<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [ga] Re: Security and stability of the DNS (Was: Question about Making Choices
Dear Karl,
all this is very good.
But did you run a fair evaluation/simulation of a blunt defnitive
stop of the root server system?
A part from the NSA stopping being fed with root loggers what would
be the real impact on the Internet?
Have we any figure of ISPs/Extranets having not stored a copy of the
root file somewhere?
The speed of ICANN in accepting the updates of ccTLD secondaries
(some having had to wait for several months) shows that the
timeliness is not considered as critical. So, apart from a few
foolish ISP getting quickly back a copy, or if this is during a WE
and people not being at their desk what would be the real impact? I
suppose the story would be on TV everywhere with "how to survive a
root collapse" being explained. May be ftp.internic.net might be a
little buzy, but what would the impact be?
Also, you impose obligations to the root servers. What is their return?
- RIPE says they are an association of Members beneiftting from the
root server system and there fore the cost is part of the yearly fee.
- US Gov. machines are paid by the access of real time important
source of intelligence.
- for Verisign it is part of their cooperation agreement
What about the others?
Apart from Postel, Kaspurchef, and Verisign are there some other
attempts to temper with the root system?
jfc
At 19:49 21/11/2006, Karl Auerbach wrote:
Stephane Bortzmeyer wrote:
On Sat, Nov 18, 2006 at 08:59:53PM -0800,
Karl Auerbach <karl@xxxxxxxxxxxx> wrote a message of 42 lines which said:
So far the net (and ICANN) have been lucky. But do we really want
the technical stability of the net to continue to depend on sheer luck?
You are quite harsh. Many *people* are obligated to do their work
well. ISC employees (who manage F-root) have to work well or they are
fired. Verisign employees (who manage A-root and J-root) are in a
similar position. AFNIC employees (who manages ".fr") are accountable
to their management, too.
But neither ISC nor Verisign or any other operator of a root-layer
server is obligated by anything beyond moral compunction to meet any
kind of service standards. Their employees might answer to the
company, else be discharged, but that does not mean that the company
is a responsible actor or that it's interests and actions are
designed for long-term internet stability. Nor does it mean that
the company can be held accountable if it acts in a way that does,
or is unreasonably likely to, cause internet instability.
Indeed, certain operators, particularly those run by the United
States military and other arms of the US government are sworn to a
purpose that can conflict with what most of us perceive as the
stability of the internet. For example, the servers operated by the
US military can be (and indeed may already be) used either to gather
information about perceived enemies (remember, this is a government
that gathers vast information even about its own citizens) or
engages in a kind of information warfare, or is prepared to so
engage, against perceived enemies.
And other root operators, such as Verisign, have financial
obligations to their owners. Verisign is not presently prevented
from selling preferential resolution services, nor is it prevented
from mining the query stream to create a near real-time feed of
marketing data about "what's hot and what's not".
And ISC may or may not have the assets to recover from a human or
natural disaster.
I have published on several occasions a set of service-level
obligations to which root server operators ought to legally and
enforceable commit themselves.
(I'll attach the list at the end of this note.)
As I have said many times, the current root servers have, so far,
done a stellar job. But history has taught us again and again and
again that stability requires that we build upon institutions and
not upon mortal people.
It really matters little if operators form a guild (such as the OARC
you mention) - unless there are clear standards of performance and
means through which the public can require adherence to those standards.
It is this absence of standards of performance coupled with a lack
of means to demand and obtain adherence to those standards.
For the root servers, these standards would be largely consistent
with what they do today - the standards would primarly ensure the status quo.
But in all areas of interent governance we tend to refrain from
thinking about measurable, objective standards of performance. For
example, as (and if) VOIP becomes a telephone replacement to the
degree that it becomes a critical infrastructure, we will need to
find ways to obligate providers to work together to provide
assurances (not gurantees) of end-to-end packet flows that are
adequate to sustain a usable VOIP conversation.
Here's my list of root server requirements: (from
http://www.cavebear.com/cbblog-archives/000192.html - the formatting
got a bit mangled during the cut-paste into Thunderbird.)
Servers must be operated to ensure high availability of
individual servers, of anycast server clusters, and of network access paths.
Root zone changes should be propagated reasonably quickly as
they become available.
User query packets should be answered with dispatch but
without prejudice to the operator's ability to protect itself
against ill formed queries or queries that are obviously intended
to cause harm or overload.
User query packets should be answered accurately and without
manipulation that interferes with the user's right to enjoy the
end-to-end principle and to be free from the undesired introduction
of intermediary proxies or man-in-the-middle systems.
Operators should coordinate with one another to ensure
reasonably consistent responses to queries made to different root
servers at approximately the same time.
There should be no discrimination either for or against any
query source.
Queries should be given equal priority no matter what name
the query is seeking to resolve.
There should be no ancillary data mining (e.g. using the
queries to generate marketing data) except for purposes of root
service capacity planning and protection.
The operator must operate its service to be reasonably robust
against threats, both natural and human.
The operator must demonstrate at reasonable intervals that it
has adequate backup and recovery plans. Part of this demonstration
ought to require that the plans have been realistically tested.
The operator must demonstrate at reasonable intervals that it
has adequate financial reserves and human resources so that should
an ill event occur the operator has the capacity (and obligation) to recover.
Obligations go two-ways. The oversight body should ensure that
there is wide and free dissemination of the root zone file so that
people, entities, and local communities can cache the data and, when
necessary, create local temporary DNS roots during times of
emergency when those local communities are cut-off from the larger
part of the internet.
--karl--
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|