Re: who are the root server operators?
On Mon, 04 Nov 2002 12:32:06 EST, Joe Baptista said:
> If the roots are once again under attack - how will the root server operators be contacted by a frustrated isp who can't resolve.

The chances of a frustrated isp being unable to resolve things during a DDoS attack and the root operators not already knowing about it are a lot lower than the chances that the root operators will be deluged with mail from frustrated ISPs who can't figure out why queries originating in RFC1918 space don't get answered.

And remember - Paul Vixie has shown that 10% of the inbound traffic at c.root-server.net is bogus rfc1918 sourced. Making the addresses public will serve as a DDoS vector against the root operators....

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
> If the roots are once again under attack - how will the root server operators be contacted by a frustrated isp who can't resolve.

as valdis points out, 12 operators getting e-mail from 12,000 frustrated isp's is probably not the best way to do this kind of notification. as to who the root server operators are, http://root-servers.org/ has a list.

valdis writes:

> And remember - Paul Vixie has shown that 10% of the inbound traffic at c.root-server.net is bogus rfc1918 sourced. Making the addresses public will serve as a DDoS vector against the root operators....

moreover, duane wessels came to eugene last week to tell us that only 2.1% of the queries hitting F-root were valid. there's got to be a way to make that better.

here's a question. is your authoritative name server set up properly? by that i mean:

(1) is recursion disabled, and is it listed only in NS RR's, never in resolv.conf or dhcpd.conf files?

(2) is fetch-glue disabled (or if not, does your firewall permit F-root to answer your sysqueries?)

--
Paul Vixie
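An added example, not part of the original thread or any poster's code: a small Python audit of the two-point checklist in the message above, run over constructed configuration text. The addresses and file contents are made up, the parsing is deliberately simple, and treating an unset `recursion` or `fetch-glue` as enabled is an assumption about BIND 8 defaults.

```python
import re

def _strip_comments(text):
    """Drop /* */, // and # comments so commented-out options are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _option(named_conf, name):
    """Value of a `name value;` statement in named.conf, or None if unset."""
    m = re.search(r"(?<![\w-])%s\s+(\w+)\s*;" % re.escape(name),
                  _strip_comments(named_conf))
    return m.group(1).lower() if m else None

def audit(named_conf, auth_ips, resolv_conf="", dhcpd_conf=""):
    """Return a list of findings against the two-point checklist."""
    findings = []
    # (1) recursion: unset is treated as enabled (assumed BIND 8 default).
    if _option(named_conf, "recursion") != "no":
        findings.append("recursion is not disabled")
    # (1) the authoritative server must not be handed out as a resolver.
    stub = set(re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M))
    dhcp = set()
    for servers in re.findall(r"option\s+domain-name-servers\s+([^;]+);",
                              _strip_comments(dhcpd_conf)):
        dhcp.update(s.strip() for s in servers.split(","))
    for ip in auth_ips:
        if ip in stub:
            findings.append("%s is listed in resolv.conf" % ip)
        if ip in dhcp:
            findings.append("%s is listed in dhcpd.conf" % ip)
    # (2) fetch-glue: if left on, the firewall question still has to be answered.
    if _option(named_conf, "fetch-glue") != "no":
        findings.append("fetch-glue is not disabled; check that the firewall "
                        "lets root server answers back in")
    return findings

# Constructed sample inputs (documentation addresses, not real servers).
WEAK_NAMED = 'options { directory "/var/named"; /* recursion no; */ };'
GOOD_NAMED = 'options { directory "/var/named"; recursion no; fetch-glue no; };'
RESOLV = "search example.net\nnameserver 192.0.2.53\n# nameserver 192.0.2.1\n"
DHCPD = "option domain-name-servers 192.0.2.53, 192.0.2.10;  # handed to clients\n"

if __name__ == "__main__":
    for line in audit(WEAK_NAMED, ["192.0.2.53"], RESOLV, DHCPD):
        print("FINDING:", line)
```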
On 4 Nov 2002, Paul Vixie wrote:
> > And remember - Paul Vixie has shown that 10% of the inbound traffic at c.root-server.net is bogus rfc1918 sourced. Making the addresses public will serve as a DDoS vector against the root operators....

> moreover, duane wessels came to eugene last week to tell us that only 2.1% of the queries hitting F-root were valid. there's got to be a way to make that better.

"For example, one bad release of popular domain software drove averages to over five times the normal load for extended periods. At present, we estimate that over 50% of all root server traffic could be eliminated by improvements in various resolver implementations to use less aggressive retransmission and better caching."

Mockapetris P., Dunlap K.; Development of the Domain Name System, Proceedings of SIGCOMM '88, Computer Communication Review Vol 18, No 4, August 1988.
participants (3)
- Paul Vixie
- Sean Donelan
- Valdis.Kletnieks@vt.edu