.FK ccTLD DNS lack of topological and server diversity (Update #11)

Update #11: 23rd October 2019

Following communication with the Falkland Island Regulator, I am pleased to be able to announce that the work required to add diversity to the ,FK ccTLD is well underway by Sure.

There has been a recent delay because the decision was taken to undertake this work simultaneously with the increase in satellite capacity that is planned to take place in December 2019.

“It made practical sense for all the changes to be made together. Sure network engineers are in the process of building and testing a tertiary name server with diversity that satisfies IANA’s requirements.  This server will be online in the next few weeks.”

I would agree that this seems to be a sensible technical approach to take, so I and Falkland Island consumers and businesses, look forward to implementation before Christmas 2019.

Good news that this important issue, that has been outstanding for several years, is at long last being resolved. Well done.

Update #10: 1st October 2019

I have just sent this email to the Falkland Island Communications Regulator and the Administrator of the .FK ccTLD domain.

Attn: Falkland Islands Communication Regulator.

I am writing in regard to the identified issue concerning the lack of network diversity for the DNS server used for hosting the .FK country-code Top-Level Domain (ccTLD).  The consequences of this have been well documented on the OpenFalklands.com blog and have been acknowledged by yourself.

In an email dated 1st of August 2019 IANA, the organisation responsible for global management of ccTLDs, stated that a commitment had been made by the .FK domain Administrator to the effect: “The latest update we received recently indicates they have plans to address the issue in the next two months”.

I understand from IANA that they have not yet received a recent progress update from the .islands  but have now followed up with their contacts.

As the quoted time period has now expired, I would welcome an update as to the date when acceptable diversity will be restored on the islands.

I look forward to receiving your reply and to finally getting this highly delayed and important issue resolved.

I have posted this email on OpenFalklands.com this morning.

Kind regards

Chris Gare on behalf of OpenFalklands.com.

Update #9: 1st August 2019

We are now getting close to the end of the country code Top Level Domain (ccTLD) saga having received an email from IANA, the USA body responsible for managing ccTLDs worldwide. IANA set the rules that governments and their subcontractors must follow to ensure the functional integrity of the Internet.

IANA’s email can be seen below (my bold markup):

“Thank you for your patience.

We are aware of the situation with .FK and their contacts are keeping us updated on their plans and progress to add network diversity. The latest update we received recently indicates they have plans to address the issue in the next two months.

Additional guidance regarding network diversity of nameservers was already provided to .FK at the time of the requested changes.

At the time this change was made in the root zone, IANA made a determination on an exception basis based on the information provided at the time to complete a root zone change request and a commitment from the TLD Operators to address the network diversity issue as quickly as possible.

If and when registries submit updates to their Root Zone Delegation record, all new updates go through the technical checks to ensure they meet the current checks at that time. We look forward to receiving a new root zone change request from the .FK administrators.

Best regards,

IANA Services Specialist”

So there we have it, there has been a recent commitment by the ‘operators’ of the fk ccTLD that topological diversity will be added within two months. By my reckoning, that means that it will be achieved by the end of September 2019. This is good news.

This situation has existed for a number of years and the reasons that led to this will never be fully known as all dialogue has, until recently, been held behind closed doors. But at least we now know that all will be corrected to the technical satisfaction of IANA by the end of September.

This really has been a mountain created out of a molehill.

Update #8: 29th July 2019

On the evening of the 25th July, an open question MLA public meeting was held in Stanley, Falkland Islands as announced below:

“Members of the Legislative Assembly will be holding a public meeting on Thursday 25th July 2019 at 5pm in the Court and Assembly Chamber, Town Hall. This will be an open session and will be broadcast live.”

Picture credit: FITV

A written question was submitted concerning the fk ccTLD issue and was submitted before the response by the Regulator that can be found in update #7 below or now on the Regulator’s web site.

“I have been following the ongoing discussion on OpenFalklands about the open complaint that has been raised with Sure. This is concerned with a very serious issue of no geographic resilience for the .FK domain DNS server as it is located on the Falkland Islands. I understand that if there is a satellite outage the .FK based web sites could be inaccessible by the rest of the world and .FK emails from overseas may be discarded.

