"VeriSign Moves DNS Server To Boost Security"
In an effort to protect the Internet from future hacking attacks, VeriSign (Nasdaq: VRSN - news) has moved one of the Net's root servers to an undisclosed physical and virtual location.
http://story.news.yahoo.com/news?tmpl=story2&cid=620&ncid=738&e=9&u=/nf/20021108/bs_nf/19918
Funny read.
Signed, Gil
It's kept under Vice-President Cheney's bed. You can't get more undisclosed than that.
- Daniel Golding
On Fri, 8 Nov 2002, Gil Cohen wrote:
In an effort to protect the Internet from future hacking attacks, VeriSign (Nasdaq: VRSN - news) has moved one of the Net's root servers to an undisclosed physical and virtual location.
http://story.news.yahoo.com/news?tmpl=story2&cid=620&ncid=738&e=9&u=/nf/20021108/bs_nf/19918
Funny read.
Signed, Gil
On Fri, 8 Nov 2002, Daniel Golding wrote:
It's kept under Vice-President Cheney's bed. You can't get more undisclosed than that.
The Verisign dilemma, do they bus the politicians to undisclosed location "A" to have their pictures taken with a root server; or to undisclosed location "J" for their photo-op?
From the archives, "J" was only supposed to be at NSI for a temporary period before moving to a different location (and organization), much like "L" and "M" moved to LINX and WIDE after a brief period at ISI and NSI. The real question isn't why "J" has moved a few miles to a different Verisign building, but where in the world should "J" move?
From my limited understanding of the data, Hong Kong appears to be the most technically sound location for a new root server. Asia-Pacific rim is heavily dependent on "M" now. Yes, a lot of A-P traffic is exchanged on the west coast of the US. But HK is probably the second most central telecom location for the region. South America, Africa, Russia, India have lots of people, but aren't very central network-wise. Root servers need to be able to serve the world, not just a local region or country.
The real question isn't why "J" has moved a few miles to a different Verisign building, but where in the world should "J" move?
i have been pushing beijing for a few years. except it would be nice to have built some operational understanding and trust with those folk first, perhaps by asking them to secondary arpa for a while.
randy
Would that be in front of, or behind Big Red (firewall)?
Seriously...would their policies affect the integrity of the root zone server files?
At 15:43 -0800 11/8/02, Randy Bush wrote:
The real question isn't why "J" has moved a few miles to a different Verisign building, but where in the world should "J" move?
i have been pushing beijing for a few years. except it would be nice to have built some operational understanding and trust with those folk first, perhaps by asking them to secondary arpa for a while.
randy
--
David Diaz
dave@smoton.net [Email]
pagedave@smoton.net [Pager]
Smotons (Smart Photons) trump dumb photons
On Fri, 8 Nov 2002, David Diaz wrote:
:
:Would that be in front of, or behind Big Red (firewall)?
:
:Seriously...would their policies affect the integrity of the root
:zone server files?
Rhetorical question? :)
Obviously, such a move would be unrealistic if subjective filtering could affect the viability of J. I'm sure the powers that be in that region would understand that.
I'm partial to Randy's thoughts regarding trust; though, Hong Kong would seem, for many (albeit political) reasons to be a better/simpler choice. IMHO, of course.
:
:At 15:43 -0800 11/8/02, Randy Bush wrote:
:>> The real question isn't why "J" has moved a few miles to a different
:>> Verisign building, but where in the world should "J" move?
:>
:>i have been pushing beijing for a few years. except it would be
:>nice to have built some operational understanding and trust with
:>those folk first, perhaps by asking them to secondary arpa for a
:>while.
:>
:>randy
The real question isn't why "J" has moved a few miles to a different Verisign building, but where in the world should "J" move?
i have been pushing beijing for a few years. except it would be nice to have built some operational understanding and trust with those folk first, perhaps by asking them to secondary arpa for a while.
China! I agree. Beijing or Hong Kong is a toss-up.
The real question isn't why "J" has moved a few miles to a different Verisign building, but where in the world should "J" move?
i have been pushing beijing for a few years. except it would be nice to have built some operational understanding and trust with those folk first, perhaps by asking them to secondary arpa for a while.
China! I agree. Beijing or Hong Kong is a toss-up.
placement is the easy issue. as mr bush has been taught, the hard part is selecting an appropriate, compatible operational organization. RIPE and WIDE both filled that role.
--bill
From the archives, "J" was only supposed to be at NSI for a temporary period before moving to a different location (and organization), much like "L" and "M" moved to LINX and WIDE after a brief period at ISI and NSI.
The real question isn't why "J" has moved a few miles to a different Verisign building, but where in the world should "J" move?
From my limited understanding of the data, Hong Kong appears to be the most technically sound location for a new root server. Asia-Pacific rim is heavily dependent on "M" now. Yes, a lot of A-P traffic is exchanged on the west coast of the US. But HK is probably the second most central telecom location for the region. South America, Africa, Russia, India have lots of people, but aren't very central network-wise. Root servers need to be able to serve the world, not just a local region or country.
patience grasshopper. :) pushing "J" to a distinctly different broadcast domain is the first step to pushing that instance elsewhere. pre-ICANN, things moved fairly quickly as compared to post-ICANN.
