Slashdot Mirror


The Root of All E-Mail

wiredog writes "A Washington Post story about the DNS, the VeriSign NOC, and some of the security therein." Especially interesting in light of the recent security lockdowns throughout much of the Western world. The havoc of losing the A root server would be bad, like Staypuft Marshmallow Man bad.

16 of 311 comments

  1. Re:Next target for terrorists? by alwayslurking · Score: 2, Informative

    Read the article: massive redundancy, in that you have to take 8 of 13 down before you really cause havoc. Looks like the single A can be mirrored from any of the subs if it were toasted. Since they're distributed geographically, it's not all doom and gloom.

  2. Secret? by geogeek6_7 · Score: 3, Informative

    "Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers."

    Hmmm....

    VeriSign Network Operations Center
    21345 Ridgetop Circle
    Sterling, VA 20166


    I don't think security is *quite* as tight as they say. 'Course, if A root were to go down, I wouldn't know the difference between that and the crappy Windows DNS servers here....

    1. Re:Secret? by bwulf · Score: 3, Informative

      % host -t soa . | head -1
      . start of authority A.ROOT-SERVERS.NET nstld.verisign-grs.com(
      % whois verisign-grs.com
      (...)
      Registrant:
      Network Solutions, Inc. (VERISIGN-GRS2-DOM)
      505 Huntmar Park Drive
      Herndon, VA 20170
      US

  3. Sheesh by Reality Master 101 · Score: 5, Informative

    Hemos said...

    Especially interesting in light of the recent security lockdowns throughout much of the Western world. The havoc of losing the A root server would be bad, like Staypuft Marshmallow Man bad.

    Absolute proof that the Slashdot editors don't even bother to read the articles, and just depend on their wrong understanding of things.

    From the article...

    "The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN).

    ICANN manages the DNS and sets policies for registry operators and domain name retailers.

    "Theoretically, if 'A' were to disappear, we could pick it up from one of the other servers," Crain said. "Moving the place where the zone is picked up is very simple."

    In other words, don't panic. The A server is just the highest profile target.

    --
    Sometimes it's best to just let stupid people be stupid.
  4. Re:Next target for terrorists? by LMCBoy · Score: 5, Informative

    The slashdot post is misleadingly sensationalist (I know, shocking!)

    The article states that 8 of the 13 root servers (which are located throughout the US) would have to fail simultaneously before internet users would even notice something was wrong. I think that qualifies as "a little redundancy"...

    --
    Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
  5. Re:Next target for terrorists? by Slynkie · Score: 3, Informative

    Actually, the article states that the redundancy does exist, and that the A root server is not really a target; 8 or more of the 13 master servers located around the world would have to be taken out before internet users would even begin to notice.

  6. Re:Next target for terrorists? by Mike Schiraldi · Score: 3, Informative

    You need to read RFC 2870.

  7. Taking down enough DNSs... not easy! by Gruturo · Score: 5, Informative

    I have a world map with root-servers pointed on it, looks like the area in which the A server is (Virginia, Maryland) hosts not one but six (A, C, D, G, H and J) servers, some of which (like H, run by US Army) are probably veeery well defended...
    I found a link to the same pic on the net:
    cs.ucla.edu

    ...or maybe just nuke the whole area and you take down 6 of them

    --

    Vacuum cleaners suck. Kings rule.
  8. Re:OT: Software for those wall-size displays? by Zurk · Score: 2, Informative

    NOCOL: http://www.netplex-tech.com/software/nocol/ usually.
    It takes data from router SNMP and displays it graphically.
    I would imagine some custom work goes on for converting it into a wall-mounted display.
    Some companies must be doing minor custom work on it as consultants.

  9. Re:Distributed DNS? by L-Train8 · Score: 5, Informative

    DNS is already distributed. Your friendly neighborhood ISP caches the most often used DNS info, and 80% of internet traffic is resolved there. Only a small portion of traffic has to be escalated to a root server. That's why, as the article said, 8 of the 13 root servers would have to be taken out simultaneously for users to notice any slowdown. An attack on the A root server would be more symbolic than actually damaging. Even if it was done by the Stay-Puft Marshmallow Man.

    --

    Don't forget that Friday is Hawaiian shirt day.
  10. Re:Blindfolded by Anonymous Coward · Score: 1, Informative

    Here is a map to VeriSign's Network Operations Center (NOC).

  11. Re:What the---- by iuyterw · Score: 1, Informative

    The root hasn't been in Herndon for a while now. NSI moved their headquarters to Sterling shortly after the VeriSign buyout. The only part of VRSN/NSI that's still in Herndon is the call center.

  12. Re:root servers are redundant, how 'bout MAE? by sinator · Score: 0, Informative

    At the intersection of VA Route 7 and Gallows Road (International Drive, depending on which side you're coming from)

    --
    Three Step Plan:
    1. Take over the world.
    2. Get a lot of cookies.
    3. Eat the cookies.
  13. MAEs not as important as they once were by schnell · Score: 3, Informative

    Once upon a time, the MAE NAPs were certainly a big choke point. A few years ago, you could have blown up two nondescript buildings across the street from each other in Tyson's Corner, VA (MAE-East 1 and 2) and a tall building on Market Street in San Jose (MAE West) and pretty much taken down the Internet.

    However, that's not so much the case today. The fact is that most traffic (in the US at least) goes between the Big Three (UUNET/WorldCom, Sprint and Cable & Wireless), or at least it could go because most networks have an upstream multihomed connection to one or more of the big three. And those guys have plenty of private interconnections, some of which are outside of the NAPs.

    Networks have also shifted away from the old MAE model (FDDI connections into these huge mother-f***er DEC gigaswitches housed in the MAE buildings) and towards ATM-based NAPs, where you just get a virtual circuit in a "cloud" in the area. The weakness of the FDDI-gigaswitches model that caused people to move away from them was not the security aspect, but rather that they were a huge pain to upgrade and became a huge sinkhole for packet loss when they were overburdened (e.g., MAE-East in late 1997).

    Of course, the MAEs still are important - there's a hell of a lot of fiber running through there, and taking it out would require everyone to route around it, causing a HUGE temporary disruption - but they're not the tremendous choke point/security risk that they once were.

    --
    "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
  14. Re:a slowdown? by Slynkie · Score: 3, Informative

    "DNS resolution would stop"

    Uhm...what?!? I don't think so...even if all 13 root servers died, DNS resolution would -not- stop. The world's DNS servers rely on the root servers for updates, not for connectivity...if the root servers died, the hierarchically lower servers would keep on truckin', and simply wouldn't be updated until someone promoted a new server to root status.

  15. Re:Distributed DNS? by BarefootClown · Score: 3, Informative

    [Your] friendly neighborhood ISP caches the most often used DNS info, and 80% of internet traffic is resolved there...That's why, as the article said, 8 of the 13...

    Actually, the reason you'd have to take out 8 of the 13 has nothing to do with caching. It's because the root DNS servers MUST be able to handle three times the peak traffic of any one server at any time; that is, normal traffic, with all servers operating, MUST never exceed 1/3 capacity of the server in question. This is part of RFC 2870, the RFC that specifies operational details for the root servers. The RFC specifies this level of capacity to provide for redundancy; that capacity means that we can lose 2/3 of the servers without overloading the remaining boxen. 8 is just a shade less than 2/3 of 13, so that's where we get the number.

    (Grammar correction mine.)

    --

    "Make it ten--I am only a poor corrupt official."
    --Captain Louis Renault (Claude Rains), Casablanca
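A toy model, added here as an example and not part of the thread or the Post article, that ties together two points made above: the redundancy arithmetic in comment 15 (the commenter's reading of RFC 2870, that each root runs at no more than a third of its capacity) and the cache behaviour behind comment 14's "keep on truckin'". The root server names are real; the TLD name servers, the resolver logic and the outage scenarios are constructed for illustration, and the 172800-second TTL is the value the root zone publishes for TLD NS records.

```python
# Added example (not from the thread or the Post article): a toy model of how a
# caching recursive resolver depends on the 13 root servers. Root names are real;
# TLD name servers, resolver logic and outage scenarios are constructed.
from math import ceil
import random

ROOT_SERVERS = [f"{c}.ROOT-SERVERS.NET" for c in "ABCDEFGHIJKLM"]

# The root zone publishes TLD NS records with a 172800 s (48 h) TTL.
TLD_NS_TTL = 172800


def max_tolerable_losses(n_servers: int, headroom: int = 3) -> int:
    """How many servers can fail before the survivors are overloaded.

    Comment 15's reading of RFC 2870: each server carries 1/n of the load and
    must run at no more than 1/headroom of its capacity, so any ceil(n/headroom)
    survivors can absorb the whole load. For n=13, headroom=3 that is 5
    survivors, i.e. 8 losses.
    """
    return n_servers - ceil(n_servers / headroom)


class ToyResolver:
    """Minimal stand-in for a caching recursive resolver (constructed)."""

    def __init__(self, roots, reachable):
        self.roots = list(roots)
        self.reachable = set(reachable)   # which roots currently answer
        self.cache = {}                   # tld -> (ns_list, expires_at)
        self.root_queries = 0

    def _ask_root(self, tld, now):
        # Real resolvers pick a root by measured RTT and retry others on timeout;
        # a random order is enough to show that any answering root suffices.
        for server in random.sample(self.roots, len(self.roots)):
            self.root_queries += 1
            if server in self.reachable:
                ns = [f"ns{i}.{tld}.example" for i in (1, 2)]  # constructed referral
                self.cache[tld] = (ns, now + TLD_NS_TTL)
                return ns
        raise TimeoutError("no root server answered")

    def delegation_for(self, name, now):
        """Return the TLD name servers for `name`, consulting a root only on cache miss."""
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        cached = self.cache.get(tld)
        if cached and cached[1] > now:
            return cached[0]              # served from cache: no root contacted
        return self._ask_root(tld, now)


def scenario_partial_outage(seed=1):
    """8 of 13 roots unreachable: resolution still succeeds within 9 root queries."""
    random.seed(seed)
    r = ToyResolver(ROOT_SERVERS, reachable=ROOT_SERVERS[8:])   # only I..M answer
    r.delegation_for("www.example.com.", now=0)
    return r.root_queries


def scenario_total_outage():
    """All 13 roots unreachable: cached delegations keep working until their TTL expires."""
    r = ToyResolver(ROOT_SERVERS, reachable=ROOT_SERVERS)
    r.delegation_for("www.example.com.", now=0)    # warm the cache while roots are up
    r.reachable = set()                             # now every root disappears

    def resolves(name, now):
        try:
            r.delegation_for(name, now)
            return True
        except TimeoutError:
            return False

    return (
        resolves("mail.example.com.", now=3600),             # .com cached: works
        resolves("ftp.example.com.", now=TLD_NS_TTL + 1),    # TTL expired: fails
        resolves("host.example.org.", now=3600),             # .org never cached: fails
    )


if __name__ == "__main__":
    print("tolerable root losses (n=13, 3x headroom):", max_tolerable_losses(13))
    print("root queries needed with 8 of 13 down:", scenario_partial_outage())
    print("(cached, expired, uncached) with all roots down:", scenario_total_outage())
```

The first scenario is why the A server is a poor target: a resolver does not care which root answers, so any of the five survivors serves the referral. The second scenario is the practitioner's caveat to the "keep on truckin'" view: with every root unreachable, a resolver keeps answering only for TLDs whose referral it already holds, and only until that 48-hour TTL runs out.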