I understand that currently the Communications Regulator is responsible for overall management of the .FK domain and that Sure handle the day-to-day management of the DNS server. I am not aware that Sure or the Regulator have made any public statement acknowledging the issue or informed customers if and when it will be resolved.

I would like to ask MLA Spink what the current situation is and what plan is in place to correct this situation which has been ongoing for a number of years and appears to be have been missed or ignored by all that have immediate responsibilities for Falkland Islands telecoms.”

MLA Spink answered the question which may be heard here.

Audio credit: FITV

OpenFalklands’ comments

The phrase “the issue is currently under discussion and those discussions are commercial and therefore in confidence” was used. It has been admitted that there is a lack of a Service Agreement between Falkland Islands Government and Sure South Atlantic to manage the fk ccTLD DNS infrastructure, but this would be a remarkably simple outsourcing Agreement. Users of the Internet are just interested in information about what is going to being done and by when; not contractual minutiae.

The MLA’s closing comment – “we would expect to see some resolution in coming months”, supports the conclusion that for whatever reason little has been achieved in the nine months since the issue came to the Regulator’s attention.

The IANA “waiver” was only temporary expediency and the issue could have been promptly dealt with by the end of 2018. We are, after all, only talking about a straightforward technical issue that every other ccTLD stakeholder has been managing perfectly happily for over thirty years. This is not a political issue.

Let’s hope with this recent publicity and focus on the issue, it can be sorted out in a few weeks rather than a few months. You have my support and I hope regular public updates will be provided to show progress made.

A trip down DNS memory lane

In June 1997, the first ccTLD Administration Contact was the Falklands Islands Government, with the Technical Contact being U-Net in the UK. When U-Net was sold to Via Networks, an IANA redelegation of the domain was made in January 2005 to change the Falkland Islands Development Corporation (FIDC) to be the new Administrative Contact, while Horizon-Cable & Wireless was named as the Technical Contact.

Multiple IANA changes were completed affecting Administrative and Technical Contacts on the 10th September 2014 by IANA, but no details are available. There does not seem to be any other IANA redelegations until it was last updated on the 6th October 2018 to the current Administration and Technical Contacts.

On the 5th October 2018, name server changes were requested and withdrawn for European based DNS servers – EURO-NS1.CW.NET, EURO-NS2.CW.NET. These were based in Germany so would be the old C&W Global Network ccTLD DNS servers which are now owned by Vodafone. This confirms that C&W Falkland Islands did have topological diversity at one time.

Who is affected by the lack of topological and domain diversity?

To bring us up to date, all the 79 Falkland Islands’ .co.fk domains/email users and who hosts them can be found here. As would be expected, many of the domain names are now unused.

As a point of interest, I was intrigued as to why the Falkland Islands Community School, https://www.secondary.ac.fk as it is hosted in Japan of all places. The route followed from the UK is New York, Chicago, Santa Clara, and on to Tokyo! The reason is that Amazon is used as the hoster. This is not exactly the best location for a Falkland Islands’ web site as the overall latency would be approaching 900mS!

Update #7: 19th July 2019

I have received an exceeding prompt reply to yesterday’s email to the Communication Regulator. It presented a comprehensive overview of the current situation in regard to the state of the FK TLD and DNS issue and I would thank her for that frankness. My views follow.

Dear Chris

Since October 2018, I have been fully aware of the network diversity issue and have been working with Sure on the matter. IANA is aware of this and has provided the Falkland Islands with a waiver to the network diversity requirement.  I am fully aware of the IANA technical rules, the significance of these and the need to meet these, as any competent domain manager should. IANA provided the waiver to these technical rules in October 2018 in order for a robust solution to be identified and implemented. This was to provide time to identify a solution that is compatible with the Falkland Islands domain allocation policy and the wider electronic communications objectives. I would have been able to provide you with this information should you have contacted me directly to confirm the situation, as the person with statutory oversight for the administration of the domain.

