Slashdot Mirror
ICANN, National Registrars Still Feuding
Damalloch writes: "The BBC website has this story about the EU's concern over ICANN's refusal to make guarantees about root server stability. Domain name registrars such as Nominet are threatening to withhold payment of ICAAN's fees unless something is done to reassure them. So far ICAAN has remained stubborn because of the huge lawsuit potential if a root server were to go down but with the possibility of having their income reduced, they might just be convinced to do something."
..no link to the root server? how can we /. it?
this was a joke.
The Kruger Dunning explains most post on
But if one server went down wouldn't the requests just go to the other root servers instead? Isn't that how DNS works?
So presumably they've got decent machines and power supplies and connections for each server. And so the chance of one going down is quite low. The chance of enough of them going down at the same time to cause disaster has to be vanishingly small. If it's too big, add a few more servers.
Unless they include the possibility of them being hacked I suppose. But then they could just use several different operating systems and name server software to hugely reduce the chances.
I'm not sure I'm convinced that this is really the reason they won't give any guarantees, it seems like a reasonably safe thing to do to me.
Sig is taking a break!
What are the obstacles to Nominet, say, running their own root server.
They must already have bandwidth and physical security
More redundency, especially outside the US, can only be a good thing, right?
Hogsback
Firstly and foremost because it's a U.S. entity who pretends to be an international entity and the Internet quit being a U.S. entity a long time ago.
I suspect that China will be the first to set up its own root DNS servers and start issuing non-ICANN-approved domain names, probably in competition with ICANN and Versign. Other's will soon follow. Soon every big ISP both in the U.S. will see the need to have its own root DNS server. Of course there will be some cooperation required between the different DNS roots if their customers are going to be happy. Hopefully, this new cooperation will end the monopoly ICANN has over the administration of the Internet, leaving unsportsman like players like Versign standing out in left field, wondering why nobody is tossing them the ball anymore.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Almost every time anyone looks for a webpage these root servers are consulted.
Surely this cannot be true... Don't DNS servers cache address resolutions?
I Heart Sorting Networks
It sounds as if all that's required is a standard Service Level Agreement. The kind of thing that's standard through most big corporates, and has a clause along the lines of "we guarantee 99.5% uptime, if service drops below this we pay £x.xx per quarter percent below.".
It seems that it's the refusal to provide something like this, rather than technical worries, that are underlying this dispute.
Cheers,
Ian
If ICANN can't legally hold accountable the people running the root servers, then there's no way they'd provide any guarantees to anyone. That much makes sense.
Furthermore, the root servers (again, from the article, don't flame me if I'm missing a nuance or two) don't really DO much. They just tell you where to go to get info for each of the top-level domains. Not exactly a whole lot to running one of these other than keeping it from crashing.
My question, though, is why is anyone worried about a root server crashing? There are 13 of 'em. Wouldn't your DNS server ask someone else if the "preferred" root server suddenly went Tango Uniform? Are there backup root servers out there to jump in? Ways to route around the damage, as it were?
What I still find amazing is that ICANN hasn't managed to take full physical and financial control of all the root servers. When I was in school, I remember thinking it was cool that we had one of the root servers (terp) in my building. It was amazing to see how a loose group of unrelated institutions had somehow set up a reliable, workable, DNS system.
In fact, it sounds like this is still the case, somewhat. Do these root server operators have ANY contractual controls on what they do? If not, then why the hell can't we just get THEM to add new top level domains? Screw ICANN. The servers don't belong to them, they belong to the people running 'em. As long as the guys running the roots don't point
And, if they were to do this, could ICANN even stop them? They'd have to repoint all the root.hints files across the entire globe, wouldn't they?
Or is this the kind of Chaos that the EU is afraid of?
Looks like another example of a company that does not want to guarantee services they have accepted payment for. Nothing new here.
Man, it would really hit the fan. That would gaurentee that the WTO would take over the domain names.
The Kruger Dunning explains most post on
A faulty version of software was released. And yes the fault was buried waaay down in a giant case or if/elseif statement. Normally no big deal, right? Just roll back. But they had things set up so that any machine connected to another would poll it for the version of software it had. If what it connected to had a newer version, it would download that and then hand it off to all its fellows. So by the time the bad code triggered and they realized they had a problem it had already spread virus-like across the whole network. Going back to the older version one one machine was futile because as soon as it booted up it would connect to other machines and download the flawed software.
