Re: [ga] Re: Root server traffic
- To: Andy Gardner <andy@xxxxxxxxxxxxxxx>
- Subject: Re: [ga] Re: Root server traffic
- From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
- Date: Fri, 23 Nov 2007 18:50:06 -0500
Andy Gardner wrote:

> This proves that CNNIC HAS added extra TLDs running parallel
> alongside the "approved" ICANN root.
> Why has ICANN never said anything about this?

They can't. It's an embarrassment to have to tell the world the Chinese
are running an experimental root. That's all they can say when it comes
to that BCP-3 Jefsey keeps going on about. But that would cause
China to be insulted since the China national TLD system is no
experiment and something the Chinese are very proud of. It is in full
production. As are many other TLD systems out there. And of course
ICANN can't call that an alternative root. So ICANN, who have known
about this situation for years, just ignores the Chinese.

> I understand that many ISPs outside China have added them as well,
> to cater for the Chinese people in their community? Tiscali?

Tiscali was my client through UNIDT (now UnifiedRoot), INAIC and the
Public Root. I was the one who activated those TLDs. At the time I
was involved they were pointing to the INAIC root. Tiscali now uses the
root provided by UnifiedRoot. UnifiedRoot dropped the Chinese national
TLDs some time ago. So Tiscali no longer sees them.

What is very strange in all of this is that I heard from i-dns that they
carry only two of the Chinese TLDs. That's all they have agreements with
the Chinese government. The other one they can't carry on the i-dns root.

The root I produce, the public root, an open root, is fully inclusive and
sees all the Chinese national TLDs - as well as the national TLDs of
numerous other countries. Not complete but growing as we run tests to
automate the system.

> Verisign's "Global Digital Brand Management Services" actually
> announced they were selling these TLDs in their news bulletin...
> http://gnso.icann.org/mailing-lists/archives/council/msg02929.html
> which was later edited to remove the evidence that they were TLDs.
> Quickly swept under the carpet.

Of course. They are walking a very thin line carrying Chinese national
TLDs. A lot of people are carrying them.

Basically here's how it works for Verisign. They are making mega buck
with ICANN playing make believe ICANN is in charge while they do
business with the Chinese. More mega buck. That's all Verisign cares
for. But these are potentially dangerous mistresses who are at odds
with each other.

> What with the Arabic split root as well, it's clear that IDN TLDs
> have been tested for quite some time already, so why the need to
> re-test them again?

The leaders were i-dns, with the Chinese and Arabs following closely
thereafter. Why the need to retest them? ICANN is in need of a face
lift and introducing IDNs is the way. They already know they work so
they launch them and take all the credit for testing them. It's what
ICANN does best - bullshit.

> Add to that, ICANN's iTLD test breaking the "no variants allowed"
> rule requested by the CJK community (which Verisign follows), one must
> wonder just what the hell is going on here.

People want to make money on IDN TLDs and they are pushing ICANN to get
its act together. It's a lousy test too. If they really wanted to run a
test they could give away permanent test TLDs. Instead one of the
largest root systems in town has set up numerous TLDs and pointed them
more or less to one place.

> Can any country run a split root now?

Lots of them already do. Turkey, which I was involved in under INAIC, has
a number of its own Turkish TLDs. They have banks, and large
corporations that run their own TLDs. Bulgaria - I think that's the
country - was originally tested via the cesidianroot and now is on the
i-dns system. Lots of ISPs and countries use i-dns. The Arabs have
their own closed system between a few countries. Not all of the Arab
countries participate.

People are not waiting for ICANN. Innovation marches past the dead
dinosaur that is ICANN.

But the real question is - where do these roots send their trash - i.e.
error traffic at the root server? I'm not sure I know all the answers
- but as far as the Chinese are concerned they send their trash right
back to ICANN where it belongs. And I think that is very appropriate
and totally cute of the Chinese. The errors created by ICANN or users
are sent back to ICANN by the China root. It's really cool. If the
China root is queried for a TLD it does not know, they just ship it to
ICANN, they respond NOERROR and then pass the error or ICANN TLD on to
the ICANN root servers, which then respond NXDOMAIN or NOERROR
depending on ICANN.

Example - if we ask the China root for a non-existent domain - like the
ICANN-ROOT-IS-A-TRASH-CAN or a real ICANN TLD we get this (I'll use the
trash TLD can example for this test).

$ dig @a.dns.cn. ICANN-ROOT-IS-A-TRASH-CAN. NS
; <<>> DiG 9.2.3 <<>> @a.dns.cn. ICANN-ROOT-IS-A-TRASH-CAN. NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; QUESTION SECTION:
;ICANN-ROOT-IS-A-TRASH-CAN. IN NS
;; AUTHORITY SECTION:
. 266088 IN NS J.ROOT-SERVERS.NET.
. 266088 IN NS K.ROOT-SERVERS.NET.
. 266088 IN NS L.ROOT-SERVERS.NET.
. 266088 IN NS M.ROOT-SERVERS.NET.
. 266088 IN NS A.ROOT-SERVERS.NET.
. 266088 IN NS B.ROOT-SERVERS.NET.
. 266088 IN NS C.ROOT-SERVERS.NET.
. 266088 IN NS D.ROOT-SERVERS.NET.
. 266088 IN NS E.ROOT-SERVERS.NET.
. 266088 IN NS F.ROOT-SERVERS.NET.
. 266088 IN NS G.ROOT-SERVERS.NET.
. 266088 IN NS H.ROOT-SERVERS.NET.
. 266088 IN NS I.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 352488 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 352488 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 352488 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 352488 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 352488 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 352488 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 352488 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 352488 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 352488 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 352488 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 352488 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 352488 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 352488 IN A 202.12.27.33
;; Query time: 240 msec
;; SERVER: 203.119.25.1#53(a.dns.cn.)
;; WHEN: Fri Nov 23 18:43:07 2007
;; MSG SIZE rcvd: 462

It's funny they send everything including the trash to ICANN, but of
course ICANN does not realize it's a trash can - so it responds accordingly.
Is it any surprise the error rate at the ICANN root is so high? I think
not.

cheers
joe baptista
On Nov 23, 2007, at 10:00 AM, Joe Baptista wrote:
The point here is that these are still fully functional TLDs.
Technical example here. If we query the China root for the TLD
XN--55QX5D. - which represents one of the Chinese TLDs - we get this:
$ dig @a.dns.cn. XN--55QX5D. NS
; <<>> DiG 9.2.3 <<>> @a.dns.cn. XN--55QX5D. NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;XN--55QX5D. IN NS
;; ANSWER SECTION:
XN--55QX5D. 7200 IN NS cdns3.cnnic.net.cn.
XN--55QX5D. 7200 IN NS cdns4.cnnic.net.cn.
XN--55QX5D. 7200 IN NS cdns5.cnnic.net.cn.
XN--55QX5D. 7200 IN NS hawk2.cnnic.net.cn.
;; ADDITIONAL SECTION:
cdns3.cnnic.net.cn. 600 IN A 210.52.214.86
cdns4.cnnic.net.cn. 600 IN A 61.145.114.120
cdns5.cnnic.net.cn. 600 IN A 61.139.76.55
hawk2.cnnic.net.cn. 600 IN A 159.226.6.185
;; Query time: 290 msec
;; SERVER: 203.119.25.1#53(a.dns.cn.)
;; WHEN: Fri Nov 23 10:42:49 2007
;; MSG SIZE rcvd: 184
The response is NOERROR. That means to any expert that the TLD does in
fact exist. No amount of ICANN buffoonery is ever going to change that.
Because if we ask the ICANN servers the same question we get:
$ dig @a.root-servers.net. XN--55QX5D. NS
; <<>> DiG 9.2.3 <<>> @a.root-servers.net. XN--55QX5D. NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;XN--55QX5D. IN NS
;; AUTHORITY SECTION:
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007112300
1800 900 604800 86400
;; Query time: 60 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net.)
;; WHEN: Fri Nov 23 10:46:53 2007
;; MSG SIZE rcvd: 103
And NXDOMAIN means in ICANN speak a bogus domain. It does not exist at
ICANN.
--
Joe Baptista www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive,
Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084
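
The three dig replies quoted in the message differ in more than the status line: the aa flag and the ANSWER/AUTHORITY counts separate an authoritative answer from a referral and from a denial. The sketch below is an added example, not part of the original message or of any project it mentions. It classifies excerpts of those replies and flags two servers disagreeing about a name; the function names are hypothetical and the parsing assumes dig's text output as shown above.

```python
import re

# Excerpts (header lines plus one record) of the three dig replies quoted above.
CN_UNKNOWN_TLD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; AUTHORITY SECTION:
. 266088 IN NS J.ROOT-SERVERS.NET.
"""
CN_IDN_TLD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; ANSWER SECTION:
XN--55QX5D. 7200 IN NS cdns3.cnnic.net.cn.
"""
ROOT_IDN_TLD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007112300 1800 900 604800 86400
"""

def parse_reply(text):
    """Extract status, flags, section counts and authority record types."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]*);", text).group(1).split()
    counts = {k: int(v) for k, v in re.findall(r"(ANSWER|AUTHORITY): (\d+)", text)}
    auth_types, in_auth = set(), False
    for line in text.splitlines():
        if line.startswith(";;"):
            in_auth = "AUTHORITY SECTION" in line
        elif in_auth and line.strip():
            auth_types.add(line.split()[3])  # owner ttl class TYPE rdata
    return status, flags, counts, auth_types

def classify(text):
    """Name the kind of reply; the status code alone is not enough."""
    status, flags, counts, auth_types = parse_reply(text)
    if status == "NXDOMAIN":
        return "nxdomain"
    if status != "NOERROR":
        return "error:" + status
    if counts["ANSWER"] > 0:
        return "authoritative-answer" if "aa" in flags else "cached-answer"
    if "aa" not in flags and "NS" in auth_types:
        return "referral"
    return "nodata"

def split_view(reply_a, reply_b):
    """True when one server serves the name authoritatively and the other denies it."""
    return {classify(reply_a), classify(reply_b)} == {"authoritative-answer", "nxdomain"}
```
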