Whilst this may appear to be a technical issue there are wider sensitive strategic matters that I have had to consider. Whilst this correspondence is not the place to go into that in detail I will summarise; there is no formal (commercial) contract between FIG and Sure for the technical administration of the domain and it does not fall within the Sure licence. There have been multiple missed opportunities to formalise the relationship between FIG and Sure, starting from when the Regulator post was first created under the Telecommunications Ordinance in 2010, through the drafting of the Communications Ordinance and Sure licence, and most recently it was omitted from the advice provided to Regulatory Services in 2016 as to the implications of the Communications Ordinance.

Formalising the structure for management and administration of the .fk domain is well overdue particularly when this is considered within the context of the strategic political importance of the .fk domain for the Falkland Islands. Whilst there is a need to fix the technical issue I also have to ensure, as any competent domain manager should, that the .fk domain administration is robust both now and in the future and properly serves the interests of the Falkland Islands. Blacklisting is a serious consequence of mismanagement, something that afflicted the Falkland Islands previously and has been rectified in recent years. This has the potential to impact on the islands far more widely than a short satellite outage, and has to be considered within any action taken to rectify the issue of network diversity.

IANA is fully aware of the timescales for a solution. A full report will be submitted to EXCO when the matter has been resolved which will be recommended for publication, however it will be up to EXCO as to whether any matters require redaction due to the political sensitivities of the .fk domain (as noted above).

Kind Regards

Susannah

Susannah Nightingale
Regulator

I am pleased to understand that this issue has been on the Regulator’s agenda since October 2018 which is now nine months ago. I fully comprehend the political, organisational, contractual, technical and commercial issues that may be involved in providing a solution. However, in spite of all those concerns, ccTLD management is, in reality, a standard procedure that has worked well for over 30 years within the Internet technical community.

Let’s not understate the impact of a lack of DNS diversity as it affects every FK domain email being sent to the island, it adds a significant and unpredictable latency for web site lookups and creates an additional unneeded traffic load on the satellite that just adds to congestion. This is happening every minute of every day, every week, every month and every year.

I’m also pleased to hear that IANA has provided a temporary waiver. The core technical philosophy of the Internet that enables it to work is based on a peer-to-peer willingness to cooperate without bureaucracy. The lack of topological diversity not only affects the Falkland Islands DNS service but impacts in real-time every other DNS server around the world that needs to use the FK ccTLD. There is a significant DNS service performance knock-on ripple effect as any competent Internet engineer knows.

I would urge – maybe even demand that all the stakeholders involved – Falkland Island Government, Communications Regulator and Sure South Atlantic – put overt bureaucracy and consequential delay aside and provide a technical solution now that satisfies IANA’s rules. Nine months is long enough to wait. It is not challenging. Even St Helena has done it. Paperwork, cost centre and approval can be sorted out later.

I have been brought up throughout my marketing career to believe that it is “better to beg forgiveness than ask permission” and that philosophy really needs to be adopted today in this serious matter. We look forward to further public announcements as progress is made.

Update #6: 18th July 2019

I’m sorry to have to say that I have not received any acknowledgement of my July 9th and 16th emails from Sure South Atlantic Customer Services, so I have sent the following email to the Communications Regulator.

Note: Interestingly, the FK ccTLD was first registered by the FIDC in 1997.

Attn: Falkland Islands Communication Regulator.

I raised a Complaint with Sure South Atlantic in regard to the operation of the FK ccTLD on an open basis as the subject is exceedingly important to the correct functioning of the Internet service in the Falkland Islands. My Complaint has been ignored in a most casual manner for such a serious operational issue and follow-up emails ignored.

This email is not an escalation of the Complaint as I am not asking for Complaint adjudication from the regulation department at this time.

The focus of the Complaint is concerned with the correct management and running of the islands’ FK country-code Top-Level Domain or ccTLD. The lack of topological diversity the country Domain Name Servers (DNS) leads to non-accessibility of websites (including .gov.fk) that use the FK ccTLD and the possibility of abandoned ccTLD emails when the Falkland Islands’ satellite suffers from an outage as occurred in April.

