Slashdot Mirror


ICANN, National Registrars Still Feuding

Damalloch writes: "The BBC website has this story about the EU's concern over ICANN's refusal to make guarantees about root server stability. Domain name registrars such as Nominet are threatening to withhold payment of ICANN's fees unless something is done to reassure them. So far ICANN has remained stubborn because of the huge lawsuit potential if a root server were to go down but with the possibility of having their income reduced, they might just be convinced to do something."


  1. Well yes, but... by johnburton · · Score: 5, Interesting

    But if one server went down wouldn't the requests just go to the other root servers instead? Isn't that how DNS works?

    So presumably they've got decent machines and power supplies and connections for each server. And so the chance of one going down is quite low. The chance of enough of them going down at the same time to cause disaster has to be vanishingly small. If it's too big, add a few more servers.

    Unless they include the possibility of them being hacked I suppose. But then they could just use several different operating systems and name server software to hugely reduce the chances.

    I'm not sure I'm convinced that this is really the reason they won't give any guarantees, it seems like a reasonably safe thing to do to me.

    --
    Sig is taking a break!
  2. Run their own? by hogsback · · Score: 2, Interesting


    What are the obstacles to Nominet, say, running their own root server.

    They must already have bandwidth and physical security ... what else would they need?

    More redundancy, especially outside the US, can only be a good thing, right?

    1. Re:Run their own? by Anonymous Coward · · Score: 1, Interesting
      What are the obstacles to Nominet, say, running their own root server?

      Configuring every DNS on the planet to know about it ...

  3. What's new? by zeiche · · Score: 2, Interesting

    Looks like another example of a company that does not want to guarantee services they have accepted payment for. Nothing new here.

  4. What a joke... by Rev.LoveJoy · · Score: 3, Interesting
    So a couple years ago Jon Postel (RIP) can redirect all authoritative root server queries to his lab PC and the internet is no worse for the wear, but ICANN, with substantially more resources, redundant locations and dozens of authoritative root servers, cannot guarantee that some subset of them will always be online?

    Huh?

    What did I miss? We all have to meet requirements, whether you're a 5 nines shop (god help you) or not with respect to uptime and service availability. Why should ICANN be any different?

    Cheers,
    -- RLJ

  5. Some points to think about by cluge · · Score: 3, Interesting
    Most people realize that the root servers can be taken down. There have been several articles about this very concept (see http://www.theregister.co.uk/content/archive/22851.html for example).


    Given the nature of how DNS works, and how the root servers are run, how can ICANN guarantee anything? (it can't) If they do provide some sort of guarantee then haven't they added a financial incentive for someone to DOS the root servers?


    The Europeans are asking for something that cannot be delivered (currently), and if they get it the chances increase that someone will DOS the servers for some financial gain. (i.e. your server went down, I now don't have to pay you x dollars). If I was ICANN I wouldn't want to sign an agreement. It may be time for ICANN to change the way it does business, and the "ad hoc" nature that the root servers are maintained may have to change. DNS the protocol itself needs to be very carefully looked at as well.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  6. My suggestions regarding DNS stability/security... by karl.auerbach · · Score: 2, Interesting

    I wrote a document about some simple steps that could be taken to improve DNS security before ICANN's meeting last November.


    http://www.cavebear.com/rw/steps-to-protect-dns.htm

    Don't let the fact of 12 or 13 servers lull one into a sense of security - they are all fed data from the same source, and if that source is corrupted, then all the root servers will be corrupted. And that's not a hypothetical - the entire .com top level domain disappeared for a few hours in 2000. (Most people didn't notice this because of the damping provided by DNS caching, but it would have become really bad had the situation continued for a few more hours.)

    Also, because all of the root servers run a nearly common code base, they are potentially vulnerable to a common weakness.

    In addition, one need not bring down a server to take it off-line, an attacker need merely saturate the network in the vicinity of a target server so that no good traffic can get through. An even scarier notion is that of corruption of Internet routing so that packets flowing to DNS server addresses are forwarded out router interface null0.

  7. Re:Once every 3 hours, I think by PapaZit · · Score: 3, Interesting

    At the few places I've worked, the policy's always been that TTL = expected worst-case response time from the networking group plus a fudge factor.

    So, if DNS goes down at 10:00pm on a Friday, people (who have the addresses cached) can still get to the machines until the hung-over networking crew logs in to check things out the next morning.

    They'd bump the TTL way down, on the other hand, when major machine moves were planned.

    --
    Forward, retransmit, or republish anything I say here. Just don't misquote me.
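
A toy model of two behaviours discussed in this thread, failover between upstream servers and cached answers carrying clients through an outage. It is an added example, not part of any comment; the server names, zone entry and hour-based clock are constructed, and `CachingResolver` and `ride_out` are hypothetical names.

```python
# Constructed sample data: one name, two upstream servers (hypothetical names).
ZONE = {"www.example.test": "192.0.2.10"}
SERVERS = ["ns-a", "ns-b"]
NAME = "www.example.test"


class CachingResolver:
    """Minimal caching resolver; time is measured in whole hours."""

    def __init__(self, ttl_hours):
        self.ttl = ttl_hours
        self.cache = {}  # name -> (address, expiry hour)

    def resolve(self, name, now, down=frozenset()):
        """Return (address, source); source is 'cache', a server name, or 'fail'."""
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "cache"          # unexpired answer, no upstream needed
        for server in SERVERS:                # fail over to the next server in order
            if server in down:
                continue
            self.cache[name] = (ZONE[name], now + self.ttl)
            return ZONE[name], server
        return None, "fail"                   # entry expired and nobody reachable


def ride_out(ttl_hours, cached_at, outage_start, outage_end):
    """Hours inside a total outage at which lookups fail, for an entry cached at cached_at."""
    resolver = CachingResolver(ttl_hours)
    resolver.resolve(NAME, cached_at)         # warm the cache before the outage
    all_down = frozenset(SERVERS)
    return [hour for hour in range(outage_start, outage_end)
            if resolver.resolve(NAME, hour, all_down)[1] == "fail"]


if __name__ == "__main__":
    # Outage from Friday 22:00 (hour 22) to Saturday 10:00 (hour 34).
    # TTL 14 = 12-hour worst-case response plus a 2-hour fudge factor.
    print("TTL 14h, cached 21:00:", ride_out(14, 21, 22, 34))
    print("TTL 14h, cached 15:00:", ride_out(14, 15, 22, 34))
    print("TTL  3h, cached 21:00:", ride_out(3, 21, 22, 34))
```

What covers the outage is the lifetime remaining on each cached entry when the outage starts, so an entry cached several hours earlier expires mid-outage even with the longer TTL.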