Spain was offline

Date: Thu, 31 Aug 2006 08:50:29 -0400

>From: Joe Abley <jabley@ca.afilias.info>
>Subject: Re: Spain was offline
>

[ SNIP ]

>You seem to be suggesting that ISPs run stealth slaves for these
>kinds of zones. This may have been a useful pointer for ISPs in days
>gone by, but I think today it's impractical advice.

How so? Anyone can get a zone and turn up [a-m] on-net
and outperform (response and uptime) many of the existing
instances of root servers. I'm quite confident it would work
as designed.

Where's Dean Anderson when you need him?

-M<

The root servers are easy; the zone is tiny and the update frequency is minuscule.

We were talking about TLD servers.

Joe

I can't get a TLD zone? But back to the root servers. Are you
agreeing with me that if I announce F and I root's netblocks
inside of my own network that everyone would be ok with that?

C'mon Joe, straight answer on that one. :slight_smile:

-M<

> I can't get a TLD zone?

*You* can do anything, Marty! You are the man! :slight_smile:

> But back to the root servers. Are you
> agreeing with me that if I announce F and I root's netblocks
> inside of my own network that everyone would be ok with that?

I'm not involved with policy at ISC or RIPE, but I would expect that if someone hijacked their netblocks they would have something to say about it.

> C'mon Joe, straight answer on that one. :slight_smile:

That's as straight as it gets :slight_smile:

Joe

> > I can't get a TLD zone?

> *You* can do anything, Marty! You are the man! :slight_smile:

Well, let's rephrase that. Anyone can't get a TLD zone?
And no, you are the man. :slight_smile:

> > But back to the root servers. Are you
> > agreeing with me that if I announce F and I root's netblocks
> > inside of my own network that everyone would be ok with that?

> I'm not involved with policy at ISC or RIPE, but I would expect that
> if someone hijacked their netblocks they would have something to say
> about it.

> > C'mon Joe, straight answer on that one. :slight_smile:

> That's as straight as it gets :slight_smile:

Thanks! Much appreciated.

What could F or I do if an operator were advertising
those blocks internally? Consider them no different than
blackholes. It's the same concept.

The point is that there's little reason to believe that
this couldn't be done by any operator or other entity
(OpenDNS?) technically, legally and legitimately.

[ Note: F and I are just the simple examples. ]

> Well, let's rephrase that. Anyone can't get a TLD zone?

While there are many smaller TLD zones that don't get updated very often and which have wide-open AXFR to all and sundry, I'm betting that the majority of zones that people on this list care about either update sufficiently rapidly that zone synchronisation is non-trivial, or have zone transfer restrictions in place, or both.

> What could F or I do if an operator were advertising
> those blocks internally? Consider them no different than
> blackholes. It's the same concept.

If you want an answer worth reading, then ask ISC or RIPE. I'm sure this is something that has occurred to them to think about.

I could pontificate about the freedom of individual operators to do whatever they please versus the wider issue of coherence and consistency in the DNS, but it'd just be so much Friday-afternoon noise.

Joe

> > Well, let's rephrase that. Anyone can't get a TLD zone?

> While there are many smaller TLD zones that don't get updated very
> often and which have wide-open AXFR to all and sundry, I'm betting
> that the majority of zones that people on this list care about either
> update sufficiently rapidly that zone synchronisation is non-trivial,
> or have zone transfer restrictions in place, or both.

Good information. Thanks.

> > What could F or I do if an operator were advertising
> > those blocks internally? Consider them no different than
> > blackholes. It's the same concept.

> If you want an answer worth reading, then ask ISC or RIPE. I'm sure
> this is something that has occurred to them to think about.

> I could pontificate about the freedom of individual operators to do
> whatever they please versus the wider issue of coherence and
> consistency in the DNS, but it'd just be so much Friday-afternoon noise.

Now I'm disappointed because I know you have some likely
excellent thoughts on this topic regardless of who you are
working for, or have worked for, but I completely understand.

Thanks, I enjoyed it. :slight_smile:

/me back to lurk

Joe Abley wrote:

> > Well, let's rephrase that. Anyone can't get a TLD zone?

> While there are many smaller TLD zones that don't get updated very often
> and which have wide-open AXFR to all and sundry, I'm betting that the
> majority of zones that people on this list care about either update
> sufficiently rapidly that zone synchronisation is non-trivial, or have
> zone transfer restrictions in place, or both.

It has been some years since I had to worry about these issues wearing a
Nominet hat, but I would say that for the majority of well-managed TLD
operators, data mining is a very serious concern. There have been various
incidents in the past where squatters, scammers or spammers have made
strenuous efforts to reverse-engineer registry data for their own ends.
Sometimes even significant technical prevention is not enough, and legal
remedy is also required.

Restricting AXFRs is only the most entry-level counter-measure against
such abuses. My understanding is that best TLD registry practice is to
only allow AXFRs to boxes which are either under control of or contract
to the registry, or at the very least to 3rd parties with whom a
restricted redistribution agreement is in place.

Keith
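The two configurations argued over in this thread, as an added example that is not part of the thread and not any operator's actual configuration: the ISP-side stealth slave of the root zone that Marty proposes ("anyone can get a zone and turn up [a-m] on-net"), and the registry-side zone-transfer restriction that Joe and Keith describe. Both are BIND 9 named.conf fragments. Assumptions, also labelled in the comments: the root-server addresses shown for F and K are the published unicast addresses and still permit AXFR of the root zone (verify against the current published list before relying on them); "example" stands in for a real TLD; the on-net prefix, the secondary addresses and the TSIG key are placeholders. The stealth-slave half is today codified in RFC 8806 (Running a Root Server Local to a Resolver).

```bind
// Added example (BIND 9 named.conf fragments). Not configuration from the
// thread or from any root or TLD operator. Addresses, prefixes and the key
// are placeholders or assumptions as noted in the comments.

// ---- (1) ISP-side stealth slave of the root zone (Marty's proposal) ----
// Assumption: F (192.5.5.241) and K (193.0.14.129) still allow AXFR of "."
// to anyone; check the current published list before depending on them.
zone "." {
    type slave;                                  // "secondary" in BIND 9.16+
    file "slave/root.zone";
    masters { 192.5.5.241; 193.0.14.129; };      // "primaries" in BIND 9.16+
    notify no;                                   // stealth: tell nobody we exist
    allow-transfer { none; };                    // and never redistribute the copy
    allow-query { 127.0.0.0/8; 10.0.0.0/8; };    // on-net resolvers only (10/8 assumed)
};

// ---- (2) Registry-side TLD zone: the weak setting vs. Keith's restriction ----
// "example" stands in for a real TLD (RFC 2606 reserved name). Only one of the
// two zone "example" stanzas may be loaded; the weak one is commented out.

/* Weak: anybody on the Internet can pull the entire zone and mine it.
zone "example" {
    type master;                                 // "primary" in BIND 9.16+
    file "master/example.zone";
    allow-transfer { any; };
};
*/

// Restricted: transfers only to contracted secondaries AND only when signed
// with a TSIG key. The secret is a placeholder; generate a real one with
// tsig-keygen and distribute it out of band.
key "xfr-contracted-1" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXI=";                   // placeholder, not a real key
};
acl contracted-secondaries { 192.0.2.10; 192.0.2.11; };   // RFC 5737 doc addresses

zone "example" {
    type master;
    file "master/example.zone";
    // The nested list matches any source that is NOT a contracted secondary
    // and the outer "!" rejects it; a listed secondary falls through and must
    // still present the key. Address alone or key alone is not enough.
    allow-transfer { !{ !contracted-secondaries; any; }; key "xfr-contracted-1"; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

Check either fragment with named-checkconf before loading it. The stealth copy in (1) only answers queries that resolvers are already sending to it; pointing them at it is a resolver-side configuration (or, in the thread's contested variant, advertising the root-server prefixes inside one's own network), not something the slave stanza does. On the registry side, `allow-transfer { any; }` is exactly what Joe calls wide-open AXFR; the restricted stanza is the "boxes under control of or contract to the registry" practice Keith describes, enforced by both source address and TSIG rather than by either alone.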

Straight answer: No.

Exercises:

Who is responsible if this set-up fails?

Who is responsible if it lies?

Who is likely to get blamed for any failures?

Would this require explicit consent from all customers
subject to such treatment?

Would this require a possibility for each customer to opt out
of such a scheme?

And - ah yes - what particular problem does such a set-up solve?

Daniel

helps operating K
helped create nsd
measures dns

> I can't get a TLD zone? But back to the root servers. Are you
> agreering with me that if I announce F and I root's netblocks
> inside of my own network that everyone would be ok with that?

> Who is responsible if this set-up fails?

> Who is responsible if it lies?

> Who is likely to get blamed for any failures?

> Would this require explicit consent from all customers
> subject to such treatment?

> Would this require a possibility for each customer to opt out
> of such a scheme?

Aren't all of these questions private issues between
the private network operator and their customers?
The same thing applies to companies who use IP addresses
inside their private networks that are officially
registered to someone else. This is a fairly common
practice and yet it rarely causes problems on the
public Internet.

Since Internet network operators are generally not regulated
in how they operate their IP networks, it seems to me that
the people who say that it is not proper to announce root
netblocks in a private network are really calling for network
regulation by an external authority.

> And - ah yes - what particular problem does such a set-up solve?

It seemed to me to be a theoretical question not intended
to solve a particular problem. However, theoretically, a
network that sources a lot of DDoS traffic to root servers
could do this to attract the traffic to their local copy
of the root server in order to analyze it. Theoretically,
this is something that would be enabled by the hypothetical
situation described above.

--Michael Dillon

I agree (and hence disagree with Daniel) - all networks are privately operated, and it is up to their admins to do whatever they wish providing

a) their actions are limited to their borders (don't announce the netblocks to other ASNs)

b) their customers get what they pay for - if you start meddling with things like redirecting DNS not-founds to your page - your customers should understand that before they buy

this constitutes operating a private company and a private consumer agreement.. so what's the issue? this may not be technical utopia but we live in a commercial world..

Steve

Anybody from Earthlink want to answer that one? :slight_smile:

>
> I can't get a TLD zone? But back to the root servers. Are you
> agreering with me that if I announce F and I root's netblocks
> inside of my own network that everyone would be ok with that?
>
> C'mon Joe, straight answer on that one. :slight_smile:

> Straight answer: No.

> Exercises:

> Who is responsible if this set-up fails?

> Who is responsible if it lies?

> Who is likely to get blamed for any failures?

The burden is already on the provider. The providers
answer the call when these things break or perform badly.

> Would this require explicit consent from all customers
> subject to such treatment?

I don't think so. There's no guarantee that an
internal route facing a customer is "RIPE K ROOT".
Peers may feel differently, but I wouldn't advocate
exporting (unless they did and perhaps would pay me for
better access to the application). That's different.

[ snip ]

-M<

(thanks for operating K, it is one of the better ones from my
measurements but that's part of the problem now isn't it? Consistency
in some areas.)