In fact, no one “owns” ccTLDs and that includes the Falkland Islands Government or the Communications Regulator. Global management of ccTLDs is undertaken by a US organisation called Internet Assigned Numbers Authority or IANA. They describe their role as:

The DNS Root Zone
The root is the upper-most part of the DNS hierarchy, and involves delegating administrative responsibility of “top-level domains”.

IANA also do not own ccTLDs but are responsible for their global management. IANA assigns local operators of ccTLDs and maintains their Technical and Administrative details in their  Database. This database shows that the operation of the .ccTLD DNS server is currently assigned to the Falkland Islands Government.

More importantly, IANA maintains the binding standards (their wording) that assignees must adhere to to ensure the correct operation of DNSs thus reflecting the importance of this service to the efficient day-to-day running of the Internet.

With the creation of the Communications Regulator role, the administration of ccTLD passed to that office. Clearly, governments do not manage Country ccTLD DNS infrastructure and operation of the DNS infrastructure is outsourced to a commercial organisation to undertake this task. To quote IANA on this matter:

The delegation process results in the “NS” records being placed in the DNS root zone to make the domain active in the domain name system. 

The IANA Delegation Record can be found here. The Administrative Contact for the ccTLD is registered as the Communications Regulator and the Technical Contact is the IP Networks Manager, Sure Falkland Islands. The IANA records were updated on the 6th October 2018.

These two parties are therefore jointly responsible to ensure the correct operation of the ccTLD DNS system and hence are obligated to ensure that IANA’s binding technical rules are followed. The IANA rules that are knowingly being broken and are the subject of my Complaint are:

Network diversity
The name servers must be in at least two topologically separate networks. A network is defined as an origin autonomous system in the BGP routing table. The requirement is assessed through inspection of views of the BGP routing table.

Minimum number of name servers
There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.

Name server reachability
The name servers must answer DNS queries over both the UDP and TCP protocols on port 53. Tests will be conducted from multiple network locations to verify the name server is responding,

There is a formal IANA complaints procedure that can be followed, but I have no wish to initiate that process as it would be potentially embarrassing for all stakeholders. This would inevitably involve a request to change the ccTLD Technical contact.

I would rather request that Sure South Atlantic or the Communications Regulator issue a public acknowledgement of the issue stating that corrective action will be taken and the timescales of how long this will take.

Regards.

Chris Gare

As part of the open complaint process, this email has been posted on OpenFalklands.

CC: Sure South Atlantic Customer Services

Update #5: 16th July 2019

As I have not had an acknowledgement from Sure South Atlantic Customer Services of my 9th July email, I have just sent the following email to Customer Services.

Hello xxxxxxx

On Tuesday July 9th I emailed a response to your email dated 2nd July regarding my Complaint concerning the lack of geographic diversity for the Falkland Islands .FK Domain Name Server managed by Sure South Atlantic on the behalf of FIG / Regulator.

The email requested escalation of the Complaint to Step 2 of the published Complaints Procedure.

I have not yet received a reply to that email. Sure’s Code of Practice states that “Your complaint escalation will be acknowledged within 3 working days” and it is now been one full week since my request.

I am sure there must is a practical reason for overlooking a timely acknowledgement, so I look forward to hearing from the company shortly.

As this is an open Complaint, so I have copied this email to www.OpenFalklands.com

Kind regards and thank you for your attention.

Chris Gare

Update #4: 9th July 2019

Interestingly, this update has attracted the most page-views of all my OpenFalklands posts bar one with several hundred page views. Update! It is now my most popular update/post!

I have just received the following reply from Sure South Atlantic to my complaint concerning the lack of geographic diversity for the .FK domain.

This is my response emailed this morning to Sure South Atlantic Customer Service.

Dear  xxxxxxx

Thank you for your prompt reply to my recent open complaint – it’s appreciated.

In regard to the statement, “which in any event is only available to current customers of Sure South Atlantic Limited”, I must point out that this is incorrect. As I stated in my original email, I am the proud owner of an Alcatel onetouch mobile phone bought over the customer counter in the Sure Office in Stanley in November 2017. I have also bought two pre-paid SIM cards for cash. By any definition that makes me a customer of Sure South Atlantic Limited. If not, I would ask Customer Services why I am not considered to be a customer after buying your products?

