

To: Ben Stern <bstern@electromagnetic.net>
Cc: Bill Woodcock <woody@pch.net>, Bill Manning <bmanning@ISI.EDU>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sun, 3 Nov 2002 00:04:44 -0600
In-Reply-To: <20021101161958.T9158@electromagnetic.net>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

At 4:19 PM -0500 2002/11/01, Ben Stern wrote:

>  I obviously cannot speak for other major ISPs, and am speaking here as an
>  individual, not as a representative of AS2548, but I do not see anything
>  obviously stopping various national carriers from anycasting the root, other
>  than a) lack of obvious contacts at the roots, and b) lack of perceived
>  authority. [0] [1]

	I don't trust them to do the job right.  Even if they should, by 
some miracle, manage to get a suitable copy of the current root zone, 
I wouldn't trust them to be able to properly anycast that to anyone 
else.  I wouldn't trust them to be able to provide that information 
to their own recursive/caching customers.  And once they set that 
stuff up, there'd be no way to get them to stop.

	If you want to go the anycast root route, I think we'd be better 
off selecting a few underperforming root nameservers, and then find 
contacts at the IP address registries (RIPE, APNIC, JPNIC, etc...) 
and see if we can find someone suitable there to provide the proper 
routing and nameservice.  I'd trust them more than I would anyone at 
most major ISPs.  I know a guy at AOL that I'd trust to do the 
nameservice side correctly, but I'm not sure I'd trust the networking 
guys to avoid screwing things up.


	Then there's the issue of current DNS UDP truncation at the 
roots.  There's no way this would fit into ~500 bytes:

% dig @a.root-servers.net. . any +vc

; <<>> DiG 8.3 <<>> @a.root-servers.net. . any +vc
; (1 server found)
;; res options: init usevc recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40904
;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = ANY, class = IN

;; ANSWER SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       1D IN SOA       A.ROOT-SERVERS.NET. 
NSTLD.VERISIGN-GRS.COM. (
                                         2002110201      ; serial
                                         30M             ; refresh
                                         15M             ; retry
                                         1W              ; expiry
                                         1D )            ; minimum


;; AUTHORITY SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90

;; Total query time: 236 msec
;; FROM: XXXXXXX to SERVER: a.root-servers.net.  198.41.0.4
;; WHEN: Sun Nov  3 00:03:02 2002
;; MSG SIZE  sent: 17  rcvd: 662

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
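The truncation problem Brad points to can be checked arithmetically. The following script is an added example, not part of the original post: it rebuilds the ANY answer shown in the dig output above (the 13 NS records, the SOA, and the 13 A glue records, all copied from the page) in DNS wire format with RFC 1035 name compression, and compares the result against the 512-byte UDP payload limit that applied before EDNS0. The message layout (header flags, section order, TTL values) is taken from the dig output; the builder class and function names are this example's own.

```python
import struct

# Record data copied from the dig output in the post above (names, glue
# addresses, SOA fields). The builder and the size check are added here
# as an illustration and are not part of the original message.
ROOT_NS_GLUE = [
    ("A.ROOT-SERVERS.NET.", "198.41.0.4"),
    ("H.ROOT-SERVERS.NET.", "128.63.2.53"),
    ("C.ROOT-SERVERS.NET.", "192.33.4.12"),
    ("G.ROOT-SERVERS.NET.", "192.112.36.4"),
    ("F.ROOT-SERVERS.NET.", "192.5.5.241"),
    ("B.ROOT-SERVERS.NET.", "128.9.0.107"),
    ("J.ROOT-SERVERS.NET.", "198.41.0.10"),
    ("K.ROOT-SERVERS.NET.", "193.0.14.129"),
    ("L.ROOT-SERVERS.NET.", "198.32.64.12"),
    ("M.ROOT-SERVERS.NET.", "202.12.27.33"),
    ("I.ROOT-SERVERS.NET.", "192.36.148.17"),
    ("E.ROOT-SERVERS.NET.", "192.203.230.10"),
    ("D.ROOT-SERVERS.NET.", "128.8.10.90"),
]
SOA_MNAME, SOA_RNAME = "A.ROOT-SERVERS.NET.", "NSTLD.VERISIGN-GRS.COM."
SOA_TIMERS = (2002110201, 1800, 900, 604800, 86400)  # serial, 30M, 15M, 1W, 1D

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_ANY = 1, 2, 6, 255
CLASS_IN = 1
UDP_PAYLOAD_LIMIT = 512  # RFC 1035 limit for a plain UDP response (no EDNS0)


class DnsMessageBuilder:
    """Appends wire-format DNS records, with RFC 1035 4.1.4 name compression."""

    def __init__(self, compress=True):
        self.buf = bytearray()
        self.compress = compress
        self.suffix_offsets = {}  # lowercased name suffix -> offset of first copy

    def name(self, dotted):
        labels = [lab for lab in dotted.split(".") if lab]
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:]).lower()
            if self.compress and suffix in self.suffix_offsets:
                # Emit a 2-byte pointer to the earlier copy; a pointer ends the name.
                self.buf += struct.pack("!H", 0xC000 | self.suffix_offsets[suffix])
                return
            if self.compress and len(self.buf) < 0x4000:  # pointers are 14-bit
                self.suffix_offsets[suffix] = len(self.buf)
            raw = label.encode("ascii")
            self.buf += bytes([len(raw)]) + raw
        self.buf.append(0)  # terminating root label

    def rr(self, owner, rtype, ttl, write_rdata):
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, ttl)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH placeholder, patched below
        write_rdata(self)
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - rdlen_at - 2)


def build_root_any_response(compress=True):
    """Reconstruct the response to 'dig @a.root-servers.net. . any'."""
    b = DnsMessageBuilder(compress)
    # Header: id 40904, flags qr|aa|rd, QD=1, AN=14 (13 NS + SOA), NS=13, AR=13
    b.buf += struct.pack("!HHHHHH", 40904, 0x8500, 1, 14, 13, 13)
    b.name(".")
    b.buf += struct.pack("!HH", TYPE_ANY, CLASS_IN)
    for host, _ in ROOT_NS_GLUE:  # ANSWER: the NS set (TTL 6D)
        b.rr(".", TYPE_NS, 6 * 86400, lambda w, h=host: w.name(h))

    def soa_rdata(w):
        w.name(SOA_MNAME)
        w.name(SOA_RNAME)
        w.buf += struct.pack("!IIIII", *SOA_TIMERS)

    b.rr(".", TYPE_SOA, 86400, soa_rdata)  # ANSWER: SOA (TTL 1D)
    for host, _ in ROOT_NS_GLUE:  # AUTHORITY: NS set repeated
        b.rr(".", TYPE_NS, 6 * 86400, lambda w, h=host: w.name(h))
    for host, ip in ROOT_NS_GLUE:  # ADDITIONAL: A glue (TTL 5w6d16h)
        b.rr(host, TYPE_A, 3600000,
             lambda w, a=ip: w.buf.extend(bytes(int(o) for o in a.split("."))))
    return bytes(b.buf)


def fits_in_plain_udp(message):
    """True if the message can be sent over UDP without setting the TC bit."""
    return len(message) <= UDP_PAYLOAD_LIMIT


if __name__ == "__main__":
    msg = build_root_any_response()
    print("compressed size:  ", len(msg), "bytes")
    print("uncompressed size:", len(build_root_any_response(compress=False)), "bytes")
    print("fits in 512-byte UDP payload:", fits_in_plain_udp(msg))
```

The compressed message comes out at the same 662 bytes that dig reported, so even with compression the full root NS set plus SOA plus glue overshoots the 512-byte limit by 150 bytes; without compression the same records would take 1340 bytes. A resolver that does not signal a larger buffer via EDNS0 therefore gets a truncated UDP reply and must retry over TCP, which is exactly the behaviour the `+vc` flag in the post forces up front.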
