To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sun, 3 Nov 2002 11:54:54 -0600
In-Reply-To: <200211031338.WAA15689@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast
At 10:38 PM +0859 2002/11/03, Masataka Ohta wrote:

>> I don't trust them to do the job right.
>
> That's why every ISP should run anycast root servers by itself
> not relying on ones run by adjacent ISPs.

No. Not at all. That is why *NONE* of them should be doing anycast root. None of them are likely to get it right, and the more of them doing it, the more risk there is that it will get screwed up. Since they would be advertising this accessibility to anyone who accepts their route announcements, they could take down large chunks of the 'net.

Under no circumstances whatsoever should Joe Random ISP be running anycast root. The only people who should be running anycast root are the people we know and trust to do the job right, and where we can be reasonably sure that the organization will continue to have the necessary skills & talents to do the job if/when that person (or group of people) may move on. Moreover, these people should be the ones that we actively solicit to perform this task.

> You are saying that, even if you securely retrieve some address
> from DNS, you do not trust the networking guys connect you to
> a host of the address.

Yup. Moreover, while I would trust this one guy to do the DNS side correctly, I don't know that I'd trust anyone else there to do the same. So, if/when he left, there might not be a good person to replace him in this task.

> Then, there is no point of secure DNS.

Absolutely not. I don't know where you get this concept of twisting someone's words and then twisting their conclusions to support your own half-baked ideas, but you are, yet once again, absolutely and completely wrong.

The point of using a cryptographically secure DNS is that the packets could pass through any number of untrusted paths, and the data would remain protected. At least, we'd be likely to survive any unintentional damage caused.

If there were an active attack, they might be able to compromise your idea of what the keys should be, and do a man-in-the-middle attack on all signed data (modifying the data, substituting their keys, and then re-signing on the fly), but that would take a fair amount of work. I imagine the Chinese government could do it, but I don't imagine that there are too many other groups out there that could.

>> Then there's the issue of current DNS UDP truncation at the
>> roots. There's no way this would fit into ~500 bytes:
>
> Sounds like you never took a look at "anycast".

Anycast requires that the data fit into a single UDP packet, which cannot be more than 512 bytes long. TCP does not anycast. Therefore, given that the DNS requires that we re-query with TCP any truncated DNS response, we need to eliminate the source of the truncation before we can reasonably expect to anycast the UDP.

> With UDP without truncation, we can run millions of root servers.

Sure. But we do have truncation, so we can't do this. We have to eliminate the truncation first.

Moreover, we wouldn't want to run millions of root servers anyway. There aren't a million (or a hundred thousand, or ten thousand, or a thousand) people on the 'net that I would trust to run an anycast root, and there aren't even that many people I'd trust to run the network for an anycast root.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
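The truncation mechanism the message relies on (a response that does not fit in a 512-byte UDP packet gets the TC bit set, and the resolver must re-send the query over TCP) is illustrated by the following added example. It is not code from the list thread or from any root-server operator; it builds a minimal, uncompressed DNS response from constructed TXT records (the name `example.test.` and the record contents are made up), drops answers that would push the message past 512 bytes, sets TC, and shows the client-side check that decides whether a TCP retry is required. It assumes classic RFC 1035 behaviour with no EDNS0, which is the situation the message describes.

```python
import struct

# Classic DNS-over-UDP payload limit (RFC 1035) that the thread calls "~500 bytes".
# Assumption: no EDNS0, so an answer that does not fit must be marked truncated
# (TC) and the resolver re-queries over TCP, which is what conflicts with anycast.
UDP_PAYLOAD_LIMIT = 512
HEADER_LEN = 12

FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated: answer section is incomplete

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed wire-format labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def encode_txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <length><characters> strings, each at most 255 bytes."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def build_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_udp_response(txid: int, qname: str, qtype: int, rrs: list) -> bytes:
    """Assemble a response, keeping only the answers that fit in 512 bytes.

    If any answer had to be left out, TC is set so the client knows the
    answer section is incomplete and must be fetched again over TCP.
    """
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    body = bytearray(question)
    flags = FLAG_QR | FLAG_AA
    ancount = 0
    for rr in rrs:
        if HEADER_LEN + len(body) + len(rr) > UDP_PAYLOAD_LIMIT:
            flags |= FLAG_TC
            break
        body += rr
        ancount += 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + bytes(body)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields and the flags of interest."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def must_retry_over_tcp(msg: bytes) -> bool:
    """Client-side rule: a UDP response with TC set is incomplete, so the
    resolver re-sends the same query over TCP (which cannot be anycast)."""
    return parse_header(msg)["tc"]


def demo_rrset(count: int, name: str = "example.test.") -> list:
    """Constructed sample data: TXT records padded to 100 characters each,
    standing in for any large RRset (for example one that also carries signatures)."""
    return [build_rr(name, TYPE_TXT, 3600, encode_txt_rdata(f"record-{i:02d}".ljust(100, "x")))
            for i in range(count)]


if __name__ == "__main__":
    small = build_udp_response(0x1234, "example.test.", TYPE_TXT, demo_rrset(2))
    big = build_udp_response(0x1234, "example.test.", TYPE_TXT, demo_rrset(10))
    print(len(small), "bytes, TC =", parse_header(small)["tc"])
    print(len(big), "bytes, TC =", parse_header(big)["tc"],
          "answers kept:", parse_header(big)["ancount"],
          "retry over TCP:", must_retry_over_tcp(big))
```

With two 125-byte records the whole message is 280 bytes and TC stays clear; with ten, only three fit (405 bytes), TC is set, and `must_retry_over_tcp` tells the resolver to fall back to TCP, the step that a purely UDP anycast deployment cannot serve consistently. Real servers use name compression and EDNS0 to raise the limit, which this example deliberately leaves out to keep the 512-byte boundary visible.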