There is nothing in the Code of Practice that states that I cannot complain about an aspect of another service, though I am actually an Internet customer as well as I currently have a half-used WiFi Access card. There is no mention on the Wi-Fi Hotspot page of Sure South Atlantic’s website that these time-out like SIM cards.

In regard to the original subject of the complaint about the .FK domain, I am fully aware that Sure South Atlantic does not “own” the .FK domain. As I’m sure you are aware, the “others” you refer to is the Falkland Islands Government so .FK domains are now an accountability of the Communications Regulator.

The day-to-day management of the .FK DNS infrastructure has, for many years, has been undertaken by Sure South Atlantic as there was no resource or expertise in FIG. This may, or may not, now be undertaken on the basis of a formal outsource Agreement, but that is an irrelevance. This a technical issue that should be managed by Sure South Atlantic on an industry best-practice basis on behalf of the FICR. I am sure that any change to how the .FK is handled would need to be approved and possibly financed by FIG. However, that is not of my concern as it is a discussion between yourselves and FIG / FICR. I am only concerned that the users of the .FK domain for their email and website facilities get the best possible service which should be aligned with Sure South Atlantics ambitions.

Therefore, on the basis of my actually being a customer of Sure South Atlantic and the following Complaint procedure statement being applicable  –  “If you are unhappy with the way your complaint was handled or if it has not been resolved to your satisfaction”, I would like to escalate my complaint to Step 2 of the Complaints Procedure.

I look forward to seeing Sure South Atlantic senior management’s adjudication and a positive proposal for what actions need to be taken or have been taken to get the lack of .FK DNS geographic diversity resolved.

Kind regards

Chris Gare

Update #3: 7th July 2019

As an aside, the ‘official’ Sure Falkland islands Complaints Procedure is to be found in their ‘Code of Practice‘ as is stated on their web site and by other parties. However, if a  Google search is made using the term Sure Falkland Islands Code of Practice, an old 2013 Complaints Procedure, dated 2013, comes up in the #1 position even though there is no link to it on the web site! Sure should really get their webmaster to clear out old unlinked files as this was the same issue I found with their Mobile Roaming Partners page a few weeks back.

Update #2: 3rd July 2019

The plot below shows the delays in accessing the Falkland Islands 195.248.193.250 Domain Name Server (DNS) last night UK time (2/3rd July). It clearly shows why locating the DNS server only in the Falkland Islands is such a poor Internet engineering approach to take.

Pinging the .FK DNS

  • The graph is UK time so subtract four hours for Falkland Islands time.
  • The Y-axis is 0 to 1200ms (1.2 seconds)
  • The line across the centre of the graph is the 540mS satellite delay.
  • Starting at 18:00 local time, there is a high level of congestion on the satellite link and the access time to the .FK DNS server deteriorates considerably.
  • The red lines are when the DNS is inaccessible. FOR 30 MINUTES AROUND MIDNIGHT, DNS LOOKUP WAS NOT POSSIBLE AT ALL FOR OVERSEAS INTERNET USERS.
  • Remember, that every single time a .FK web page is accessed or an email sent to a .FK email address, the browser and email applications need to access the .FK DNS server.
  • If there is an excessive DNS lookup delay, browsers can time out and show a 404-page fault and lead to unpredictable behaviour of applications. Even overseas email reception might fail.
  • The maximum delay for any DNS lookup should normally be 10-50mS and this would be the situation if the .FK DNS was also hosted in Europe and the USA.
  • I am unable to tell what the DNS response times were like for local Falkland Island users last night, but I assume the excessive delays shown in the graph are purely down to congestion on the satellite and not an overload of the .FK DNS servers.

This graph shows exactly why hosting the .FK DNS solely in the Falkland Islands does not represent good, let alone best, practice.

Update #1: 2nd July 2019

Complaint receipt acknowledged by Sure Falkland Islands Customer Services.

