The chances of a frustrated isp being unable to resolve things during a DDoS
attack and the root operators not already knowing about it are a lot lower
than the chances that the root operators will be deluged with mail from
frustrated ISPs who can't figure out why queries originating in RFC1918
space don't get answered.
And remember - Paul Vixie has shown that 10% of the inbound traffic at
c.root-server.net is bogus rfc1918 sourced. Making the addresses public
will serve as a DDoS vector against the root operators....
> If the roots are once again under attack - how will the root server
> operators be contacted by a frustrated isp who can't resolve.
as valdis points out, 12 operators getting e-mail from 12,000 frustrated isp's
is probably not the best way to do this kind of notification. as to who the
root server operators are, http://root-servers.org/ has a list. valdis writes:
And remember - Paul Vixie has shown that 10% of the inbound traffic at
c.root-server.net is bogus rfc1918 sourced. Making the addresses public
will serve as a DDoS vector against the root operators....
moreover, duane wessels came to eugene last week to tell us that only 2.1%
of the queries hitting F-root were valid. there's got to be a way to make
that better.
here's a question. is your authoritative name server set up properly? by
that i mean: (1) is recursion disabled, and is it listed only in NS RR's,
never in resolv.conf or dhcpd.conf files? (2) is fetch-glue disabled (or
if not, does your firewall permit F-root to answer your sysqueries?)
"For example, one bad release of popular domain software drove averages
to over five times the normal load for extended periods. At present, we
estimate that over 50% of all root server traffic could be eliminated by
improvements in various resolver implementations to use less aggressive
retransmission and better caching."
Mockapetris P., Dunlap K.; Development of the Domain Name System,
Proceedings of SIGCOMM '88, Computer Communication Review Vol 18, No 4,
August 1988.