ietf
[Top] [All Lists]

Re: national security

2003-12-04 20:17:57
On 5 Dec 2003, Paul Vixie wrote:

my experience differs.  when a root name server is present it has to be
fully fleshed out, because if it isn't working properly or it falls over
due to a ddos or if it's advertising a route but not answering queries,
then any other problem will be magnified a hundredfold. 

It depends on the "problem profile" you working to avoid.

doing root name service in a half-baked way is much worse than not doing
it at all, since over time the costs of transit to a good server will be
less than the costs of error handling and cleanup from having a bad one.

This could be true, but irrelevant. It depends on the costs of transit and 
cleanup.  Transit to a remote island could be very expensive, while labor 
to cleanup any problems might be very cheap.

moreover, your statement "only the packet(s) of that country will reach the
local root server" is presumptive.  

Not necessarilly.  If the country operates a root server that is only
accessible from that country, that is, only in the preloaded in the caches
of that countries' nameservers, then the 'presumption' is true.  The list
of root nameservers is determined by the lists that are pre-loaded into
other nameservers, not by the 'dig . ns' query on a real root.  You could
have hundreds of root slaves, but only a small number of truly global root
servers without any problems at all.  This would probably be a good thing 
for the global servers.  

under error conditions where transit is leaked, such a server could end
up receiving global-scope query loads. in our current
belt-and-suspenders model, we (f-root) closely monitor our peer routing,
AND we are massively overprovisioned for "expected" loads, since a ddos
or a transit-leak can give us dramatically "unexpected" loads.

This is a feature that is specific to your anycast setup.  Simpler,
non-anycast setups wouldn't have this problem.

if you know someone who is willing to provision a "root" name server without
a similar belt and similar suspenders, then please tell them to stop.

Are all the roots doing anycast?  I've run private roots without any
problems, and have experienced significant improvements for doing so. (see
below)

on a connectivity island (which might be in the ocean or it might just be
a campus or dwelling), the way to ensure that local service is not disrupted
by connectivity breaks is to make your on-island recursive name servers
stealth slaves of your locally-interesting zones.  in new zealand for
example it was the custom for many years to use a forwarding hierarchy
where the nodes near the "top" were stealth slaves of .NZ, .CO.NZ, etc.
that way if they lost a pacific cable system they could still reach the
parts of the internet which were on the new zealand side of the break.

This assumes that you are mixing authoritative and caching nameservers. 
Something that many people (including you) advise against.

Operating a root nameserver is much easier.  Obviously, in the case of an 
island or small country that has only one connection, or perhaps one 
network center, a DDOS that affects the local root is going to affect all 
connectivity. Their only option may be to drop connectivity.  Actual war 
could have the same impact, due to broken communications line. A local 
root in each country is probably a good idea.

I've also found that when setting up non-connected laboratory networks, it
is better to have a 'lab root' server, that acts like a root, since
machines in the lab can't access real root servers.  This greatly enhances
performance in the case where a wrong, or just non-lab domainname is typed
in, since you can get an nxdomain back right away instead of waiting for a
timeout as the root servers at tried.




<Prev in Thread] Current Thread [Next in Thread>