of the TLD Administrators, technical contacts
of TBs and others to be decided by the RIPE NCC. Announcements to the
public regarding the monitoring service will be published to the
dnsmon-user@ripe.net list.

Presentation and availability of DNSMON monitoring data

DNSMON monitoring results will be published in graphical format on

http://dnsmon.ripe.net

The RIPE NCC will make the raw data ("numbers that went into the
plots") available on its ftp server for the TLD Administrator on
request.

The RIPE NCC collects the data from the TBs with an average expected
30 minutes lag between measurement and collection. If there are
connectivity problems with a TB, this may be longer. The RIPE NCC will
update results retroactively if there are major changes. Data that
could not be collected for two weeks will not be processed.

The RIPE NCC will analyse the collected data and make the results
available to the TLD Administrator. The TLD Administrator will have
restricted access for the first two hours after the measurement,
provided the data could be collected. Unlimited access to the data
will be given two hours after the measurement, regardless of whether
the data was made available for restricted access before or not.

The RIPE NCC will only check that plots have been created correctly;
it will not check the plots for any unusual events nor will it report
on such events. It is the responsibility of the TLD Administrator to
study the plots.

The RIPE NCC may make the raw data collected by the services available
to researchers for scientific and statistical analysis.

The RIPE NCC will maintain the software. Bugs will be fixed in a
timely fashion. New features will be added, depending on available
resources. The RIPE NCC will present its development plans and report
on the service during the DNS Working Group sessions held at RIPE
Meetings.

The server for the DNSMON site is monitored continuously. A backup
server for the DNSMON site is available. It will be enabled when there
is a problem with the primary server. The outage of the service will
be of the order of one hour or less. If the data on the disks of both
servers is corrupted and has to be restored from a backup tape,
restoring the service will start on the following working day and can
take up to twelve hours.

Upon termination of this contract, the RIPE NCC will ensure
availability of data for two years, though such data may be removed
from any website.  

Annex D: Initial list of servers to be monitored

Domain:
Date:

Server (Hostname)       Server (IP Address)