They had to eventually take their old version, give it a new, higher number, and then compile and release that. So that that 'feature' once again became a feature and not a bug. Many lessons to be learned.
The "F" root server, located at the Internet Software Consortium offices in Redwood City, California, is fitted with eight gigabytes of Ram and handles over 272 million domain queries per day.
I challenge us to slashdot it!
Imperium et libertas
Autocracy and freedom
http://www.cisco.com/public/sw-center/sw_download_ guide/dnsfaq.html gives a list of root servers and their IP Addresses, as well as some good information about the basics of DNS.
http://www.isi.edu/in-notes/rfc2870.txt talks about the requirements for a root server. From this:
1.1 The Internet Corporation for Assigned Names and Numbers (ICANN)has become responsible for the operation of the root servers. The ICANN has appointed a Root Server System Advisory Committee (RSSAC) to give technical and operational advice to the ICANN board. The ICANN and the RSSAC look to the IETF to provide engineering standards.
As such, it looks like ICANN is the only organization that can take responsibility of the system.
section 2.3 estimates that 2/3rds of the servers could be taken out and functionality would be maintained.
The Internet Software Consortium runs F on BIND 8.2.3 (Hrmmn... their latest release is 8.3.0 and they've noted that 8.2.5 has a security bug, and the 9 series *is* out and at the 9.2 series, does anyone else find it disconcerting that they run 8.2.3?) Does anyone know of a list of who takes care of these root servers?
This is true, to an extent. Different and widely spread organizations run the root name servers, using different OS's, hardware configurations, and network connectivity.
Concentrating and centralizing the root name servers would defeat the diversity that now exists. If one goes down, the others pick up the load. If there's a fatal hardware bug in one, it probably won't affect the servers running on different hardware. And, most of all, A single business or management failure will not disrupt root nameservice.Whoever in the EU (I suspect it's some ex-communist beaurocrat who loves centralized authority) thinks that things are bad now should read the RFC 2870, Root Name Server Operational Requirements and get a clue.
Joh Postel was the man. Why not vote for another pontificate?
Codifex Maximus ~ In search of... a shorter sig.
Huh?
What did I miss? We all have to meet requirements, whether your a 5 nines shop (god help you) or not with respect to uptime and service availability. Why should ICANN be any different?
Cheers,
-- RLJ
The root servers are what makes a sea of unconnected networks into the apparently seamless internet. What you are suggesting would fragment the internet back into separate networks. Typing slashdot.org in europe could go to their 'root' servers and be directed to whoever their root says owns that domain. While typing the same address elsewhere in the world would take you to a different site.
Pretty big change. There have been companies that set up new top level extensions (impatient with ICANN and who can blame them) and sell those addresses, but for visitors to get to those sites the visitors need to have the dns settings in their computer modified. And if ICANN eventually rolls out the new extension (and I think there is one extension that this applies to, can anyone remember? biz maybe?) you could then have two company.biz sites, and which one the browser goes to depends on which root it's querying. Man, what a mess.
Given the nature of how DNS works, and how the root servers are run, how can ICANN guarantee anything? (it can't) If they do provide some sort of guarantee then haven't they added a financial incentive for someone to DOS the root servers?
The Europeans are asking for something that cannot be delivered (currently), and if they get it the chances increase that someone will DOS the servers for some financial gain. (i.e. your server went down, I now don't have to pay you x dollars). If I was ICANN I wouldn't want to sign an agreement. It may be time for ICANN to change the way it does business, and the "ad hoc" nature that the root servers are maintained may have to change. DNS the protocol itself needs to be very carefully looked at as well.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Kidding ... sorry. :-)
-- RLJ
The root servers should be owned by a formal co-op, owned collectively by everyone who has a domain name registered, and run by an elected board with a hired staff. This would be a "producer co-op", like Agway, the giant co-op for farmers, rather than the more common consumer co-op. This would bring together the interests of the people who need the root servers to stay up, the domain owners, and the ownership of them.
