ietf

Re: national security

2003-12-05 15:29:03
On 5-dec-03, at 17:16, Dean Anderson wrote:

Indeed, this is what they do when they agree to put the "national" root
nameservers in their own nameserver root configs.  It is far easier to
have per-country stealth root slaves than it is to make every nameserver
the stealth slave of every other domain in that country.

I don't think this stealth business is a very good idea. If you want a root server somewhere, use anycast. That means importing BGP problems into the DNS, which is iffy enough as it is. But for a small network island just having a single set of resolvers and making sure those have all the needed information isn't a huge deal. Obviously such a place doesn't have a huge number of ISPs so the number of DNS servers will be quite limited in the first place.

Yet a stealth root is comparably easy:
You just tell your nameserver operators to configure in the IP addresses
for your national root servers, instead of the "official" root servers.

So I have to trust these fake roots 100%: not only that they don't change the root zone, but also that they're always up to date and never down. Tall order. An official anycast setup is much better: updates are done the way they should be (last year when I wrote an article I checked this: there is no policy anywhere on access to the root zonefile. You can download it through FTP or even do a zone transfer in a few places, but nothing official) and when your local root clone is down there should be at least 12 others elsewhere.

Indeed, it is probably sensible for ISPs to do the same. This would keep things working internally in the event of an effective isolation due to a
DOS attack, for example.

I think what we need to really solve this is a redesign of the DNS, as the way it is now it breaks a fundamental design principle of the internet: when two nodes have reachability, they should be able to communicate, regardless of what else is (un)reachable. (I'm not volunteering, though.)

I've been in a situation where root servers were unavailable for the better part of a day, and it's pretty frustrating to see your resolver cache disappear over time so you can no longer reach places to which you still have connectivity.



