ICANN, National Registrars Still Feuding
Damalloch writes: "The BBC website has this story about the EU's concern over ICANN's refusal to make guarantees about root server stability. Domain name registrars such as Nominet are threatening to withhold payment of ICANN's fees unless something is done to reassure them. So far ICANN has remained stubborn because of the huge lawsuit potential if a root server were to go down, but with the possibility of having their income reduced, they might just be convinced to do something."
But if one server went down wouldn't the requests just go to the other root servers instead? Isn't that how DNS works?
So presumably they've got decent machines and power supplies and connections for each server. And so the chance of one going down is quite low. The chance of enough of them going down at the same time to cause disaster has to be vanishingly small. If it's too big, add a few more servers.
Unless they include the possibility of them being hacked I suppose. But then they could just use several different operating systems and name server software to hugely reduce the chances.
I'm not sure I'm convinced that this is really the reason they won't give any guarantees; it seems like a reasonably safe thing to do to me.
Sig is taking a break!
They'd need ISPs who run DNS servers for their clients to point to their root servers. This is somewhat nontrivial.
A faulty version of software was released. And yes the fault was buried waaay down in a giant case or if/elseif statement. Normally no big deal, right? Just roll back. But they had things set up so that any machine connected to another would poll it for the version of software it had. If what it connected to had a newer version, it would download that and then hand it off to all its fellows. So by the time the bad code triggered and they realized they had a problem, it had already spread virus-like across the whole network. Going back to the older version on one machine was futile because as soon as it booted up it would connect to other machines and download the flawed software.
They had to eventually take their old version, give it a new, higher number, and then compile and release that. So that that 'feature' once again became a feature and not a bug. Many lessons to be learned.
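The update behaviour described in the comment above can be modelled in a few lines. This is an added example, not part of the original comment and not code from the system it describes; the ring topology, synchronous polling rounds, node count and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Build:
    version: int
    faulty: bool

GOOD_V1 = Build(1, False)   # known-good release
BAD_V2 = Build(2, True)     # faulty release with a higher number
GOOD_V3 = Build(3, False)   # old code recompiled under a new, higher number

def ring(n):
    """Constructed topology: each node peers with its two neighbours."""
    return {i: [(i - 1) % n, (i + 1) % n] for i in range(n)}

def sync_round(nodes, peers):
    """Each node polls its peers and adopts the highest version it sees."""
    nxt = {}
    for node, neigh in peers.items():
        seen = [nodes[node]] + [nodes[p] for p in neigh]
        nxt[node] = max(seen, key=lambda b: b.version)
    return nxt

def converge(nodes, peers):
    """Repeat polling rounds until nothing changes; return state and rounds."""
    rounds = 0
    while True:
        nxt = sync_round(nodes, peers)
        if nxt == nodes:
            return nodes, rounds
        nodes, rounds = nxt, rounds + 1

def faulty_count(nodes):
    return sum(b.faulty for b in nodes.values())

def scenario(n=8):
    peers = ring(n)
    nodes = {i: GOOD_V1 for i in range(n)}
    nodes[0] = BAD_V2                      # faulty build lands on one machine
    nodes, spread_rounds = converge(nodes, peers)
    after_release = faulty_count(nodes)
    nodes[3] = GOOD_V1                     # roll back a single machine
    nodes, _ = converge(nodes, peers)
    after_rollback = faulty_count(nodes)   # peers push v2 straight back
    nodes[3] = GOOD_V3                     # re-release old code as v3
    nodes, _ = converge(nodes, peers)
    return spread_rounds, after_release, after_rollback, faulty_count(nodes)

if __name__ == "__main__":
    print(scenario())
```

Because the only acceptance test is "higher version number wins", the rollback is overwritten on the next poll, while the renumbered old build displaces the faulty one through the same mechanism.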
Reassigning a root server address is hard because the operator likely has other machines in the address block whose numbers would also have to change.
The EU concern is not irrational; it is pretty weird that the root zone is essentially a volunteer effort given that the costs are not negligible and the responsibility immense.
Against this however there is a major political issue at stake. The root operators are in effect the arbiters of the DNS. If ICANN gets too big for its boots they are a check on it.
The other issue is that there are very few companies that could credibly manage the root zone on a contractual basis. It is one thing to run a server on a volunteer basis, quite another to provide a service guarantee.
One thing that is in the pipe may well change some of the concerns, in particular anycast addressing, which allows multiple servers to sit on the same IP address. The packets are routed to the 'nearest' machine. That will allow the deployment of additional root servers. It will also address some of the denial of service concerns.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/