Photo Op: You too can have your picture taken with a.root-servers.net
I don't know whether to laugh or cry. It's just a computer.
http://www.washtech.com/news/netarch/13672-1.html
If you destroyed the copy of the US Constitution in the National Archives in Washington DC, would that mean the end of the US Government? If someone broke into NARA and scribbled a new amendment on the tail of the parchment, would the US Government be bound to follow whatever he wrote on the Constitution? No, of course not.
The Root Zone files aren't unique historical documents, and there is nothing special about the copy on a.root-servers.net. If a tornado blew through Verisign's offices tomorrow, would it mean the end of the Internet? No. If someone corrupted Verisign's files, would that mean we have to follow the bogus records? No, we'd clean them up. Or more likely, the other operators would roll back their zone files to the previous known good copy.
Would it disrupt our operations? Yes. Would it be irrecoverable? No. The root files are important business records, and I expect the custodian to take reasonable precautions appropriate for their value. Do I expect to see machine-gun nests outside Verisign's office? No. a.root-servers.net is just a piece of hardware. If it was destroyed, we've got more.
http://www.sms800.com/
http://www.dtc.org/
However, do not forget that only Verisign operates the .com, .net, and .org name servers. While it seems that the government meeting yesterday was focused on physical security, which, as pointed out below, is somewhat a moot point given the physical diversity of the multiple gtld-servers.net boxes, we can't forget about the network security of these machines.
IIRC, Verisign operates every gtld-servers.net server, and as such, I'm presuming that they feature very similar software builds. As such, a security exploit found on one of them could potentially be present on all of them. If such an exploit were to be found and used, the results could be catastrophic for anyone with servers (or trying to access servers) in the .com, .net and .org namespaces.
Does Verisign use the same hardware and OS on all of these servers, or are the vendors distributed?
-Chris
On Wed, Nov 14, 2001 at 01:03:14AM -0500, Sean Donelan wrote:
> I don't know whether to laugh or cry. It's just a computer.
> http://www.washtech.com/news/netarch/13672-1.html
> If you destroyed the copy of the US Constitution in the National Archives in Washington DC, would that mean the end of the US Government? If someone broke into NARA and scribbled a new amendment on the tail of the parchment, would the US Government be bound to follow whatever he wrote on the Constitution? No, of course not.
> The Root Zone files aren't unique historical documents, and there is nothing special about the copy on a.root-servers.net. If a tornado blew through Verisign's offices tomorrow, would it mean the end of the Internet? No. If someone corrupted Verisign's files, would that mean we have to follow the bogus records? No, we'd clean them up. Or more likely, the other operators would roll back their zone files to the previous known good copy.
> Would it disrupt our operations? Yes. Would it be irrecoverable? No. The root files are important business records, and I expect the custodian to take reasonable precautions appropriate for their value. Do I expect to see machine-gun nests outside Verisign's office? No. a.root-servers.net is just a piece of hardware. If it was destroyed, we've got more.
--
---------------------------
Christopher A. Woodfield rekoil@semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
Interestingly, this revolving photo op with the A root name server has been going on for several years. To those who are not very technical, there is something uniquely reassuring about the idea that the internet has a "center" or a "brain". It is difficult to say why, but I speculate that the idea that the internet is easier to cripple or destroy helps government officials sleep at night, because it maintains the illusion of control. Distributed systems are much harder to control, and are disconcerting to those whose task is control of systems rather than their perpetuation.
- Daniel Golding
There is something singularly unnerving about the following statement:
"What cheers us about this kind of visit is the fact that the kind of security measures we have in place are getting better and better known," VeriSign Director of Public Policy Michael Aisenberg told Newsbytes.
Not "the kind of security measures we have in place increasingly assure our customers of integrity..." but advertising your security measures for their own sake can only have negative security ramifications.
Deepak Jain
AiNET
On Wed, 14 Nov 2001, Deepak Jain wrote:
> Not "the kind of security measures we have in place increasingly assure our customers of integrity..." but advertising your security measures for their own sake can only have negative security ramifications.
Yes and no. Las Vegas casinos regularly show off their security to visitors. There have been several Discovery Channel shows giving details how casino security works. Like most things, security is a multi-disciplinary activity. And deterrence does play a small role.
