--On Friday, July 05, 2002 17:50:24 +0100 Simon Waters <Simon@wretched.demon.co.uk> wrote:
> I would guess the "." zone probably isn't that large in absolute terms, so large ISPs (NANOG members?) could arrange for their recursive servers to act as private secondaries of ".", thus eliminating the dependence on the root servers entirely for a large chunk of the Internet user base.
-rw-r--r--   1 9998     213         14102 Jul 14 19:56 root.zone.gz
-rw-r--r--   1 9998     213            75 Jul 14 20:41 root.zone.gz.md5
-rw-r--r--   1 9998     213            72 Jul 14 20:42 root.zone.gz.sig
> I think the kinds of zones being handled by the gtld-servers would be harder to relocate, if only due to size. Although the average NANOG reader probably has rather more bandwidth available than I do, they may not have the right kind of spare capacity on their DNS servers to secondary ".com" at short notice.
Exactly. The .com zone is large. I doubt that the average NANOG reader has a 16GB RAM machine idling just in case some kiddie wants to DoS Verisign.
> All I think root server protection requires is someone with access to the relevant zone to make it available through other channels to large ISPs. There is no technical reason why key DNS infrastructure providers could not implement such a scheme on their own recursive DNS servers now, and it would offer to reduce load on both their own and the root DNS servers and networks.
Network load is hardly the problem, except in very starved cases; a big well-used server will perhaps fill a T-1 or two.
> The single limiting factor on implementing such an approach would be DNS know-how, as whilst it is probably a two-line change for most DNS servers to forward to their ISP's DNS server (or zone transfer "."), many sites probably lack the in-house skills to make that change at short notice.
This is the problem with "clever tricks"; they can be implemented by people who are "in the loop", but most others will not make it work.
> In practical terms I'd be more worried about smaller attacks against specific CC domains. I could imagine some people seeing disruption of "il" as a more potent (and perhaps less globally unpopular) political statement than disrupting the whole Internet. Similarly an attack on a commercial subdomain in a specific country could be used to make a political statement, but might have significant economic consequences for some companies. Attacking 3 or 4 servers is far easier than attacking 13 geographically diverse, well networked, and well protected servers.
> Similarly I think many CC domains and country-based SLDs are far more "hackable" than many people realised due to the extensive use of out-of-bailiwick data, as described by DJB. At some point the script kiddies will realise they can "own" a country or two instead of one website by hacking one DNS server, and the less well secured DNS servers will all go in a week or two.
I definitely agree. ccTLDs are in very varying states of security awareness, and while I believe .il is aware and prepared, other conflict zone domains might not be...

-- 
Måns Nilsson                     Systems Specialist
+46 70 681 7204                  KTHNOC
MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
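The out-of-bailiwick dependency Simon describes can be measured for any set of delegations: list, per zone, which nameserver names lie outside the zone, and which external hosts several zones share. This is an added example, not code from the thread; the delegation data is constructed placeholder data and the names are hypothetical.

```python
"""Audit out-of-bailiwick dependencies in a set of DNS delegations.

A nameserver name is in bailiwick for a delegated zone when it sits at or
below that zone (so the zone can carry its own glue); any other NS name
makes resolution of the zone depend on a third party's DNS server.
"""
from collections import defaultdict

# Constructed sample: a ccTLD-like zone and its second-level delegations
# (owner -> NS names). Placeholder names, not real registry data.
DELEGATIONS = {
    "example.": ["a.ns.example.", "b.ns.example."],
    "co.example.": ["ns1.hosting-provider.test.", "ns2.hosting-provider.test."],
    "gov.example.": ["ns.gov.example.", "dns.other-isp.test."],
    "ac.example.": ["ns1.hosting-provider.test.", "ns.univ.ac.example."],
}


def labels(name):
    """Split a DNS name into lowercase labels, top-level label last."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(zone, nsname):
    """True if nsname is at or below zone."""
    z, n = labels(zone), labels(nsname)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def audit(delegations):
    """Per zone: the out-of-bailiwick NS names, and whether all NS are external."""
    report = {}
    for zone, servers in delegations.items():
        external = sorted(ns for ns in servers if not in_bailiwick(zone, ns))
        report[zone] = {"external": external,
                        "fully_external": len(external) == len(servers)}
    return report


def shared_external_servers(delegations):
    """External NS names that more than one zone depends on: one host, many zones."""
    users = defaultdict(set)
    for zone, servers in delegations.items():
        for ns in servers:
            if not in_bailiwick(zone, ns):
                users[ns].add(zone)
    return {ns: sorted(zones) for ns, zones in users.items() if len(zones) > 1}


if __name__ == "__main__":
    for zone, info in audit(DELEGATIONS).items():
        note = " (no in-zone server at all)" if info["fully_external"] else ""
        print(f"{zone:14} external: {info['external']}{note}")
    for ns, zones in shared_external_servers(DELEGATIONS).items():
        print(f"{ns} is relied on by {len(zones)} zones: {zones}")
```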