Charge for a subscription to a root DNS server. One can make money off both ends: charge the domain name holder for the reservation on your server, AND charge the end user a yearly or a per use fee for DNS resolution. The latter requires some form of micropayment, but it's probably quite workable.
The benefit to the end user is that one could subscribe to a completely Disne-fied root that would have only family-friendly sites, whereas another server would have all those wacky pr0n sites you could ask for. Somebody would probably even have a free root server out there based on his/her special interest groups.
Heck, you could even charge for translating addresses to other systems. No need to worry about foreign DNS servers - if they don't pay up, they don't get access to your root.
Some people would still get around the whole thing by just typing in the octet directly, but that would be such a small percentage that it wouldn't even matter.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Looking at my DNS config files, it looks like each domain can set it's own TTL (Time To Live) duration for its current settings before it needs refreshing. The default setting is 3 hours, which is what I presume everyone normally leaves it at.
Phillip.
Property for sale in Nice, France
Thats one that has always puzzled me? root.hints contains the list of root servers. and it doesn't have through Z in the current naming convention, so why can't be have more root servers. I mean esspecially with the price of hardware, and such being what it is, it shouldn't be that hard to set up additonal root servers. I mean if the DNS howtos of the world just included a line like, "Your root.hints now includes the ICANN servers, add these additional listings for the other servers"? I partially agree that there does need to be a central authority for all this, but I do think ICANN is handling it in the best way. There is a need for some control so that two people don't try to register the same name with different authorities, and create a conflict. However, I also think its should be a case of first come first serve on getting the names, and the trademark game should not be a consideration.
But I could be completely wrong because I so think, that DNS records should also include rudimentry routing info that helps the rest of the world find that last hop to my network since my ISP will not route for me. And I also think that DNS should have the ability to have a PORT record so when doing a DNS lookup the person looking me up can be directed to service ports within my IP so www.foo.com can live on port 8090 for instance because cable modem companies sometimes block port 80. That way when www.foo.com gets looked up the client not only gets the IP, but the port on the server to connect too, so users don't have to have stupid IPs like http://www.foo.com:8090, DNS takes care of passing the 8090 as part of the lookup reply.
I am working on the RFC for this since there doesn't seem to be one.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
If China sets up it's own root servers, I'll be the first to have my mail server do a lookup to see if the root server of the sender exists in China to block access.
That will give me about 95% more bandwidth.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I know, I know, what a troll...but sometimes I get so fed up...
-h-
Yes, it is about money.
If your company was administering a ccTLD and ICANN comes knocking at your door for money when they can't make any assurances of your ccTLD being served to the rest of the world, why should you pay them?
To make an analogy, ICANN is to the Internet like the UN is to an international government; they are both generally ineffective but continuously demanding an ever increasing sum of money to be able to join the party.
The simple fact is that ICANN can't... (make any assurances) because they ultimately can't step in and takeover the root servers. Otherwise, they'll find themselves in a bigger controversy. Mind you, ICANN is no stranger to controversy.
very well, the address is F.root-servers.net and I'm serious, check it!
Imperium et libertas
Autocracy and freedom
This is totally inaccurate. If you are searching for www.bbc.co.uk, your computer asks the local DNS cache (listed in /etc/resolv.conf, unless you have some retard OS). That cache then asks a root server for www.bbc.co.uk (if that information has not already been cached). This produces a referral to the .uk nameservers. The process continues for co.uk and bbc.co.uk as necessary. Note that it does not ask the closest root server, because the cache has no way to know what this is. BIND uses the "fastest" server (until it overloads from all the other BIND servers using this strategy); djbdns's dnscache picks one at random.
One way to avoid delays at the root servers is to run your own local root server, and periodically download the root zone. This shows you how to do it using the ORSC root zone, but you can do it with the standard root as well. You can AXFR it from one of the root servers. Then you tell your local cache to use your local root as the root server.
This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
Unless people get smart and dump M$, it's hard for anyone to gaurantee any service. It's kind of like planning to meet someone on Burbon Street for Mardi Grass, your voice will be lost in the noise. All the resources in the world won't protect you from irresponsible net usage.
By the way, 13 is 1.08333... dozen.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I wrote a document about some simple steps that could be taken to improve DNS security before ICANN's meeting last November.