The problem is when your PR people start engaging in puffery and the deterrence becomes a challenge. Discussing security is good, because we can all learn something. But I wouldn't issue a challenge, directly or indirectly. We take reasonable precautions, have contingency plans for things which we didn't cover.
Heck. I can take you to places in LA where you can get your picture taken with pretty much anyone. The quartet of Marilyn, Fidel, yourself & a grunion is a very popular pose. I 'spect there is a place here where you could get your foto with all the rootservers, stacked nicely in a single rack. (do you really think they'd let you near the actual hardware?)
--bill
It's my understanding that the pictures with Root Server A were always the actual box.
Deepak Jain
AiNET
Hopefully, I am just being naive.
On Wed, 14 Nov 2001, Daniel Golding wrote:
> Interestingly, this revolving photo op with the A root name server has been going on for several years. To those who are not very technical, there is something uniquely reassuring about the idea that the internet has a "center" or a "brain". It is difficult to say why, but I speculate that the idea that the internet is easier to cripple or destroy helps government officials sleep at night, because it maintains the illusion of control. Distributed systems are much harder to control, and are disconcerting to those whose task is control of systems rather than their perpetuation.
I'm more annoyed at the politicos than Verisign.
The Department of Commerce issued a press release announcing their trip. There are more root name servers around Washington DC than anywhere else in the world. With all the choices, if they are concerned about security why do they always go to the same place?
Touring Verisign to learn about the security of the Internet is about as useful as visiting the NASDAQ marketsite near Times Square in New York City to examine the stability of the US market system. It has pretty visuals, flashing screens, and a fake button.
If the politicos wanted to see how well the Internet is really protected, they would visit the non-show places. Security usually depends on your weakest link, not your fanciest show place.
The "roots" are a huge distraction. Most of the problems with DNS are outside the root name servers.
I have to admit ICANN was an eye-opening experience for me. The parts of DNS I care about are in relatively good shape (compared to other utilities). But there are other parts which are scary. I don't know if Darwin will prune that part of the tree in time.
(warning: former netsol employee):
Politicos like flashing lights and such. When we gave VIP a-root tours at NetSol, it was so they could reach out and 'touch' the server and become one in spirit with the box. From a marketing (or lobbying!) perspective, this was a very big draw for us, and for politicos it was like going to the Vatican to experience the "laying on of hands" only in cyberspace.
In some rare cases, there were some politicos that actually GOT IT and understood what the reality of things were.....but most gave things their token nod of approval as if to thank us for a catered meal and chance to get outside the Beltway away from the office for a while. There were some Senators that visited us so many times I was ready to issue them employee badges and get them a desk outside the data center - fortunately these two were the more 'informed' of the group and asked a lot of "right questions."
But in the grand scheme of things - VRSN or anywhere else in any industry - seeing guards in starched shirts and being told that biometric controls prevent unauthorized access are only part of the total security picture, yet that image gives the uneducated the warm fuzzy feeling that all is secure. The equivalent is assigning the National Guard to patrol the airports, when in reality, they do little if any real good to improve the security posture there....it's just public relations.
The earlier post by someone that said the DNS security issues are outside of the DC area is probably a fair statement, too. While VRSN has their own fair share of issues elsewhere, as far as the Registry side of their business goes, they have their act pretty squared away, and have been on top of things since becoming a standalone business unit. I always felt the Registry team really cared about security issues - both managers and techies - and things actually got done that led to generally-effective security and operational success. They didn't just pay it lip service.
(Of course, if and how ICANN's new "anti-terror" agenda will factor in is anyone's guess.)
As to why politicos go there every time, it's probably a "ceremonial" thing more than anything else - the so-called "center of the internet" isn't at AOL, MCI, or anyplace else, and besides, VRSN purports to be a security company, so why not spin that angle up in today's post-0911 society?
rick (former netsol employee)
participants (7)
- bmanning@vacation.karoshi.com
- Christopher A. Woodfield
- Daniel Golding
- Deepak Jain
- Patrick Greenwell
- Richard Forno
- Sean Donelan