ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] censorship among root servers

  • To: Hugh Dierker <hdierker2204@xxxxxxxxx>
  • Subject: Re: [ga] censorship among root servers
  • From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
  • Date: Sun, 28 Mar 2010 23:24:10 -0430

One thing this lesson has taught us is you can't have root servers in
countries that censor. And countries with root servers have the power to
screw the world just by tweaking their border gateways.

I've been putting together the bits and pieces of the puzzle and it does
look like a border gateway leaked China DNS to the world. Here is the best
analysis of what happened that I have seen to date from someone at ground
zero.

http://bit.ly/cy2sMj

According to another report I have seen this has been going on for weeks. It
has also affected more domains than just Twitter, YouTube and Facebook. And
this incident has been going on for a while. Not just a week or two but very
likely longer. And I'm beginning to suspect ICANN knew about it and the
reports of the incident were no surprise.

I've warned people for years - if you want secure DNS - run your own roots.
That's the only solution that is foolproof and works.

This whole incident also brings up an interesting attack vector using
DNSSEC. By taking control of one root server ..  or gateway .. you could
black out entire portions of the Internet if they are DNSSEC enabled. That's
the Bernstein DNSSEC suicide case taken to the extreme.

cheers
joe baptista

P.S. oh - one more thing this whole incident has been going on for a while.




On Sun, Mar 28, 2010 at 3:36 PM, Hugh Dierker <hdierker2204@xxxxxxxxx> wrote:

> Andy,
>
> Is it possible that this censorship and suppression of the people is a good
> thing for the rest of us?
>
> --- On *Fri, 3/26/10, Andrew McMeikan <andrewm@xxxxxxxxxxxx>* wrote:
>
>
> From: Andrew McMeikan <andrewm@xxxxxxxxxxxx>
> Subject: [ga] censorship among root servers
> To: "ga@xxxxxxxxxxxxxx" <ga@xxxxxxxxxxxxxx>
> Date: Friday, March 26, 2010, 7:17 AM
>
>
>
> I was reading
> https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005267.html
>
> which suggests that some of China's censorship is leaking but would
> seem mostly confined (i.e. not leaking to Japan)
>
> Is this the start to the end of DNS?  Implementing censorship occurs
> more aggressively as western countries embrace what was previously
> frowned on as totalitarian giving countries that already embrace
> censorship a justifiable position in more extreme censorship.
>
> If root nodes are compromised to the point that they redirect
> queries to false sites then any trust in DNS is lost.
>
> I call on everyone here to support a declaration that:
> "No censorship can be tolerated within the root servers."
> and that this supported declaration be forwarded to the ICANN board
> that they may press China to choose another way to achieve their
> internal policies than polluting a global shared resource.
>
> I trust that this is such a minimalist statement that it can receive
> unanimous support within the general assembly.  My personal views on
> censorship would like to make a much broader statement but without
> this minimal simplistic position for root server trust, I feel that
> there can be no functioning name system.
>
>
>
>
> Yours sincerely,
>
>
> Andrew McMeikan
>
>
>


-- 
Joe Baptista

www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084

Personal: http://baptista.cynikal.net/

