In message <5F40C962-FF7E-4197-BBA5-5E891104B17C@puck.nether.net>, Jared Mauch writes:
On Feb 15, 2012, at 5:36 PM, George Bakos wrote:
As I hadn't seen it discussed here, I'll have to assume that many NANOGers haven't seen the latest rant from Anonymous:

"To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, the Internet will go Black.

In order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet. Those servers are as follow:"

http://pastebin.com/XZ3EGsbc

13 servers. Sshhhhh! Don't anybody mention anycast - it's a secret.
As is TCP, which requires a 3-way handshake, oh and the 41 day TTL on the . zone
2 day TTL on the served data pointing to the com zone, so any well-behaved server should only touch the root once every ~172800 seconds.
This means the activity would have to be sustained and unmitigated for many hours (days) to have a significant impact.
- Jared
Or just slave the root zone. 1 million root servers is more robust than the hundred or so we have today and given the root is signed you can verify the answers returned.

One can have your own, official, F root server instance if you want. A number of ISPs already have one. I think a number of the other root server operators do something similar.

One can hijack one of the official addresses and replace the A and AAAA records with a local address. This one does cause issues for anyone wanting to look up the hijacked address.

One can use static-stub in named and similar mechanisms in other nameservers to send root zone traffic to a local instance.

One can use multiple views, match-recursive and forwarder zones in forward first mode to validate answers from the other view using TSIG to reach the other view. You can also use this to get AD set on answers from your local zones.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
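
The slaved root zone combined with the static-stub option from the message above, written out as a BIND 9 configuration. This is an added example, not part of the original message or ISC's own configuration; it follows the two-view layout described in RFC 7706. The loopback address 127.12.12.12, the directory and file names, and the list of transfer sources are assumptions to check against what the root server operators currently publish.

```conf
// Added example: local copy of the root zone for a BIND 9 recursive resolver.
// Assumption: 127.12.12.12 is configured on the loopback interface and
// named listens on it (the default listen-on covers all local addresses).

options {
    directory "/var/named";        // assumed working directory
    dnssec-validation auto;        // validate answers against the built-in root trust anchor
};

// View 1: holds the transferred root zone, reachable only via the
// dedicated loopback address.
view "root" {
    match-destinations { 127.12.12.12; };
    recursion no;
    zone "." {
        type slave;
        file "rootzone.db";        // assumed file name
        notify no;
        masters {                  // assumed AXFR sources, verify before use
            192.33.4.12;           // c.root-servers.net
            192.5.5.241;           // f.root-servers.net
            193.0.14.129;          // k.root-servers.net
            192.0.32.132;          // xfr.lax.dns.icann.org
            192.0.47.132;          // xfr.cjr.dns.icann.org
        };
    };
};

// View 2: the resolver that clients talk to. Its root-zone queries go to
// view 1 instead of the public root servers, and the answers are still
// DNSSEC-validated because the root zone is signed.
view "recursive" {
    match-clients { any; };
    recursion yes;
    allow-recursion { localnets; localhost; };
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

If the zone transfer fails long enough for the slaved copy to expire, the "root" view stops answering, so the expiry of the local copy is worth monitoring.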