False information: CEO of Verisign facts are wrong

http://news.com.com/2008-7347-5092590.html

Quotes Stratton Sclavos:
"The DDOS (distributed denial-of-service) attacks last October on the root
system--hey, there are 13 global copies of that, and they're all
operating. It should scare people that nine of the 13 went down. It's time
for the Internet infrastructure to go commercial. On the core services of
the infrastructure, it's time to pull the root servers away from
volunteers who run them out of a university or lab or some other level.
That's going to be an unpopular decision."

This factoid has been proven false multiple times, in multiple forums over
the last year. It's incredible that a CEO of a company that claims DNS
expertise wouldn't know this was false. One particular "internet
security" company was PINGing the root servers, and some of the root
server operators turned off ping. The root servers themselves were
unaffected (except maybe one operated by the US Military).

Historically, the only wide-spread failures have been due to NSI operators
screwing up the COM or NET zone files. Historically, the other network
operators have needed to pick up the load when NSI fell down.

NSI controls two root servers. Perhaps it's time to split those up among
different organizations. There is no reason why NSI must operate any
root name servers. NSI moved all the COM and NET zones to separate GTLD
servers controlled SOLELY by NSI years ago.

> This factoid has been proven false multiple times, in multiple forums over
> the last year. It's incredible that a CEO of a company that claims DNS
> expertise wouldn't know this was false. One particular "internet
> security" company was PINGing the root servers, and some of the root
> server operators turned off ping. The root servers themselves were
> unaffected (except maybe one operated by the US Military).

It might be a matter of interpretation. According to
http://d.root-servers.org/october21.txt:

   2.1. Some root name servers were unreachable from many parts of the
   global Internet due to congestion from the attack traffic delivered
   upstream/nearby. While all servers continued to answer all queries they
   received (due to successful overprovisioning of host resources), many
   valid queries were unable to reach some root name servers due to attack-
   related congestion effects, and thus went unanswered.

While I'm not trying to act as Sclavos' apologist, I think you have to
be careful about how you respond to this particular claim of his. You
can't dismiss it out-of-hand. Misleading? Yes. Flat out false? You'd
have to be more convincing.

Methinks that one comment is going to make them even more hated than
Microsoft or SCO (who both rank right up there as universally
despised on the Internet).

They are digging themselves a grave that's a few miles deep. Let's hope ICANN
sees this and makes the right decision on how to deal with this growing
problem.

I'm going to play journalist for a while and make some calls. I'll let you
know what kind of 'official' statements I can drag out of these idiots.

Can Sclavos prove that the same thing did not happen to Verisign's
root servers?

bye,
ken emery

Sean,

> Historically, the only wide-spread failures have been due to NSI operators
> screwing up the COM or NET zone files. Historically, the other network
> operators have needed to pick up the load when NSI fell down.
>
> NSI controls two root servers. Perhaps it's time to split those up among
> different organizations. There is no reason why NSI must operate any
> root name servers. NSI moved all the COM and NET zones to separate GTLD
> servers controlled SOLELY by NSI years ago.

Hmmm. Let's see.

Verisign spreads its public relations message aggressively among the
media, and those countering their errors talk on nanog, or equivalent.

In case no one has noticed, Verisign has been quite successful in getting
the media to cast the issues (e.g., "prevention of innovation") in terms
that Verisign is promoting.

Discussion on nanog might feel good, but it does not affect the public
relations campaign that Verisign is conducting.

d/

> http://d.root-servers.org/october21.txt:
>
> 2.1. Some root name servers were unreachable from many parts of the
> global Internet due to congestion from the attack traffic delivered
> upstream/nearby. While all servers continued to answer all queries they
> received (due to successful overprovisioning of host resources), many
> valid queries were unable to reach some root name servers due to attack-
> related congestion effects, and thus went unanswered.
>
> While I'm not trying to act as Sclavos' apologist, I think you have to
> be careful about how you respond to this particular claim of his. You
> can't dismiss it out-of-hand. Misleading? Yes. Flat out false? You'd
> have to be more convincing.

> Can Sclavos prove that the same thing did not happen to Verisign's
> root servers?

no. first, because it's impossible to prove a negative. second and more so,
because rob thomas and other public root server monitors showed congestion
and loss toward a-root and j-root during that attack, depending on where they
were coming from. that was true of all 13 server addresses, and the question
is one of impact and degree, not one of 9 vs 13.

but that's not even relevant. a ddos is as much an attack on its roads as
on its destination. if there's a DS3 bottleneck somewhere between a querier
and a responder, and if that DS3 has to carry more than ~45Mbits/second of
ddos traffic due to the placement of attacking drones, then that querier is
going to experience congestion and loss toward that responder. it makes no
difference how much money is spent on the endpoints, there's no way to
upgrade OPN's (other people's networks). that's why ultradns, and nominum
before that, and several root server operators, are using anycast routing.
(and even with anycast there can still be path congestion/loss, but those
effects will be more isolated than without anycast.)

by casting robustness in terms of investment, sclavos in his interview
blurred three important points. first, that point-source investment cannot
scale as well as multipoint investment -- i'm sure that more money is spent
on f-root than on j-root, it's just that there are now 15 companies worldwide
doing the paying, and we don't have a way to account for it. secondly, there
have been many cases where less total investment in a root name server has
led to higher observed robustness -- so investment isn't a direct issue.
finally, sclavos described their investment in their gtld servers and then
acted as if this investment had been solely for the benefit of their a-root
and j-root servers, which is not the case at all.

all in all a most disappointing exposition.
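The congestion argument in the message above (a bottleneck link between querier and responder drops traffic no matter how much is spent on the endpoints, and anycast confines the damage to the regions where the drones sit) can be put into a small fluid model. This is an added example, not code from the thread or from any root server operator; the topology, the link capacities, the instance placement and the attack volumes are all constructed for illustration. The DS3 rate is the only figure taken from the message itself.

```python
"""Fluid model of DDoS path congestion: unicast responder vs anycast instances.

Added example (not code from the NANOG thread). Topology, link capacities,
instance placement and attack volumes are all constructed for illustration.
Traffic is treated as a fluid: a link offered more than its capacity drops
the excess proportionally, and attack traffic from a region follows the same
path as that region's legitimate queries (the drones sit near the queriers).
"""
from typing import Dict, FrozenSet, List

DS3_MBPS = 45.0  # nominal DS3 rate; the "bottleneck somewhere between" in the text

REGIONS = ("A", "B", "C")

# Constructed topology: link name -> capacity in Mbit/s.
# Each region reaches a shared exchange over its own OC-3. The unicast responder
# site hangs off that exchange behind one DS3, and the host behind the site has
# far more capacity than any link in front of it.
LINKS: Dict[str, float] = {
    "A->exchange": 155.0,
    "B->exchange": 155.0,
    "C->exchange": 155.0,
    "exchange->site": DS3_MBPS,      # the shared upstream bottleneck
    "site->host": 1000.0,            # endpoint "investment"; see __main__ below
    # Anycast instances, when enabled, are each reached over their own DS3.
    "exchange->instance-A": DS3_MBPS,
    "exchange->instance-B": DS3_MBPS,
    "exchange->instance-C": DS3_MBPS,
}

# Constructed attack: Mbit/s of drone traffic originating in each region.
ATTACK: Dict[str, float] = {"A": 60.0, "B": 0.0, "C": 30.0}


def path_for(region: str, instances: FrozenSet[str]) -> List[str]:
    """Links a query from `region` traverses to reach a responder."""
    if region in instances:
        # Anycast: the region's routers prefer the nearby instance, so its
        # traffic (legitimate and attack alike) never touches the shared DS3.
        return [f"{region}->exchange", f"exchange->instance-{region}"]
    return [f"{region}->exchange", "exchange->site", "site->host"]


def link_loads(paths: Dict[str, List[str]], attack: Dict[str, float]) -> Dict[str, float]:
    """Attack traffic offered to each link, summed over the regions using it."""
    loads: Dict[str, float] = {}
    for region, mbps in attack.items():
        for link in paths[region]:
            loads[link] = loads.get(link, 0.0) + mbps
    return loads


def delivery_fraction(path: List[str], loads: Dict[str, float],
                      links: Dict[str, float]) -> float:
    """Fraction of a region's valid queries that survive every link on the path."""
    survive = 1.0
    for link in path:
        offered = loads.get(link, 0.0)
        capacity = links[link]
        if offered > capacity:
            survive *= capacity / offered  # proportional drop on the congested link
    return survive


def loss_by_region(links: Dict[str, float], attack: Dict[str, float],
                   instances: FrozenSet[str] = frozenset()) -> Dict[str, float]:
    """Query loss seen from each region, rounded to three places."""
    paths = {r: path_for(r, instances) for r in REGIONS}
    loads = link_loads(paths, attack)
    return {r: round(1.0 - delivery_fraction(paths[r], loads, links), 3) for r in REGIONS}


if __name__ == "__main__":
    print("unicast:          ", loss_by_region(LINKS, ATTACK))
    # Buying a faster host behind the same DS3 changes nothing upstream.
    richer = {**LINKS, "site->host": 10 * LINKS["site->host"]}
    print("unicast, 10x host:", loss_by_region(richer, ATTACK))
    # Anycast instances in A and C keep their drones off the shared link;
    # A still loses some queries on its own DS3, but B and C are untouched.
    print("anycast in A, C:  ", loss_by_region(LINKS, ATTACK, frozenset({"A", "C"})))
```

With the unicast responder, the 90 Mbit/s of drone traffic from A and C overruns the shared DS3 and every region, including B which hosts no drones at all, loses half its queries; scaling the host behind the site does not move that number. With instances in A and C, only A still sees loss (its own 60 Mbit/s against its own DS3), which is the "more isolated" effect the message describes.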

> I'm going to play journalist for a while and make some calls.

Ok, first part of my mission is a success. I spoke with a Jim Hock from
Bite Communications (Verisign's PR firm), very nice conversation, started
out with Verisign's concerns, then we spoke a little bit on the issues
people have brought up here. He will be comminicating with me over the next
week or so, as well as putting me in touch with some technical people there.
So here is where I need your guys help.

Put together a list of questions, comments, etc that you feel are
appropriate (about the general issues of verisign, its implementation of
sitefinder, its handling of the root servers, and other things of
importance) in an e-mail to me and send it off. I'll compile a list of
questions and pose them to the people I talk to. Don't worry, unless you
ask me to, I won't mention who these questions are from.

I'm not siding with Verisign on this issue - not by far. But one thing that
I discussed with my admins today was the need for better communication
between Verisign and the tech community. Thus, I'm going to put aside my
misgivings about the past with them and try to hopefully open a worthwhile
dialog between everyone who wants to be heard. Verisign has admitted they
made mistakes in their handling of the issue, and it sounds like they want
to try to do things right this time.

ICANN has a job to do, and I'm sure they will do the right thing, but there
is a rift forming between the community and Verisign, and that's not going to
help the situation at all. You all may not like me, or agree with me, but
this is hopefully an opportunity where you can get some of your voices heard
outside of an official process like the SECSAC, and that might result in a
better understanding on both sides.

I will of course keep everyone who wants to know up on how things are going
and what I talk about with them, and you are all welcome to comment to me
about anything. The worst that can happen is that we get nowhere with
talking and everyone is still divided with nothing accomplished. But, here's
to hoping that something good might come out of this.

oops!

vixie@vix.com (me) wrote:

... that's why ultradns, and nominum
before that, and several root server operators, are using anycast routing.

i meant "ultradns, and nominum before they sold their dns ops biz to ultradns"

obviously ultradns was doing it before nominum was doing it.

sorry rodney. sloppy editing.