[ga] more bad news on GFW poisoning of ICANN i.root server

[Joe Baptista <baptista@xxxxxxxxxxxxxx>]

The Great FireWall of China has been poisoning the DNS for about a year. Roy
Arends a senior researcher at Nominet confirmed the issue was investigated a
year ago - http://bit.ly/c2SqBm - so if Nominet knowns I'm sure ICANN knows.
The matter has been treated for the last year as an internal issue. There is
a paper circulating at ICANN that contains according to Arends some fairly
controversial conclusions.

wow ... that ICANN has been keeping this under wraps for a year. Where's the
integrity? Where's the security?

Again I stress the only way to ensure absolute DNS security and keep
yourself safe is to run your own root. I've been saying that for years. I
think current events prove the point.

And if your going to hand over your root DNS function to someone outside
your organization - make sure you can trust them or John Palmer's "Xennt
(ed) posse of engineers" may just up and take your wallet as you surf and
turf. Credibility is key. Someone like OpenDNS is a credible provider.

Or you can even use IANA data to populate your own root services. Just pick
up the root via FTP or AXFR. Available fresh every morning.

Todays lesson is ... for the world to continue to depend on the ICANN US
roots is clearly technical suicide. One major concern of mine all these
years is that it only takes one root to hijack large portions of the
Internet. I've proven the theory myself that using root as a means of
surveillance or attack can be very effective. The only solution is to get
root out of the equation and in the control of users.

anyway ... thats my two cents :)