To: Ben Stern <bstern@electromagnetic.net>
Cc: Bill Woodcock <woody@pch.net>, Bill Manning <bmanning@ISI.EDU>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sun, 3 Nov 2002 00:04:44 -0600
In-Reply-To: <20021101161958.T9158@electromagnetic.net>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast
At 4:19 PM -0500 2002/11/01, Ben Stern wrote:

> I obviously cannot speak for other major ISPs, and am speaking here as an
> individual, not as a representative of AS2548, but I do not see anything
> obviously stopping various national carriers from anycasting the root, other
> than a) lack of obvious contacts at the roots, and b) lack of perceived
> authority. [0] [1]

I don't trust them to do the job right. Even if they should, by some miracle, manage to get a suitable copy of the current root zone, I wouldn't trust them to be able to properly anycast that to anyone else. I wouldn't trust them to be able to provide that information to their own recursive/caching customers. And once they set that stuff up, there'd be no way to get them to stop.

If you want to go the anycast root route, I think we'd be better off selecting a few underperforming root nameservers, and then find contacts at the IP address registries (RIPE, APNIC, JPNIC, etc...) and see if we can find someone suitable there to provide the proper routing and nameservice. I'd trust them more than I would anyone at most major ISPs.

I know a guy at AOL that I'd trust to do the nameservice side correctly, but I'm not sure I'd trust the networking guys to avoid screwing things up.

Then there's the issue of current DNS UDP truncation at the roots. There's no way this would fit into ~500 bytes:

% dig @a.root-servers.net. . any +vc

; <<>> DiG 8.3 <<>> @a.root-servers.net. . any +vc
; (1 server found)
;; res options: init usevc recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40904
;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = ANY, class = IN

;; ANSWER SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       1D IN SOA       A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
                                        2002110201      ; serial
                                        30M             ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

;; AUTHORITY SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90

;; Total query time: 236 msec
;; FROM: XXXXXXX to SERVER: a.root-servers.net.  198.41.0.4
;; WHEN: Sun Nov  3 00:03:02 2002
;; MSG SIZE  sent: 17  rcvd: 662

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
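The truncation point in the message above can be checked on the wire rather than by eye. The following is an added example, not part of the thread or of any DNS implementation: it rebuilds the root-zone ANY response from the dig output (13 NS RRs plus the SOA in the answer, the same 13 NS in authority, 13 glue A records in additional, TTLs taken from the 6D/1D/5w6d16h shown) using RFC 1035 section 4.1.4 label compression, and compares the result against the 512-byte UDP limit of RFC 1035 that applied before EDNS. The compression choices (a literal zero byte for the root name, pointers to the longest previously seen suffix) are assumptions about what the server does; with them the reconstruction comes out at the 662 bytes dig reported, so a plain UDP reply would have had to carry the TC bit and force a TCP retry, which is what the `+vc` flag does up front.

```python
"""Wire-size check for the root-zone ANY response quoted in the thread (added example)."""
import struct

# Record types and the classic limit from RFC 1035.
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_ANY = 1, 2, 6, 255
CLASS_IN = 1
UDP_MAX_NO_EDNS = 512  # RFC 1035 4.2.1: UDP messages limited to 512 octets (pre-EDNS)
FLAG_TC = 0x0200       # truncation bit in the header flags word

# Constructed from the dig output in the message: the 13 root server letters in the
# order returned, their glue addresses, and the TTLs 6D, 1D and 5w6d16h in seconds.
ROOT_LETTERS = "AHCGFBJKLMIED"
ROOT_ADDRS = {
    "A": "198.41.0.4", "H": "128.63.2.53", "C": "192.33.4.12", "G": "192.112.36.4",
    "F": "192.5.5.241", "B": "128.9.0.107", "J": "198.41.0.10", "K": "193.0.14.129",
    "L": "198.32.64.12", "M": "202.12.27.33", "I": "192.36.148.17",
    "E": "192.203.230.10", "D": "128.8.10.90",
}
TTL_NS, TTL_SOA, TTL_A = 6 * 86400, 86400, 5 * 604800 + 6 * 86400 + 16 * 3600


class Message:
    """Minimal DNS message builder with RFC 1035 4.1.4 name compression (assumed behaviour)."""

    def __init__(self, qid, flags, counts):
        # counts = (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)
        self.buf = bytearray(struct.pack("!HHHHHH", qid, flags, *counts))
        self.suffixes = {}  # tuple of labels -> offset where that suffix first appeared

    def name(self, dotted):
        """Append a name; the longest suffix already in the message becomes a 2-byte pointer."""
        labels = [l for l in dotted.rstrip(".").split(".") if l]
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in self.suffixes:
                self.buf += struct.pack("!H", 0xC000 | self.suffixes[suffix])
                return
            if len(self.buf) < 0x4000:  # pointers can only address the first 16 KiB
                self.suffixes[suffix] = len(self.buf)
            self.buf += bytes([len(label)]) + label.encode("ascii")
        self.buf.append(0)  # root label: one literal byte, shorter than any pointer

    def rr(self, owner, rtype, ttl, write_rdata):
        """Append one RR; write_rdata appends RDATA in place so names inside it compress too."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, ttl)
        len_at = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH placeholder, patched below
        write_rdata()
        struct.pack_into("!H", self.buf, len_at, len(self.buf) - len_at - 2)


def build_root_any_query(qid=40904):
    """The 17-byte query dig sent: header, QNAME '.', QTYPE ANY, QCLASS IN."""
    m = Message(qid, 0x0100, (1, 0, 0, 0))  # RD set, one question
    m.name(".")
    m.buf += struct.pack("!HH", TYPE_ANY, CLASS_IN)
    return bytes(m.buf)


def build_root_any_response(qid=40904):
    """The response in the message: 14 answer, 13 authority, 13 additional RRs."""
    m = Message(qid, 0x8500, (1, 14, 13, 13))  # flags: qr aa rd
    m.name(".")
    m.buf += struct.pack("!HH", TYPE_ANY, CLASS_IN)
    fqdn = lambda letter: f"{letter}.ROOT-SERVERS.NET."

    def soa_rdata():  # MNAME compresses to a pointer; RNAME is new and stays literal
        m.name("A.ROOT-SERVERS.NET.")
        m.name("NSTLD.VERISIGN-GRS.COM.")
        m.buf += struct.pack("!IIIII", 2002110201, 1800, 900, 604800, 86400)

    def a_rdata(letter):
        m.buf += bytes(int(o) for o in ROOT_ADDRS[letter].split("."))

    for letter in ROOT_LETTERS:  # answer: 13 NS
        m.rr(".", TYPE_NS, TTL_NS, lambda l=letter: m.name(fqdn(l)))
    m.rr(".", TYPE_SOA, TTL_SOA, soa_rdata)  # answer: SOA (ANY returns everything)
    for letter in ROOT_LETTERS:  # authority: the same 13 NS, RDATA now pure pointers
        m.rr(".", TYPE_NS, TTL_NS, lambda l=letter: m.name(fqdn(l)))
    for letter in ROOT_LETTERS:  # additional: 13 glue A records
        m.rr(fqdn(letter), TYPE_A, TTL_A, lambda l=letter: a_rdata(l))
    return bytes(m.buf)


def needs_tcp(message, udp_limit=UDP_MAX_NO_EDNS):
    """True when the message cannot be delivered whole in one classic UDP datagram."""
    return len(message) > udp_limit


def tc_set(message):
    """Read the TC bit from a wire-format message; a resolver seeing it must retry over TCP."""
    flags = struct.unpack_from("!H", message, 2)[0]
    return bool(flags & FLAG_TC)


if __name__ == "__main__":
    resp = build_root_any_response()
    print(f"query {len(build_root_any_query())} bytes, response {len(resp)} bytes, "
          f"needs TCP without EDNS: {needs_tcp(resp)}")
```

Run as a script it prints the query and response sizes and whether the response exceeds 512 bytes; `needs_tcp` is also what you would apply to a resolver's own outgoing answers to see which ones will be cut off at clients that lack EDNS, and `tc_set` is the check a resolver or a monitoring probe makes on a received reply before trusting a partial answer.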