. ht m
.com top level domain disappeared for a few hours in 2000. (Most people didn't notice this because of the damping provided by DNS caching, but it would have become really bad had the situation continued for a few more hours.)
http://www.cavebear.com/rw/steps-to-protect-dns
Don't let the fact of 12 or 13 servers lul one into a sense of security - they are all fed data from the same source, and if that source is corrupted, then all the root servers will be corrupted. And that's not a hypothetical - the entire
Also, because all of the root servers run a nearly common code base, they are potentially vulnerable to a common weakness.
In addition, one need not bring down a server to take it off-line, an attacker need merely saturate the network in the vicinity of a target server so that no good traffic can get through. An even scarier notion is that of corruption of Internet routing so that packets flowing to DNS server addresses are forwarded out router interface null0.
. .
If I read this correctly, the reason why the EU local registries don't have their own root servers, and hence control over service levels is a historical issue.
Excerpting from the Internet Software Consortium's page, linked above - and please allow me to state that such a reference is anecdotal rather than given fact,
The "one in Europe" btw was NOT Nominet or another registrar, it was a guy working for LINX, the London INternet eXchange.
There's good reason for this, as late as the early 1990s, Europe was still thinking that X.500 was the way forward, and a large amount of resources from universities, telcos and local standards agencies was devoted to "interoperability" testing of X.500 directory services. What really happened was the standards lagged the implementations so badly that vendors and implementors went ahead and did their own thing, creating, as anyone who has dealt with X.500, a nightmare for inter -vendor interoperability. That created the space in which the InterNet and DNS / BIND could flourish. FWIW, LDAP is a (nor precisely, so please don't flame me, too large a subject for absolute accuracy here) derivative of X.400, itself a cut down form of X.500. Novell's eDirectory, which runs some of the largest sites (CNN.com, AOL messenger services) is itself a souped up LDAP implementation.
You can find a brief overview of X.500 and what the "authorities" in Europe were up to as late as 1990 and beyond in this history of X.500
I'm British born myself, but this all seems to me to be Euro - Whining. Particularly the UK's Nominet making an issue of this is absolutely BS. Nominet has, IMO, very sharp practises. If you "buy" a domain in the UK (domain.co.uk) via an ISP, Nominet maintains a "tag" linking your domain to the "provding" ISP, until another ISP takes it over. Domains _never_ go back into circulation when they expire. Nominet refuses, on the whole, unless you threaten or cajoule them with considerable effort, to "release" your domain because it states it will not get involved in contractual disputes between you and your ISP. Most UK ISPs make contracts which lock you in to your services and charge a considerable and hefty severance fee, usually buried in the small print. You _can_ get a "Neutral Tag" applied to a UK domain, if you pay GBP £80 for two years, which fee goes back to the ISPs who are members of Nominet, which is a for profit company, limited by guarantee, a rare form of UK company which offers very lax statutory reporting. Even though you _can_ do all this, I've had several clients now who've complained to Nominet, e.g. when their ISP is TU and no longer provides service, and Nominet tells them anyway that they can only deal with an ISP who is a member of Nominet. Obviously that's BS. But you can't register a domain in the UK for
Sorry for that rant against Nominet, but it's Crocodile Tears time again and minus several million points for the Brits, as per usual.
Please follow the links above, investigate yourself . . .
Ah, so you want to exclude this new system from controlling
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Reassigning a root server address is hard because the operator likely has other machines in the address block whose numbers would also have to change.
The EU concern is not irrational, it is pretty wierd that the root zone is essentially a volunteer effort given that the costs are not negligible and the responsibility immense.
Against this however there is a major political issue at stake. The root operators are in effect the arbiters of the DNS. If ICANN gets too big for its boots they are a check on it.
The other issue is that there are very few companies that could credibly manage the root zone on a contractual basis. It is one thing to run a server on a volunteer basis, quite another to provide a service guarantee.
One thing that is in the pipe that may well change some of the concerns, in particular anycast addressing which allows multiple servers to sit on the same IP address. The packets are routed to the 'nearest' machine. That will allow the deploment of additional root servers. It will also address some of the denial of service concerns.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/