Backgound

Readers may remember that I published a blog entitled ‘Is your organisation hosting a website outside of the Falkland Islands that uses a .fk based URL? If so you had better read this! in April 2019. This described a serious Sure Falkland islands Internet engineering issue that potentially affects all overseas friends, family and business colleagues wishing to email Falkland Islands residents or look at .FK web sites.

I have not seen that any steps have been undertaken by Sure Falkland Islands to correct the issue since the blog was published which rather surprises me. I would have thought that the engineering management of the company based in the Falkland Islands and Guernsey would want to implement best engineering practices as soon as feasible? This is not an issue that should have needed to be raised by an external party.

Rather amazingly, even the official Falkland Islands Government web site, www.falklands.gov.fk, suffers from this issue!

Running the Squish DNS checker this morning shows that the problem has not been corrected.

Sqush.net DNS Traversal checker

I have therefore raised an ‘open complaint’ with Sure Falkland Islands and would suggest that if any Falkland islands’ residents wish to support this complaint they send a supporting email – or indeed complaint –  to complaints@sure.co.fk. A boilerplate email can be found at the bottom of this post.

This is the complaint sent to Sure Falkland islands.

Attn: Customer Services Team, Sure Falkland Islands.

Subject: Open complaint about non-resolution of the .FK DNS server issue.

Dear Sir/madam

Although I do not live on the Falkland Islands, I am a customer of Sure Falkland Islands having bought many Internet Wi-Fi cards, a mobile phone and SIMs from your company. I would, therefore, like to raise a formal complaint by adopting Step 1 the published Complaints Procedure by contacting Sure’s Customer Services Team..

Please acknowledge receipt of this complaint. Thank you in advance.

Nature of Complaint.

During a four-hour outage of the Islands Internet service that took place on April 30th 2019, it came to my notice that it was not possible to connect to any Falkland Islands web sites that used a .FK domain. I was so surprised by this that I immediately wrote a widely-read blog describing the nature of what I discovered.

I found that the Falkland Islands’ only Domain Name Server (DNS) server, a critical element of an Internet Service, was physically located in the Falkland islands. The extremely serious knock-on consequences of which are described in the blog. Not only that, the main and the backup servers are located in the same IP-subnet resulting in there being no DNS server resilience in case of a local server failure.

This has been previously described as “gross negligence” and ignores all the best-practice engineering standards adopted by all the world’s Internet Service Providers. Also, this implementation leads to additional DNS traffic over the islands’ satellite link and unnecessary latency in DNS lookups for overseas web browsers and email services. Even the possibility of emails being discarded.

Other Sure International companies do not have this issue as they have implemented industry-standard, best-practice, geographical DNS diversity as demonstrated by the quoted example of Sure St Helena.

This has been a long-standing issue since Sure became the monopoly telecommunications provider for the Falkland Islands and it has been two months since I brought recent public attention to this matter in my blog. There has been more than enough time to evaluate the issue and initiate corrective action.

I brought this to the attention of both Justin McPhee, CEO of Sure Falkland Islands and Ian Kelly, CEO of Sure International in an email dated 3rd May 2019.

I would like to make a formal open complaint about this issue not being resolved and would request that Sure Falkland islands make a public statement about when .FK DNS geographic diversity will be implemented to the satisfaction of its Internet and email customers.

As this is an open complaint, I have posted this email on OpenFalklands.com.

Regards

Chris Gare

Boilerplate email of support.

Please use this template to email Sure Falkland Islands. Please edit it as much as you want.

Attn: Customer Services Team, Sure Falkland Islands (Sure South Atlantic)

Subject: complaint support email regarding .FK DNS location

Dear Sir/madam

I am emailing in support of the Open Complaint recently made concerning the location of the Falkland Islands’ .FK DNS server.

I agree that this issue must be resolved by Sure Falkland Islands to ensure that all my overseas friends, family and business colleagues do not again have a problem accessing .FK web sites or risk their emails not being delivered to me if there is further satellite outage.

Regards

Copyright: August 2019, OpenFalklands

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.