--bill
Perhaps we shouldn't be saying "post-ICANN" as we're in "ICANN age" now, if they were to be gone, it would then be "post-ICANN" and things might even move faster (or not at all :) ...
But seriously are there any volunteers there to run root name servers in Europe and Asia or are people now expecting to get paid to do it through ICANN contract.
We do need root name server for every continent and perhaps something like "official mirror" should be considered where somebody would run nameserver with complete mirror of all zones that root name server would have but it would not be considered "official root" name server (but ISPs in its region would know about and use it). Are other regions ever considered something like this to ease load on current root servers or perhaps as a first step to having root server there?
patience grasshopper. :) pushing "J" to a distinctly different broadcast domain is the first step to pushing that instance elsewhere. pre-ICANN, things moved fairly quickly as compared to post-ICANN.
--bill
On Fri, 08 Nov 2002 18:44:09 PST, william@elan.net said:
server (but ISPs in its region would know about and use it). Are other regions ever considered something like this to ease load on current root servers or perhaps as a first step to having root server there?
Given the numbers presented on http://www.nanog.org/mtg-0210/wessels.html, I suspect that the actual location won't matter. As both Wessels and Vixie have demonstrated, if we wanted to cut the load 30% real fast, we'd implement 1918 filtering. If we wanted to cut the load 98%, we'd fix all the OTHER stupidity.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
But seriously are there any volunteers there to run root name servers in Europe and Asia or are people now expecting to get paid to do it through ICANN contract.
last time i was officially detailed to care about such things the volunteer list was over 100. (circa 1998). can't say who would want to get paid for it.
We do need root name server for every continent and perhaps something like "official mirror" should be considered where somebody would run nameserver with complete mirror of all zones that root name server would have but it would not be considered "official root" name server (but ISPs in its region would know about and use it). Are other regions ever considered something like this to ease load on current root servers or perhaps as a first step to having root server there?
why on every continent? this way lies madness. look to topology. and your mirroring proposal (see otha-sans internet-draft) has some serious flaws wrt data integrity that really need to be addressed first. that code is slowly coming.
patience grasshopper. :) pushing "J" to a distinctly different broadcast domain is the first step to pushing that instance elsewhere. pre-ICANN, things moved fairly quickly as compared to post-ICANN.
--bill
Hi Everyone,
We have a customer who needs to be able to identify unused tails throughout their large Cisco-based network. What are the group's thoughts regarding a bullet-proof set of characteristics that could be used to 'discover' unused tails? (using SNMP queries and/or telnet/ssh access to the devices)
I guess clocking would be a good start......
regards, Matthew.
It won't be long till most of us on NANOG will know where geographically it's located. The network community is not that big, and thanks to the various trade related conferences fairly closely knit, that if you really wanted to know, someone at verisign will tell you which building it's in. Secrecy of where it's located isn't really going to stop the ddos attacks, most packeters know how to do a traceroute, and slam the routers a few hops in front of host. And it's kind of hard to run into a data center with a bucket full of water anyways, even if you knew which data center and rack it was located in.
Sameer
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Gil Cohen
Sent: Friday, November 08, 2002 2:09 PM
To: NANOG
Subject: "VeriSign Moves DNS Server To Boost Security"
In an effort to protect the Internet from future hacking attacks, VeriSign (Nasdaq: VRSN - news) has moved one of the Net's root servers to an undisclosed physical and virtual location.
http://story.news.yahoo.com/news?tmpl=story2&cid=620&ncid=738&e=9&u=/nf/20021108/bs_nf/19918
Funny read.
Signed, Gil
Thus spake "Gil Cohen" <gcohen@saturnbandwidth.net>
In an effort to protect the Internet from future hacking attacks, VeriSign (Nasdaq: VRSN - news) has moved one of the Net's root servers to an undisclosed physical and virtual location.
Maybe I'm missing something... J's "virtual location" aka IP address is now available from every DNS server in the world, not to mention the public announcement that VeriSign made to various lists. How is this undisclosed?
S
Stephen Sprunk wrote:
Thus spake "Gil Cohen" <gcohen@saturnbandwidth.net>
In an effort to protect the Internet from future hacking attacks, VeriSign (Nasdaq: VRSN - news) has moved one of the Net's root servers to an undisclosed physical and virtual location.
Maybe I'm missing something... J's "virtual location" aka IP address is now available from every DNS server in the world, not to mention the public announcement that VeriSign made to various lists. How is this undisclosed?
And how does it help anybody if a root server's address is made secret? Wouldn't an off-line backup be just as useful and cheaper to implement?
-- David
On Mon, 11 Nov 2002 09:39:25 CST, Stephen Sprunk <ssprunk@cisco.com> said:
Maybe I'm missing something... J's "virtual location" aka IP address is now available from every DNS server in the world, not to mention the public announcement that VeriSign made to various lists. How is this undisclosed?
You know that, and think it's silly. I know that, and think it's silly. But it keeps the CEOs from getting distracted from their "management by buzzword" path. Something Is Being Done, and It's All OK Now.
participants (14)
- Barry Raveendran Greene
- bmanning@vacation.karoshi.com
- Brian Wallingford
- Daniel Golding
- David Charlap
- David Diaz
- Gil Cohen
- Matt Duggan
- Randy Bush
- Sameer R. Manek
- Sean Donelan
- Stephen Sprunk
- Valdis.Kletnieks@vt.edu
- william@elan.net