ietf

Re: national security

2003-12-06 16:23:43
On 6-dec-03, at 23:04, Dean Anderson wrote:

>> I don't think this stealth business is a very good idea. If you want
>> root servers somewhere, use anycast.

> That means importing BGP problems into the DNS, which is iffy enough as
> it is.

That seems to argue against anycast...

If there were 65 actual root servers, I would very much prefer the situation where I could contact each and any one of those, rather than a subset of 13 that are chosen by a protocol that was NOT designed for this. (Selecting the "best" path is pretty much an afterthought in BGP: the RFC doesn't even bother giving suggestions on how to do this.) But the DNS protocol has problems supporting 65 (or 45 or even 25) individual root server addresses; it's either no more than around 13 individual servers or a larger number of anycasted ones.

I don't have a problem with some controlled anycasting, but the root operators shouldn't go overboard. For instance, the .org zone is only served by two addresses, which are then anycast. There have been reports from people who were unable to reach either of these addresses when there was some kind of reachability problem. The people managing the .org zone are clearly lacking in responsibility by limiting the number of addresses from which the zone is available without any good reason.

The situation that must be avoided is where all or most root servers seem to be in the same location from a certain viewpoint, as a BGP black hole towards that location will then make them all unreachable. I would prefer it if several root servers weren't anycast at all, just to be on the safe side.

(And some IPv6 roots wouldn't be bad either.)

>> But for a small network island, just having a single set of resolvers and
>> making sure those have all the needed information isn't a huge deal.
>> Obviously such a place doesn't have a huge number of ISPs, so the number
>> of DNS servers will be quite limited in the first place.

> It's the same "deal" as distributing the "official" root nameserver
> updates.  Some people don't pay attention to this until they can't get
> nameservice to work.  It's a problem, but it isn't made better or worse.

The difference is that official root servers are updated through the official channels, which I have no reason to distrust. Having a stealth root server means you can't listen to the real root servers anymore (because then you'd have a 13/14th chance of learning the list of official root servers and forgetting about the stealth one when a resolver starts) which is a big fat single point of failure.

>> So I have to trust these fake roots 100%:

> They aren't exactly fake. They are just not listed by the "dig . ns"
> query, so they aren't technically authoritative. Though, I suppose they
> could be--I'm just assuming they aren't.

Ok, let's not debate the word "fake".

> As far as trust goes, since they
> are run by your government, yes, you can trust them.

Their intentions, maybe. Their DNS operating prowess, I don't think so.

> Since these zones
> don't change much, they can be updated by zone transfers,

You missed the point in one of my previous messages: there is no officially supported way to do zone transfers for the root. This can stop working at any time.

> or by other official distribution.

Which I don't think there is either.

>> I think what we need to really solve this is a redesign of the DNS, as
>> the way it is now it breaks a fundamental design principle of the
>> internet: when two nodes have reachability, they should be able to
>> communicate, regardless of what else is (un)reachable. (I'm not
>> volunteering, though.)

> I agree completely, but I don't think anything needs to change other than
> management of existing services.

How is that agreeing with my point that we need a redesign (if we want to solve this)???
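The "13/14th chance" argument above (a resolver that primes from its hints file adopts whatever root NS set the answering server returns, so a stealth root that the official zone does not list survives only if the stealth server itself answered the priming query) and the single point of failure that follows from priming only from the stealth root can both be made concrete with a small model. The following is an added illustration written for this thread, not code from the original message or from any root operator; the server labels a..m and x, the uniform choice of priming target and the "answer replaces hints" behaviour are simplifying assumptions, not a description of any particular resolver.

```python
"""Toy model of resolver root priming with an unlisted ("stealth") root.

Constructed for this thread; not code from the original message. Labels,
server behaviour and the priming procedure are assumptions that simplify
what real resolvers do.
"""
from fractions import Fraction
from typing import FrozenSet, Iterable, Optional

# Constructed sample data: the 13 official roots are labelled a..m and the
# unlisted stealth root is labelled x. No real server is modelled.
OFFICIAL_ROOTS: FrozenSet[str] = frozenset("abcdefghijklm")
STEALTH_ROOT: str = "x"
HINTS_WITH_STEALTH: FrozenSet[str] = OFFICIAL_ROOTS | {STEALTH_ROOT}


def root_ns_answer(server: str) -> FrozenSet[str]:
    """Root NS RRset a server returns for '. NS' (what 'dig . ns' shows).

    Official roots serve the official zone, which does not list x, so only
    x itself answers with a set that still contains x.
    """
    if server in OFFICIAL_ROOTS:
        return OFFICIAL_ROOTS
    if server == STEALTH_ROOT:
        return HINTS_WITH_STEALTH
    raise ValueError(f"unknown server {server!r}")


def prime(hints: FrozenSet[str], chosen: str,
          down: FrozenSet[str] = frozenset()) -> Optional[FrozenSet[str]]:
    """One priming attempt: ask `chosen` for '. NS' and adopt the answer.

    Returns None if the chosen server is unreachable. Assumption: the
    answer replaces the hints outright, which is the behaviour the thread
    worries about; a real resolver may keep its hints as a fallback.
    """
    if chosen not in hints:
        raise ValueError(f"{chosen!r} is not in the hints file")
    if chosen in down:
        return None
    return root_ns_answer(chosen)


def prime_in_order(hints: FrozenSet[str], order: Iterable[str],
                   down: FrozenSet[str] = frozenset()) -> Optional[FrozenSet[str]]:
    """Try hint servers in `order`; the first server that answers wins."""
    for server in order:
        answer = prime(hints, server, down)
        if answer is not None:
            return answer
    return None


def stealth_survival_probability(hints: FrozenSet[str]) -> Fraction:
    """Chance that x is still known after priming from a uniformly random hint."""
    keeps = sum(1 for s in hints if STEALTH_ROOT in prime(hints, s))
    return Fraction(keeps, len(hints))


if __name__ == "__main__":
    # 14 hints with x among them: 13 of the 14 priming targets make the
    # resolver forget x, so x survives with probability 1/14.
    print("P(stealth root survives priming):",
          stealth_survival_probability(HINTS_WITH_STEALTH))
    # Listing only x in the hints keeps x, but if x is unreachable at
    # startup the resolver ends up with no root servers at all.
    print("stealth-only hints, x down:",
          prime_in_order(frozenset({STEALTH_ROOT}), [STEALTH_ROOT],
                         frozenset({STEALTH_ROOT})))
    # The official set degrades gracefully: one root down, priming still works.
    print("official hints, a down:",
          sorted(prime_in_order(OFFICIAL_ROOTS, sorted(OFFICIAL_ROOTS),
                                frozenset({"a"}))))
```

Run it as a script to see the three cases side by side: a mixed hints file loses the stealth root on 13 of 14 priming targets, a stealth-only hints file has nothing left when that one server is down, and the official set keeps working with a server missing.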