On Sun, 7 Dec 2003, Iljitsch van Beijnum wrote:

> On 6-dec-03, at 23:04, Dean Anderson wrote:
>
> > > I don't think this stealth business is a very good idea. If you want a
> > > root server somewhere, use anycast. That means importing BGP problems
> > > into the DNS, which is iffy enough as it is.
> >
> > That seems to argue against anycast...
> >
> > If there were 65 actual root servers, I would very much prefer the
> > situation where I could contact each and any one of those, rather than
> > a subset of 13 that are chosen by a protocol that was NOT designed for
> > this. (Selecting the "best" path is pretty much an afterthought in
> > BGP: the RFC doesn't even bother giving suggestions on how to do this.)
>
> But the DNS protocol has problems supporting 65 (or 45 or even 25)
> individual root server addresses; it's either no more than around 13
> individual servers or a larger number of anycasted ones.

I don't need any more than 13, and I would, were I director of some
country's telecom, much prefer that I had several within my borders. So
that argues for at least 3 * 190, or about 600+ root servers worldwide
(large countries like the US and China having more than 3). Anycasting
probably isn't going to easily scale that large, and requires more
complexity, which makes things much harder at the lower end.

Also, anycasting doesn't work for TCP.

> I don't have a problem with some controlled anycasting, but the root
> operators shouldn't go overboard. For instance, the .org zone is only
> served by two addresses, which are then anycast. There have been
> reports from people who were unable to reach either of these addresses
> when there was some kind of reachability problem. The people managing
> the .org zone are clearly lacking in responsibility by limiting the
> number of addresses from which the zone is available without any good
> reason.

A much larger number of root servers also tends to avoid this problem, and
localize problems. As someone pointed out, it is fast becoming the case
that no one has enough knowledge of what's happening to understand the
problems. Obviously, the solution is to make sure that problems are
localized, and can be partitioned without bringing down the global or
national infrastructure.

> The situation that must be avoided is where all or most root servers
> seem to be in the same location from a certain viewpoint, as a BGP
> black hole towards that location will then make them all unreachable. I
> would prefer it if several root servers weren't anycast at all, just to
> be on the safe side.

I agree. It is easy to create a blackhole, or even a DDOS on an anycast
address. It is much harder to DDOS 600 IP addresses spread through some
200 countries.

> > It's the same "deal" as distributing the "official" root nameserver
> > updates. Some people don't pay attention to this until they can't get
> > nameservice to work. It's a problem, but it isn't made better or worse.

> The difference is that official root servers are updated through the
> official channels, which I have no reason to distrust. Having a stealth
> root server means you can't listen to the real root servers anymore
> (because then you'd have a 13/14th chance of learning the list of
> official root servers and forgetting about the stealth one when a
> resolver starts) which is a big fat single point of failure.

Err, no. The "root servers", from the point of view of a person in a given
country, is the list given by the country's telecom authority. Just like
the SS7 point codes for that country. There is no reason to distrust the
FCC. For the United States, they are the "official authority".

The official contents of the root zone are controlled by an international
commission. This would be distributed to the root server operators by
some agreed channel: FTP, Certified Letter, Diplomatic pouch, or carrier
pigeon ;-) The root zone is not very big. It probably could be
distributed by carrier pigeon. Exaggeration and humor aside, distribution
is not a big problem.

> > > So I have to trust these fake roots 100%:
> >
> > They aren't exactly fake. They are just not listed by the "dig . ns"
> > query, so they aren't technically authoritative. Though, I suppose they
> > could be--I'm just assuming they aren't.
>
> Ok, let's not debate the word "fake".
>
> > As far as trust goes, since they
> > are run by your government, yes, you can trust them.
>
> Their intentions, maybe. Their DNS operating prowess, I don't think so.

Oh please. Root server operation is not that difficult. The government is
responsible to find someone to run it competently. But if their operators
are incompetent, they only affect that country. They would not be able to
affect other countries by their incompetence.

Other countries do not trust the US (to run things competently, fairly,
whatever). The solution (if possible) is to distribute the responsibility
to each country, so that mal intent or simple incompetence by another
country can't affect their infrastructure, and so that they can de-peer
with that country if they please. And years later, if they reconnect,
then things should just work. (Cuba is a good example--phone service to
the US was disconnected, and later reconnected). My proposal meets these
objectives. Anycasting does not.

> You missed the point in one of my previous messages: there is no
> officially supported way to do zone transfers for the root. This can
> stop working at any time.

Well, there is obviously some (perhaps private) agreement among the
current operators on how to update the contents of the root. This is but
a formality, since the root isn't large, and it changes infrequently.

> > > I think what we need to really solve this is a redesign of the DNS, as
> > > the way it is now it breaks a fundamental design principle of the
> > > internet: when two nodes have reachability, they should be able to
> > > communicate, regardless of what else is (un)reachable. (I'm not
> > > volunteering, though.)
> >
> > I agree completely, but I don't think anything needs to change other
> > than management of existing services.
>
> How is that agreeing with my point that we need a redesign (if we want
> to solve this)???

I agree that a fundamental design principle is that when two nodes have
reachability, they should be able to communicate, regardless of what else
is (un)reachable. We do not need to redesign DNS to achieve this. All we
need to do is change the management of its operation.
--Dean
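The "no more than around 13" ceiling argued over in this exchange comes from the classic DNS transport limit: without EDNS0, a UDP reply is capped at 512 bytes (RFC 1035), and a resolver's priming query for the root NS set has to fit every NS record plus its A glue into that one reply, or the resolver falls back to TCP. The following Python is an added illustration and is not code from the thread or from any root operator: it encodes a priming response with RFC 1035 name compression and reports how many servers fit. The one-letter-host naming pattern is the real root-servers.net scheme, but the glue addresses (192.0.2.0/24, the documentation range), the `ns.rootN.example` pattern used for comparison and the TTL are constructed values chosen for the example.

```python
import string
import struct

UDP_LIMIT = 512            # RFC 1035 maximum UDP payload without EDNS0
TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1


class DNSMessageBuilder:
    """Minimal DNS wire-format encoder with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray(12)     # header; counts are patched in finish()
        self.suffix_offsets = {}     # tuple of labels -> offset of first occurrence
        self.counts = [0, 0, 0, 0]   # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

    def write_name(self, name):
        # Emit labels until a suffix that already appears in the message is
        # reached, then emit a 2-byte pointer (0xC000 | offset) to it instead.
        labels = [label for label in name.rstrip('.').split('.') if label]
        while labels:
            key = tuple(labels)
            if key in self.suffix_offsets:
                self.buf += struct.pack('!H', 0xC000 | self.suffix_offsets[key])
                return
            if len(self.buf) < 0x4000:          # pointers carry a 14-bit offset
                self.suffix_offsets[key] = len(self.buf)
            self.buf.append(len(labels[0]))
            self.buf += labels[0].encode('ascii')
            labels = labels[1:]
        self.buf.append(0)                      # zero-length root label ends the name

    def add_question(self, name, qtype):
        self.write_name(name)
        self.buf += struct.pack('!HH', qtype, CLASS_IN)
        self.counts[0] += 1

    def add_rr(self, section, owner, rtype, ttl, rdata_name=None, rdata=b''):
        # section: 1 = answer, 2 = authority, 3 = additional
        self.write_name(owner)
        self.buf += struct.pack('!HHIH', rtype, CLASS_IN, ttl, 0)
        rdlength_at = len(self.buf) - 2
        start = len(self.buf)
        if rdata_name is not None:
            self.write_name(rdata_name)         # NS targets are compressed too
        else:
            self.buf += rdata
        struct.pack_into('!H', self.buf, rdlength_at, len(self.buf) - start)
        self.counts[section] += 1

    def finish(self, msg_id=0x1234, flags=0x8400):
        # flags 0x8400: QR=1 (response), AA=1 (authoritative)
        struct.pack_into('!HH4H', self.buf, 0, msg_id, flags, *self.counts)
        return bytes(self.buf)


def priming_response(server_names, addresses, ttl=518400):
    """Reply to a 'NS .' priming query: the NS set plus one A glue record each."""
    m = DNSMessageBuilder()
    m.add_question('.', TYPE_NS)
    for name in server_names:
        m.add_rr(1, '.', TYPE_NS, ttl, rdata_name=name)
    for name, addr in zip(server_names, addresses):
        glue = bytes(int(octet) for octet in addr.split('.'))
        m.add_rr(3, name, TYPE_A, ttl, rdata=glue)
    return m.finish()


def constructed_addresses(n):
    # Constructed glue from 192.0.2.0/24, the documentation range; not real addresses.
    return [f'192.0.2.{i + 1}' for i in range(n)]


def max_servers_within_limit(name_for, limit=UDP_LIMIT):
    """Largest server count whose priming response still fits in `limit` bytes."""
    n = 0
    while True:
        names = [name_for(i) for i in range(n + 1)]
        if len(priming_response(names, constructed_addresses(n + 1))) > limit:
            return n
        n += 1


def short_name(i):
    # One-letter host under a shared domain: 4 bytes per NS target after the first.
    return f'{string.ascii_lowercase[i]}.root-servers.net'


def long_name(i):
    # Constructed pattern with a distinct second-level label per server; compresses poorly.
    return f'ns.root{i}.example'


if __name__ == '__main__':
    thirteen = [short_name(i) for i in range(13)]
    print('13 root-servers.net names:', len(priming_response(thirteen, constructed_addresses(13))), 'bytes')
    print('max servers under 512 bytes, short names:', max_servers_within_limit(short_name))
    print('max servers under 512 bytes, long names: ', max_servers_within_limit(long_name))
```

With thirteen one-letter names the response is 436 bytes; a sixteenth server pushes it past 512, and with the longer constructed names the ceiling drops to twelve. That is the arithmetic behind the "around 13" figure: the count is a function of name length and the 512-byte reply, not of the DNS query protocol itself. EDNS0 or a TCP retry lifts the limit for resolvers that support them, but a priming response that only some resolvers can parse is its own reachability failure, which is why the thread treats 13 unicast addresses as the practical maximum.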