
Re: Root Server DDoS Attack: What The Media Did Not Tell You

2002-11-23 10:19:41
Joe, this makes no sense to me - the caching mechanisms are essentially
doing what you suggest. That's one of the reasons the system is resilient.
But you need to invalidate the cache to deal with changes to the binding
of domain name and IP address. Simply mirroring everything doesn't improve
things, in my estimation. In fact, trying to mirror everything everywhere
has a massive update problem. Caching spreads the update process over time.

The USG doesn't actually run the root server (although some of the root
servers are in fact housed at USG supported laboratories). The Dept of
Commerce in effect delegates the actual operation to the root server operators. 

The issue is less the size of the file than the problem of updating many 
copies of it reliably. The root server operators find it a challenge to
assure that even the modestly sized root zone file is correctly distributed
to all root servers accurately and in a timely fashion. 

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
To survive a sustained DDoS attack against the roots, the best solution
an ISP has is to run its own system and eliminate any dependence on the US
government for basic internet services. It would also be prudent for other
primary namespaces like .com. Unfortunately, though, it would require a
considerable amount of resources -- the .com zone file alone is well over
a gigabyte in size. But the root file is very manageable and can easily
be run on an ISP's local domain name servers.

Vint Cerf
SVP Architecture & Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax


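The two models argued over in this exchange, caches that expire on their own versus full copies that must be pushed to every holder, can be made concrete. The following Python is an added illustration, not code from the thread or from any root-server operator; the record, addresses (RFC 5737 documentation range), timings and SOA serials in it are constructed placeholders. It models how many resolver caches still hold a pre-change binding as a function of time (they all converge within one TTL with no central action), how a set of pushed mirrors converges only when every push succeeds, and the RFC 1982 serial comparison an operator uses to see whether a zone push actually landed on every server.

```python
"""Added example (not part of the thread): TTL-cache convergence vs. pushed mirrors
after a root-zone change, plus the SOA-serial check used to spot a stale copy.

All data below is constructed: placeholder record, RFC 5737 addresses, invented
timings and serials. Nothing here is real root-server data."""
from __future__ import annotations

OLD_ADDR = "192.0.2.1"      # constructed: address of a delegation before the change
NEW_ADDR = "192.0.2.2"      # constructed: address after the change
SERIAL_MOD = 2 ** 32
SERIAL_HALF = 2 ** 31


def last_fetch_time(first_fetch: int, ttl: int, now: int) -> int:
    """A resolver that first fetched the record at `first_fetch` refetches each time
    its cached copy expires, i.e. at first_fetch + k*ttl. Return the latest such
    fetch time that is <= now (caller guarantees now >= first_fetch)."""
    return first_fetch + ((now - first_fetch) // ttl) * ttl


def caching_stale_count(n_resolvers: int, ttl: int, change_time: int, now: int) -> int:
    """Count resolvers whose cache still holds the pre-change value at time `now`.

    First fetches are spread evenly over one TTL window starting at 0, which is
    what independent caches filling at different moments look like. A cached copy
    is stale iff the resolver's most recent fetch predates the change."""
    assert change_time >= ttl and now >= change_time
    stale = 0
    for i in range(n_resolvers):
        first_fetch = i * ttl // n_resolvers
        if last_fetch_time(first_fetch, ttl, now) < change_time:
            stale += 1
    return stale


def cached_address(first_fetch: int, ttl: int, change_time: int, now: int) -> str:
    """The address one resolver would answer with at time `now`."""
    fetched = last_fetch_time(first_fetch, ttl, now)
    return NEW_ADDR if fetched >= change_time else OLD_ADDR


def caching_converged_by(n_resolvers: int, ttl: int, change_time: int) -> int:
    """First time at which no resolver is stale. Never later than change_time + ttl,
    and no operator had to push anything: expiry does the work."""
    for now in range(change_time, change_time + ttl + 1):
        if caching_stale_count(n_resolvers, ttl, change_time, now) == 0:
            return now
    raise AssertionError("unreachable: every cache expires within one TTL")


def mirror_convergence_time(push_log: dict[str, list[tuple[int, bool]]]) -> int | None:
    """Mirrors only change when a transfer is pushed to them. `push_log` maps each
    mirror to its (time, succeeded) attempts after the change. A mirror is fresh from
    its first successful transfer onward; the set converges when the last mirror gets
    one. Returns None if some mirror never does, i.e. it stays stale indefinitely."""
    worst = 0
    for attempts in push_log.values():
        ok_times = [t for t, ok in sorted(attempts) if ok]
        if not ok_times:
            return None
        worst = max(worst, ok_times[0])
    return worst


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison: 32-bit, wraps, so a serial just past
    2**32 - 1 still compares as newer than one just below it."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def stale_servers(master_serial: int, served: dict[str, int]) -> list[str]:
    """Names of servers announcing an SOA serial older than the master's. This is
    the check that tells an operator whether the last zone push reached everyone."""
    return sorted(name for name, s in served.items() if serial_lt(s, master_serial))


if __name__ == "__main__":
    # Constructed scenario: 6 resolvers, TTL 6, binding changes at t=10.
    for now in range(10, 16):
        print(f"t={now}: {caching_stale_count(6, 6, 10, now)} stale caches")
    print("caches converged at t =", caching_converged_by(6, 6, 10))
    # Constructed push log: mirror b's first transfer failed.
    print("mirrors converged at t =",
          mirror_convergence_time({"a": [(1, True)], "b": [(1, False), (5, True)]}))
    # Constructed serials in the root zone's YYYYMMDDNN style.
    print("stale servers:", stale_servers(2002112301, {"a": 2002112301,
                                                       "b": 2002112300,
                                                       "c": 2002112301}))
```

The model makes the two halves of the argument visible: with caching, the number of stale copies falls monotonically and reaches zero no later than one TTL after the change whether there are six resolvers or six million, whereas with mirrors the convergence time is set by the slowest successful push and a single failed transfer leaves a copy stale until someone retries it. The serial check is the piece an operator actually runs; note that it must use RFC 1982 arithmetic rather than plain integer comparison, because serials wrap at 2**32.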
