To: dnsop@cafax.se
From: Harald Tveit Alvestrand <Harald@Alvestrand.no>
Date: Sun, 11 Jul 1999 02:00:09 +0200
Sender: owner-dnsop@cafax.se
Subject: Results of inconsistencies in reused-address servers

We're digging into a rathole wrt server placement, methinks. I think the administration of these servers sharing an address may be more important than their placement.

Consider one possible failure mode. (I'm using extreme examples because they stick more easily in the mind...)

- Iran and Iraq each have a root name server, sharing an address, and maintained by a local agency. They go to war. Out of spite, Iran deletes .iq from its copy of the nameserver; Iraq deletes .ir from its copy in retaliation. BGP routing may carry either copy to Azerbaijan; which one is seen may vary as links come up and down. Confusion will result.

Other variants of reasons for inconsistency are criminal malice by operators, breaks in system security (hacking), and (the most probable reason) operator stupidity.

The only possible remedies (that I can see) that the rest of the world can take to minimize the damage from such a problem are either to firewall off the relevant part using routing reconfiguration (a complex process) or to delete the address from the list of root name servers; this will delete the WHOLE cluster, not just the ones involved in the problem.

My conclusion: At any point in the network, all copies of a shared-address nameserver that CAN be made visible by the routing system MUST be bound together administratively in such a fashion that the risk of inconsistency is minimal, and the responsibility for maintaining consistency is well defined. One such binding is having them all managed by one organization; other forms of binding are possible. (ICANN is, as far as I can understand, attempting to create a similar form of binding between the root server operators; as far as I can tell, the current binding has the form of a "gentlemen's agreement".....)

Note that the previous discussion, outside of the examples, has not used the terms "country" or "ISP"; I believe the problem is independent of where the country borders or ISP boundaries are on the network topology map.

Harald A

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no