On Sun, 7 Dec 2003, Iljitsch van Beijnum wrote:

> On 6-dec-03, at 23:04, Dean Anderson wrote:
>
> >> I don't think this stealth business is a very good idea. If you want a
> >> root server somewhere, use anycast. That means importing BGP problems
> >> into the DNS, which is iffy enough as it is.
> >
> > That seems to argue against anycast...
>
> If there were 65 actual root servers, I would very much prefer the
> situation where I could contact each and any one of those, rather than
> a subset of 13 that are chosen by a protocol that was NOT designed for
> this. (Selecting the "best" path is pretty much an afterthought in
> BGP: the RFC doesn't even bother giving suggestions on how to do this.)
> But the DNS protocol has problems supporting 65 (or 45 or even 25)
> individual root server addresses, it's either no more than around 13
> individual servers or a larger number of anycasted ones.

I don't need any more than 13, and I would, were I director of some
country's telecom, much prefer that I had several within my borders. So
that argues for at least 3 * 190, or about 600+ root servers worldwide
(large countries like the US and China having more than 3). Anycasting
probably isn't going to easily scale that large, and requires more
complexity, which makes things much harder at the lower end. Also,
anycasting doesn't work for TCP.

> I don't have a problem with some controlled anycasting, but the root
> operators shouldn't go overboard. For instance, the .org zone is only
> served by two addresses, which are then anycast. There have been
> reports from people who were unable to reach either of these addresses
> when there was some kind of reachability problem. The people managing
> the .org zone are clearly lacking in responsibility by limiting the
> number of addresses from which the zone is available without any good
> reason.

A much larger number of root servers also tends to avoid this problem,
and localize problems.

As someone pointed out, it is fast becoming the case that no one has
enough knowledge of what's happening to understand the problems.
Obviously, the solution is to make sure that problems are localized, and
can be partitioned without bringing down the global or national
infrastructure.

> The situation that must be avoided is where all or most root servers
> seem to be in the same location from a certain viewpoint, as a BGP
> black hole towards that location will then make them all unreachable. I
> would prefer it if several root servers weren't anycast at all, just to
> be on the safe side.

I agree. It is easy to create a blackhole, or even a DDOS on an anycast
address. It is much harder to DDOS 600 IP addresses spread through some
200 countries.

> > It's the same "deal" as distributing the "official" root nameserver
> > updates. Some people don't pay attention to this until they can't get
> > nameservice to work. It's a problem, but it isn't made better or worse.
>
> The difference is that official root servers are updated through the
> official channels, which I have no reason to distrust. Having a stealth
> root server means you can't listen to the real root servers anymore
> (because then you'd have a 13/14th chance of learning the list of
> official root servers and forgetting about the stealth one when a
> resolver starts) which is a big fat single point of failure.

Err, no. The "root servers", from the point of view of a person in a
given country, are the list given by the country's telecom authority.
Just like the SS7 point codes for that country. There is no reason to
distrust the FCC. For the United States, they are the "official
authority".

The official contents of the root zone are controlled by an
international commission. This would be distributed to the root server
operators by some agreed channel: FTP, certified letter, diplomatic
pouch, or carrier pigeon ;-) The root zone is not very big. It probably
could be distributed by carrier pigeon.

Exaggeration and humor aside, distribution is not a big problem.

> >> So I have to trust these fake roots a 100%:
> >
> > They aren't exactly fake. They are just not listed by the "dig . ns"
> > query, so they aren't technically authoritative. Though, I suppose they
> > could be--I'm just assuming they aren't.
>
> Ok, let's not debate the word "fake".
>
> > As far as trust goes, since they
> > are run by your government, yes, you can trust them.
>
> Their intentions, maybe. Their DNS operating prowess, I don't think so.

Oh please. Root server operation is not that difficult. The government
is responsible to find someone to run it competently. But if their
operators are incompetent, they only affect that country. They would not
be able to affect other countries by their incompetence.

Other countries do not trust the US (to run things competently, fairly,
whatever). The solution (if possible) is to distribute the
responsibility to each country, so that mal intent or simple
incompetence by another country can't affect their infrastructure, and
so that they can de-peer with that country if they please. And years
later, if they reconnect, then things should just work. (Cuba is a good
example--phone service to the US was disconnected, and later
reconnected.) My proposal meets these objectives. Anycasting does not.

> You missed the point in one of my previous messages: there is no
> officially supported way to do zone transfers for the root. This can
> stop working at any time.

Well, there is obviously some (perhaps private) agreement among the
current operators on how to update the contents of the root. This is but
a formality, since the root isn't large, and it changes infrequently.

> >> I think what we need to really solve this is a redesign of the DNS, as
> >> the way it is now it breaks a fundamental design principle of the
> >> internet: when two nodes have reachability, they should be able to
> >> communicate, regardless of what else is (un)reachable. (I'm not
> >> volunteering, though.)
> >
> > I agree completely, but I don't think anything needs to change other
> > than management of existing services.
>
> How is that agreeing with my point that we need a redesign (if we want
> to solve this)???

I agree that a fundamental design principle is that when two nodes have
reachability, they should be able to communicate, regardless of what
else is (un)reachable. We do not need to redesign DNS to achieve this.
All we need to do is change the management of its operation.

--Dean
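The quoted remark that the DNS protocol cannot carry 65, 45 or even 25 individual root server addresses comes from the 512-byte payload limit of classic DNS over UDP: a resolver's priming response has to list every root server, with its glue address, in a single datagram. The script below is an added illustration, not part of this thread; it builds such a response with RFC 1035 name compression for a constructed fleet of servers named a.root-servers.net, b.root-servers.net, ... (with constructed 192.0.2.0/24 glue addresses) and measures how many fit. With single-letter names the cap comes out in the mid-teens, consistent with the "around 13" figure above, while 65 servers would need roughly four times the budget.

```python
import struct

MAX_UDP = 512  # classic DNS-over-UDP payload limit (RFC 1035), before EDNS0

def encode_name(name, base, offsets):
    """Encode `name` in wire format with RFC 1035 label compression.
    `base` is the offset at which the name will sit in the message; `offsets`
    remembers where each suffix was first written so a later name can replace
    that suffix with a 2-byte pointer (0xC000 | offset)."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    out = bytearray()
    while labels:
        suffix = ".".join(labels) + "."
        if suffix in offsets:
            return bytes(out) + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = base + len(out)  # messages here stay far below the 16 KiB pointer range
        label = labels.pop(0).encode()
        out += bytes([len(label)]) + label
    return bytes(out) + b"\x00"  # the empty root label terminates the name

def root_server_name(i):
    # constructed names: a..z.root-servers.net, then a1..z1, a2.. for larger fleets
    return chr(ord("a") + i % 26) + (str(i // 26) if i >= 26 else "") + ".root-servers.net."

def priming_response(n_servers, ttl=3600000):
    """Build the answer to a priming query ('.' IN NS) for n_servers root
    servers: one NS record each in the answer section and one IPv4 glue
    record each in the additional section (constructed 192.0.2.x addresses)."""
    # header: ID, flags QR|AA, QDCOUNT=1, ANCOUNT=n, NSCOUNT=0, ARCOUNT=n
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers, 0, n_servers))
    offsets = {}
    names = [root_server_name(i) for i in range(n_servers)]
    msg += encode_name(".", len(msg), offsets) + struct.pack("!HH", 2, 1)  # QTYPE=NS, QCLASS=IN
    for name in names:  # answer section: ". IN NS <name>"
        msg += encode_name(".", len(msg), offsets) + struct.pack("!HHI", 2, 1, ttl)
        rdata = encode_name(name, len(msg) + 2, offsets)  # +2 skips the RDLENGTH field
        msg += struct.pack("!H", len(rdata)) + rdata
    for i, name in enumerate(names):  # additional section: "<name> IN A 192.0.2.x"
        msg += encode_name(name, len(msg), offsets) + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += bytes([192, 0, 2, i % 256])
    return bytes(msg)

def max_servers_in_udp(limit=MAX_UDP):
    """Largest fleet whose whole priming response (NS + glue) fits in `limit` bytes."""
    n = 0
    while len(priming_response(n + 1)) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    for n in (13, 25, 45, 65):
        print(f"{n:3d} root servers -> priming response of {len(priming_response(n))} bytes")
    print("largest fleet that fits in 512 bytes:", max_servers_in_udp())
```

EDNS0 lets a resolver advertise a larger buffer, but 512 bytes is the only size every resolver is guaranteed to accept, which is why the root fleet was sized to fit inside it.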