Date: Thu, 31 Aug 2006 08:50:29 -0400 From: Joe Abley <jabley@ca.afilias.info> Subject: Re: Spain was offline
[ SNIP ]
You seem to be suggesting that ISPs run stealth slaves for these kinds of zones. This may have been a useful pointer for ISPs in days gone by, but I think today it's impractical advice.
How so? Anyone can get a zone and turn up [a-m] on-net and outperform (response and uptime) many of the existing instances of root servers. I'm quite confident it would work as designed. Where's Dean Anderson when you need him?
-M<
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations hannigan@renesys.com
On 1-Sep-2006, at 02:11, Martin Hannigan wrote:
You seem to be suggesting that ISPs run stealth slaves for these kinds of zones. This may have been a useful pointer for ISPs in days gone by, but I think today it's impractical advice.
How so? Anyone can get a zone and turn up [a-m] on-net and outperform (response and uptime) many of the existing instances of root servers.
The root servers are easy; the zone is tiny and the update frequency is minuscule. We were talking about TLD servers.
Joe
At 12:37 PM 9/1/2006, Joe Abley wrote:
On 1-Sep-2006, at 02:11, Martin Hannigan wrote:
You seem to be suggesting that ISPs run stealth slaves for these kinds of zones. This may have been a useful pointer for ISPs in days gone by, but I think today it's impractical advice.
How so? Anyone can get a zone and turn up [a-m] on-net and outperform (response and uptime) many of the existing instances of root servers.
The root servers are easy; the zone is tiny and the update frequency is minuscule.
We were talking about TLD servers.
I can't get a TLD zone? But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that? C'mon Joe, straight answer on that one. :)
-M<
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations hannigan@renesys.com
On 1-Sep-2006, at 13:47, Martin Hannigan wrote:
I can't get a TLD zone?
*You* can do anything, Marty! You are the man! :-)
But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that?
I'm not involved with policy at ISC or RIPE, but I would expect that if someone hijacked their netblocks they would have something to say about it.
C'mon Joe, straight answer on that one. :)
That's as straight as it gets :-)
Joe
At 02:36 PM 9/1/2006, Joe Abley wrote:
On 1-Sep-2006, at 13:47, Martin Hannigan wrote:
I can't get a TLD zone?
*You* can do anything, Marty! You are the man! :-)
Well, let's rephrase that. Anyone can't get a TLD zone? And no, you are the man. :)
But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that?
I'm not involved with policy at ISC or RIPE, but I would expect that if someone hijacked their netblocks they would have something to say about it.
C'mon Joe, straight answer on that one. :)
That's as straight as it gets :-)
Thanks! Much appreciated. What could F or I do if an operator were advertising those blocks internally? Consider them no different than blackholes. It's the same concept. The point is that there's little reason to believe that this couldn't be done by any operator or other entity (OpenDNS?) technically, legally and legitimately. [ Note: F and I are just the simple examples. ]
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations hannigan@renesys.com
On 1-Sep-2006, at 15:07, Martin Hannigan wrote:
Well, let's rephrase that. Anyone can't get a TLD zone?
While there are many smaller TLD zones that don't get updated very often and which have wide-open AXFR to all and sundry, I'm betting that the majority of zones that people on this list care about either update sufficiently rapidly that zone synchronisation is non-trivial, or have zone transfer restrictions in place, or both.
What could F or I do if an operator were advertising those blocks internally? Consider them no different than blackholes. It's the same concept.
If you want an answer worth reading, then ask ISC or RIPE. I'm sure this is something that has occurred to them to think about. I could pontificate about the freedom of individual operators to do whatever they please versus the wider issue of coherence and consistency in the DNS, but it'd just be so much Friday-afternoon noise.
Joe
At 03:50 PM 9/1/2006, Joe Abley wrote:
On 1-Sep-2006, at 15:07, Martin Hannigan wrote:
Well, let's rephrase that. Anyone can't get a TLD zone?
While there are many smaller TLD zones that don't get updated very often and which have wide-open AXFR to all and sundry, I'm betting that the majority of zones that people on this list care about either update sufficiently rapidly that zone synchronisation is non-trivial, or have zone transfer restrictions in place, or both.
Good information. Thanks.
What could F or I do if an operator were advertising those blocks internally? Consider them no different than blackholes. It's the same concept.
If you want an answer worth reading, then ask ISC or RIPE. I'm sure this is something that has occurred to them to think about.
I could pontificate about the freedom of individual operators to do whatever they please versus the wider issue of coherence and consistency in the DNS, but it'd just be so much Friday-afternoon noise.
Now I'm disappointed because I know you have some likely excellent thoughts on this topic regardless of who you are working for, or have worked for, but I completely understand. Thanks, I enjoyed it. :) /me back to lurk
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations hannigan@renesys.com
Joe Abley wrote:
Well, let's rephrase that. Anyone can't get a TLD zone?
While there are many smaller TLD zones that don't get updated very often and which have wide-open AXFR to all and sundry, I'm betting that the majority of zones that people on this list care about either update sufficiently rapidly that zone synchronisation is non-trivial, or have zone transfer restrictions in place, or both.
It has been some years since I had to worry about these issues wearing a Nominet hat, but I would say that for the majority of well-managed TLD operators, data mining is a very serious concern. There have been various incidents in the past where squatters, scammers or spammers have made strenuous efforts to reverse-engineer registry data for their own ends. Sometimes even significant technical prevention is not enough, and legal remedy is also required. Restricting AXFRs is only the most entry-level counter-measure against such abuses. My understanding is that best TLD registry practice is to only allow AXFRs to boxes which are either under control of or contract to the registry, or at the very least to 3rd parties with whom a restricted redistribution agreement is in place.
Keith
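As an added illustration of the zone transfer restriction Joe mentions and the contracted-secondaries policy Keith describes, here is a BIND named.conf fragment written for this page (not taken from any registry, from the thread, or from BIND's own documentation); the zone name, the addresses and the key secret are constructed placeholders. It shows a wide-open transfer policy beside one that only answers AXFR from listed secondaries that also present a TSIG key:

```conf
// Weak policy (constructed example): any host on the Internet can
// pull the entire zone, which is the data-mining exposure Keith describes.
zone "example" {
    type primary;            // "master" on BIND releases older than 9.16
    file "example.zone";
    allow-transfer { any; };
};

// Hardened policy: transfers only from contracted secondaries,
// and only when the request is signed with the shared TSIG key.
key "secondary-xfer-key" {
    algorithm hmac-sha256;
    // Placeholder; generate a real secret with tsig-keygen and
    // distribute it only to the contracted operators.
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

acl "contracted-secondaries" {
    192.0.2.10;              // constructed, RFC 5737 documentation address
    2001:db8::53;            // constructed, RFC 3849 documentation address
};

zone "example" {
    type primary;
    file "example.zone";
    // The nested negated ACL is BIND's idiom for "address AND key":
    // deny anything outside the ACL first, then require the key.
    allow-transfer {
        !{ !"contracted-secondaries"; any; };
        key "secondary-xfer-key";
    };
    // Push NOTIFY only to the contracted hosts, not to every NS in the zone,
    // so they learn of updates promptly without exposing the list elsewhere.
    notify explicit;
    also-notify { 192.0.2.10; 2001:db8::53; };
};
```

Both zone stanzas carry the same name only to place the two policies side by side; a real named.conf declares the zone once.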
On 01.09 13:47, Martin Hannigan wrote:
I can't get a TLD zone? But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that?
C'mon Joe, straight answer on that one. :)
Straight answer: No.
Exercises:
Who is responsible if this set-up fails?
Who is responsible if it lies?
Who is likely to get blamed for any failures?
Would this require explicit consent from all customers subject to such treatment?
Would this require a possibility for each customer to opt out of such a scheme?
And - ah yes - what particular problem does such a set-up solve?
Daniel
helps operating K
helped create nsd
measures dns
I can't get a TLD zone? But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that?
Who is responsible if this set-up fails?
Who is responsible if it lies?
Who is likely to get blamed for any failures?
Would this require explicit consent from all customers subject to such treatment?
Would this require a possibility for each customer to opt out of such a scheme?
Aren't all of these questions private issues between the private network operator and their customers? The same thing applies to companies who use IP addresses inside their private networks that are officially registered to someone else. This is a fairly common practice and yet it rarely causes problems on the public Internet. Since Internet network operators are generally not regulated in how they operate their IP networks, it seems to me that the people who say that it is not proper to announce root netblocks in a private network are really calling for network regulation by an external authority.
And - ah yes - what particular problem does such a set-up solve?
It seemed to me to be a theoretical question not intended to solve a particular problem. However, theoretically, a network that sources a lot of DDoS traffic to root servers could do this to attract the traffic to their local copy of the root server in order to analyze it. Theoretically, this is something that would be enabled by the hypothetical situation described above. --Michael Dillon
On Mon, Sep 04, 2006 at 12:07:02PM +0100, Michael.Dillon@btradianz.com wrote:
I can't get a TLD zone? But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that?
Who is responsible if this set-up fails?
Who is responsible if it lies?
Who is likely to get blamed for any failures?
Would this require explicit consent from all customers subject to such treatment?
Would this require a possibility for each customer to opt out of such a scheme?
Aren't all of these questions private issues between the private network operator and their customers? The same thing applies to companies who use IP addresses inside their private networks that are officially registered to someone else. This is a fairly common practice and yet it rarely causes problems on the public Internet.
I agree (and hence disagree with Daniel) - all networks are privately operated, and it is up to their admins to do whatever they wish providing a) their actions are limited to their borders (don't announce the netblocks to other ASNs) b) their customers get what they pay for - if you start meddling with things like redirecting DNS not-founds to your page - your customers should understand that before they buy. This constitutes operating a private company and a private consumer agreement.. so what's the issue? This may not be technical utopia but we live in a commercial world..
Steve
On Mon, 04 Sep 2006 12:05:01 +0200, Daniel Karrenberg said:
Would this require explicit consent from all customers subject to such treatment?
Would this require a possibility for each customer to opt out of such a scheme?
Anybody from Earthlink want to answer that one? :)
At 06:05 AM 9/4/2006, Daniel Karrenberg wrote:
On 01.09 13:47, Martin Hannigan wrote:
I can't get a TLD zone? But back to the root servers. Are you agreeing with me that if I announce F and I root's netblocks inside of my own network that everyone would be ok with that?
C'mon Joe, straight answer on that one. :)
Straight answer: No.
Exercises:
Who is responsible if this set-up fails?
Who is responsible if it lies?
Who is likely to get blamed for any failures?
The burden is already on the provider. The providers answer the call when these things break or perform badly.
Would this require explicit consent from all customers subject to such treatment?
I don't think so. There's no guarantee that an internal route facing a customer is "RIPE K ROOT". Peers may feel differently, but I wouldn't advocate exporting (unless they did and perhaps would pay me for better access to the application). That's different.
[ snip ]
-M<
(thanks for operating K, it is one of the better ones from my measurements but that's part of the problem now isn't it? Consistency in some areas.)
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations hannigan@renesys.com
participants (7): Daniel Karrenberg, Joe Abley, Keith Mitchell, Martin Hannigan, Michael.Dillon@btradianz.com, steve@telecomplete.co.uk, Valdis.Kletnieks@vt.edu