Counter: leave everything as it is. If they are willing to provide the hardware, bandwidth, and administrative costs to run root servers, they can block whoever they want. Just like if you run a web server you can block anyone from accessing it that you want. If you don't like it, start up your own root zone, there isn't anything stopping you. Not that it matters much in the big scheme of things; most modern resolvers will give preference to root servers they can actually reach. I for one am pretty happy with where E, G, and H are. Cogent and VeriSign's networks can hardly handle power cycles, let alone nuclear wars. --- Michael Damm, MIS Department, Irwin Research & Development V: 509.457.5080 x298 F: 509.577.0301 E: miked@irwinresearch.com -----Original Message----- From: Mark Borchers [mailto:mborchers@igillc.com] Sent: Friday, May 30, 2003 12:09 PM To: nanog@merit.edu Cc: stephen@sprunk.org; listuser@numbnuts.net; Mike Tancsa Subject: RE: .mil domain Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residining in front of any MIL filters or blackhole routers relative to the rest of the Internet.
On Fri, 30 May 2003, Mike Tancsa wrote:
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
For the same reason anyone else accepts their routes --
because they want to
be able to reach them. If they don't want to reach _you_, that's their choice.
As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest.... I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them).
The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had "hacked" their server. Since that time I reject .mil mail.
Justin
On Fri, May 30, 2003 at 01:28:01PM -0700, Mike Damm wrote:
Counter: leave everything as it is. If they are willing to provide the hardware, bandwidth, and administrative costs to run root servers, they can block whoever they want. Just like if you run a web server you can block anyone from accessing it that you want. If you don't like it, start up your own root zone, there isn't anything stopping you.
Not that it matters much in the big scheme of things; most modern resolvers will give preference to root servers they can actually reach.
I for one am pretty happy with where E, G, and H are. Cogent and VeriSign's networks can hardly handle power cycles, let alone nuclear wars.
You're either smoking the finest quality crack I've ever seen, or using the common sense of a flea on dope. RFC2870, Root Name Server Operational Requirements, quite clearly states: 2.6 Root servers MUST answer queries from any internet host, i.e. may not block root name resolution from any valid IP address, except in the case of queries causing operational problems, in which case the blocking SHOULD last only as long as the problem, and be as specific as reasonably possible. I highly doubt that the maintainers of the two .mil hosted servers are actually blocking queries from them. In fact, this is very much like saying Mr Vixie and the ISC cannot block people accessing the remainder of their network, just because they host a root name server. Yes, I think I go with the smoking crack option.
participants (2)
-
Avleen Vig -
Mike Damm