RE: Statements against new.net?

From: Miles Fidelman [mailto:mfidelman@civicnet.org]
Sent: Friday, March 16, 2001 5:38 AM

> > > At some point cooperation has to yield to due process - at least that's
> > the history of society to date. Unless there's a major change to the
> > Internet infrastructure, we need DNS to function reliably, and that
> > requires that the root nameservers behave the way they're supposed to.
>
> I don't see any problem with anything you have said. I think the
> difficulty comes when I tell you that the root servers I choose to use are
> operating fine, and you attempt to tell me that I have to use yours.

For the Internet to work, at least with currently accepted DNS standards,
everyone has to use the same root servers. Otherwise things can rapidly
degenerate into chaos. The whole point of law and due process is that
a duly authorized somebody has to have the authority to insist that
everyone use the same root servers.

Two problems; Who does the authorization? ... and US Constitution.
There is also the not-so-small problem of global enforcement, of such a
draconian measure.

I'm not unsympathetic to folks paying for helpdesks. But, you're gonna get
those calls anyway. You may even be getting them now. Is this any different
than lusers asking why their machine doesn't work ... during a blackout?

You've been living in the regulated side of the telco business far too long.

well... there are international bodies that handle other
telecommunications matters

OK here's an idea, everybody:

Since new.net (and others) seem to want to blatantly ignore the standards set forth by the IETF, ICANN, and others, why don't we "bend" the standards and stack the deck in our own favor? Let's all make our own DNS servers authoritative for "new.net." And, to prevent people from finding out the IP addresses and getting to new.net that way, either blackhole the routes, or add host routes on your LAN that point to some www server/page that points out why what new.net is doing is a Bad Thing.

We need new TLDs in order to support the growth of the internet. However, we don't need to do it the way new.net is, and they need to be nipped in the bud.

Jeff

well... there are international bodies that handle other
telecommunications matters

And one of the primary reasons the Internet exists in the open and
transparent form it does today is because those bodies (CCITT->ITU-T etc.)
have not been involved in most of the research and engineering.

On the other hand, the 'net is now so ubiquitous that maybe maturity brings
that level of self-interest based regulation.

Peter

Well, we're on the right track here. At least new.net's attempt is
starting to be classified as an outage. :)

-c

Since new.net is a perfectly legitimate domain under the
rules that you support, I think black holing that domain
or their routes would be a Bad Idea.

You could however make your nameservers authoritative for
every 1,2,3 and 4 character TLD not in the standard root.zone
to prevent private TLD leakage into your network (from any
source).

As an experiment I created a named.conf stub that can be
appended to a regular named.conf file and a sample generic
zone file that can be used once for all of the private TLD's:

http://kl.net/tld/

(the sample zone file is called 'a' to minimize the size
of the named.conf file).

Unfortunately, it's 58 Megs so it wouldn't be practical
to use on all but the beefiest nameservers.

Perhaps there should be an RFC for "private TLD" namespace like
RFC1918.

KL
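The approach KL describes (local master zones for every short label that is not a real TLD) can be sketched as a generator. This is an added example, not KL's stub from kl.net: the letters-only alphabet, the one-line stanza layout and the sample root list are assumptions made for illustration.

```python
import itertools
import string

# Constructed sample: a few TLDs from the standard root zone. A real
# deployment would load the full list from the root.zone file it trusts.
SAMPLE_ROOT_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int",
                    "arpa", "uk", "de", "us"}

ZONE_FILE = "a"  # one shared generic zone file; the short name keeps stanzas small


def private_tld_labels(root_tlds, max_len=4, alphabet=string.ascii_lowercase):
    """Yield every label of 1..max_len characters that is not a real TLD."""
    real = {t.lower().rstrip(".") for t in root_tlds}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            label = "".join(chars)
            if label not in real:
                yield label


def stanza(label, zone_file=ZONE_FILE):
    """One BIND stanza making this server authoritative for the label."""
    return f'zone "{label}" {{ type master; file "{zone_file}"; }};\n'


def stub_stats(root_tlds, max_len=4):
    """Return (stanza_count, total_bytes) without holding the stub in memory."""
    count = size = 0
    for label in private_tld_labels(root_tlds, max_len):
        count += 1
        size += len(stanza(label))
    return count, size


def write_stub(path, root_tlds, max_len=4):
    """Write the stub to a file that can be appended to named.conf."""
    with open(path, "w") as fh:
        fh.writelines(stanza(l) for l in private_tld_labels(root_tlds, max_len))


if __name__ == "__main__":
    n, size = stub_stats(SAMPLE_ROOT_TLDS, max_len=4)
    print(f"{n} zones, {size / 1e6:.1f} MB of named.conf")
```

Even with one-line stanzas and letters only, four-character coverage means several hundred thousand zones, which is why the result only suits large nameservers.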

Jeff Workman wrote:

Two problems; Who does the authorization? ... and US Constitution.
There is also the not-so-small problem of global enforcement, of such a
draconian measure.

well... there are international bodies that handle other
telecommunications matters

known for agility, rapid advancement of customer perceived service, low
overhead, and other great social goods.

Since new.net (and others) seem to want to blatantly ignore the standards set forth by the IETF, ICANN, and others, why don't we "bend" the standards and stack the deck in our own favor? Let's all make our own DNS servers authoritative for "new.net." And, to prevent people from finding out the IP addresses and getting to new.net that way, either blackhole the routes, or add host routes on your LAN that point to some www server/page that points out why what new.net is doing is a Bad Thing.

Send us all a postcard from prison, OK:

4. Stability of the root zone and criminal consequences

    It should be recognized that in the United States, altering DNS
    records to the detriment of a pre-existing organization is covered
    under federal computer fraud statute, 18 United States Code, Section
    1030[6]. As a result, criminal convictions have resulted from the
    alteration of DNS information[7]. Most countries now have similar
    laws.

http://www.ietf.org/internet-drafts/draft-higgs-root-defs-00.txt

[7] U.S. vs. Kashpureff (NY)
http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm

We need new TLDs in order to support the growth of the internet. However, we don't need to do it the way new.net is, and they need to be nipped in the bud.

So instead of wasting energy making the case against you for the prosecution, why don't you use that energy productively in this situation? New.net already know this. They don't yet know how to go about it.

Best Regards,

Simon Higgs

Stoned koala bears drooled eucalyptus spit in awe as Simon Higgs exclaimed:

4. Stability of the root zone and criminal consequences

    It should be recognized that in the United States, altering DNS
    records to the detriment of a pre-existing organization is covered
    under federal computer fraud statute, 18 United States Code, Section
    1030[6]. As a result, criminal convictions have resulted from the
    alteration of DNS information[7]. Most countries now have similar
    laws.

I don't recall saying squat about modifying the root zone. I was
referring to local nameservers that are under your (or my) administrative
control. Tell me how this is any different than "content filtering"
packages that are in use today (X-Stop comes to mind.) Sure, the
underlying mechanism is different, but the result is the same. User tries
to access a site that is administratively prohibited, and is redirected to
a local web page explaining to them why. Are we going to prosecute all of
these organizations now?

If it's *my* DNS server running on *my* equipment using *my* bandwidth,
then I can do whatever I want to with it, right? Just as long as I don't
try any cache poisoning foo or otherwise propagate my authoritative
'new.net' zone to other DNS servers that aren't under my administrative
control.

So instead of wasting energy making the case against you for the
prosecution, why don't you use that energy productively in this situation?
New.net already know this. They don't yet know how to go about it.

Why doesn't new.net start sending me monthly paychecks? Since they're
*all* about money, then if I am going to help them get their business off
the ground, then where's mine?

Jeff

[OFF THE RECORD, UNOFFICIAL] I see an administrative nightmare
in allowing anyone to create their own gTLD and it would cause a
security problem beyond comprehension. I believe everyone must
come together on this and move to the next level and decide on what
gTLD'S will be allowable and acceptable by everyone without as much
as a whimper.

I can see from the last 600 emails that this has really touched a sore spot,
once the agreement on the gTLD's has been reached then it will have to
be presented to ICANN. If you must rant at me please do it privately
not on the NANOG list, this would serve no useful purpose and I
would wind up losing a potentially valuable human source of information.

I am simply wanting to defuse the current rant and get to a level where
this can be worked out for everyone's benefit and that no one is king
of the hill, and to eliminate any jealousy.

Jeff Workman wrote:

If it's *my* DNS server running on *my* equipment using *my* bandwidth,
then I can do whatever I want to with it, right?

Good punt. But you're returning data owned elsewhere (like someone else's A record). If you are responsible for returning accurate data to a public audience, and it's not your data to alter, then you are liable for the consequences. If you want to run a different .COM in private (i.e. no public audience and no consequences), go right ahead.

Why doesn't new.net start sending me monthly paychecks? Since they're
*all* about money, then if I am going to help them get their business off
the ground, then where's mine?

Go ask them. (626) 229-7800.

Best Regards,

Simon Higgs

TLD Finder Tools (collision avoidance tools) are available for people to see which TLDs are already "in play":

ORSC have a Top Level Domain Finder which queries the ORSC root zone:
http://tldfind.open-rsc.org/

Planet Communications & Computing Facility (PCCF - who run the .GOD registry) have a TLD Finder which queries multiple roots:
http://www.pccf.net/cgi-bin/root-servers/whereis-tld?+

Best Regards,

Simon Higgs

And this, I think, is the most salient operational point made so far in
this discussion.

Many thanks.

Simon Higgs wrote:

On Sunday, March 18, 2001 8:12 AM (AEST)

TLD Finder Tools (collision avoidance tools) are available for people to
see which TLDs are already "in play":

ORSC have a Top Level Domain Finder which queries the ORSC root zone:
http://tldfind.open-rsc.org/

Planet Communications & Computing Facility (PCCF - who run the .GOD
registry) have a TLD Finder which queries multiple roots:
http://www.pccf.net/cgi-bin/root-servers/whereis-tld?+

AlterNIC's newest tool
http://www.alternic.org/tldfinder.html

Best Regards,

Simon Higgs

You too
Patrick Corliss

the collisions don't seem to be being avoided

Checking (AlterNIC) nameserver ny.alternic.org for .SHOP
SHOP. in ns BERK.SERV.NIC.INFO

Checking (NEWNET) nameserver ns0.newdotnet.net for .SHOP
SHOP. in ns UDNS1.NEWDOTNET.NET

Checking (NS) nameserver ns.autono.net for .SHOP
SHOP. in ns ALLADIN.DDS.NL

See - you open it up and it all falls apart

These "finder tools" are bobbins, they just query against a botched
together list of servers.

.. also ORSC sounds techie friendly - it has the word open in so it must
be good - but c'mon there's no difference between it and new.net or
whoever? having said that maybe it would be better than icann.. only
problem is who has to give them the authority and make everyone abide by
it?

Steve

the collisions don't seem to be being avoided

Checking (AlterNIC) nameserver ny.alternic.org for .SHOP
Checking (NEWNET) nameserver ns0.newdotnet.net for .SHOP
Checking (NS) nameserver ns.autono.net for .SHOP

See - you open it up and it all falls apart

These "finder tools" are bobbins, they just query against a botched
together list of servers.

The tools are designed to find the existing collisions and prevent future collisions. So there's nothing wrong with the tools. They're working! The result, as you correctly point out, is that the "botched together list of servers" are now visible to everyone and will need to be fixed somehow. That is the entire point of making the tools available.

.. also ORSC sounds techie friendly - it has the word open in so it must
be good - but c'mon there's no difference between it and new.net or
whoever?

I wouldn't put any money down on that bet. ORSC is a non-profit Delaware corp., and its only product is a published root zone which it gives away for free. New.net is a for-profit/VC-funded registry/registrar operation. Not quite the same thing at all.

having said that maybe it would be better than icann.. only
problem is who has to give them the authority and make everyone abide by
it?

You do, along with everyone else that has control over where their DNS points (per RFC2826).

Steve

>
> On Sunday, March 18, 2001 8:12 AM (AEST)
>
> > TLD Finder Tools (collision avoidance tools) are available for people to
> > see which TLDs are already "in play":
> >
> > ORSC have a Top Level Domain Finder which queries the ORSC root zone:
> > http://tldfind.open-rsc.org/
> >
> > Planet Communications & Computing Facility (PCCF - who run the .GOD
> > registry) have a TLD Finder which queries multiple roots:
> > http://www.pccf.net/cgi-bin/root-servers/whereis-tld?+
> >
>
> AlterNIC's newest tool
> http://www.alternic.org/tldfinder.html
>

Best Regards,

Simon Higgs

>having said that maybe it would be better than icann.. only
>problem is who has to give them the authority and make everyone abide by
>it?

You do, along with everyone else that has control over where their DNS
points (per RFC2826).

100% agree, now we just have to get everyone on nanog to reach the same
conclusion! :)

Steve

On the other hand, the 'net is now so ubiquitous that maybe
maturity brings
that level of self-interest based regulation.

You can say that again!