The Root of All E-Mail

wiredog writes "A Washington Post story about the DNS, the VeriSign NOC, and some of the security therein." Especially interesting in light of the recent security lockdowns throughout much of the Western world. The havoc of losing the A root server would be bad, like Staypuft Marshmallow Man bad.

Next target for terrorists?

[Sims+Youth]

Surely, if one wanted to declare an "information war" on the United States, the DNS root servers would be the place to start. You'd take down the whole Internet in one fell swoop.

You'd think that the people with VeriSign would want a little redundancy in their DNS root system, but apparently this is what happens when you let one corporation monopolize critical national resources...

What the----

[daeley]

Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers.

They are apparently okay with featuring the place in an article in the Washington Post, though. Sheesh.

Re:What the----

[TechnoGrl]

Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers.

Gosh....then maybe they should take this ( http://www.verisign-grs.com/partner.html ) cocktail party invitation down from their web site?

VeriSign Registrar Partner Reception: A cocktail party to showcase VeriSign's Network Operations Center (NOC). VeriSign will provide tours of our NOC, complimentary beverages and heavy appetizers will be served.

Date: Friday, February 15th
Time: 7:30 p.m. - 9:30 p.m. ET
Location:
VeriSign Network Operations Center
21345 Ridgetop Circle
Sterling, VA 20166
Dress: Business Casual

Complimentary transportation will be provided by VeriSign. A bus will pick up guests in front of the Dulles Marriott at 7:00 pm ET. Return transportation will leave VeriSign facilities at 9:30pm ET.

R.S.V.P. to cbinko@verisign.com or Tel. +1-703-948-3877.

Re:What the----

[derch]

According to Yahoo Maps, the NOC you found is to the north of Sterling. According to sites listing the locations of the root nameservers (http://netmon.grnet.gr/stathost/rootns/), A ROOT is in Herndon. Herndon is south of Sterling.

There are other posts here which claim pretty much the same thing, including an AC poster saying he's in the know.

With the number of brick buildings in the northern Virginia area, the root's building is as obscure as a blonde woman in California.

Great Article

[jhaberman]

Reading about the physical security is interesting. I'm wondering why they wouldn't just contract out with the Government and move the operation to a secure military installation somewhere in the DC area. There are plenty of them around there. Granted, it seems that they have taken care of their current security needs, but it might be cheaper/easier to locate it in a protected area that is already guarded. I get the feeling that "Security through Obfuscation" (the actual building) might not be the best policy.

Still fascinating though.

Jason

This is what'll screw us all in the end

[Sims+Youth]

Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers.

Security through obscurity will never solve anything when used as the first line of defense.

If you're going to build a place like this, someone unauthorized will eventually find out about it. Hell, just look at the security of the government's nuclear research labs and the whole Wen Ho Lee fiasco a few years back. And nuclear secrets are far more dangerous than a temporary internet slowdown.

If I was them, I'd quit worrying about how plain looking and unmarked the building is and start worrying about how hardended it was made. Ideally, they would place it inside a mountain so it would be immune to various airliners falling out of the sky. Also, it would have a myriad of redundant network links.

Secrets have never worked in security before, and they won't work now. If they want to protect the root servers, they'll have to base it on sound engineering, not the assumption that no one will ever find which building it's located in (any network engineer with a sense of adventure and a flashlight can prowl the sewers tracing data lines, anyway.).

Re:This is what'll screw us all in the end

[Reality+Master+101]

Security through obscurity will never solve anything when used as the first line of defense.

Dude, it's the first line of defense, not the ONLY line of defense. Read the article.

There is nothing wrong with security through obscurity as one facet of security. It's when it's the only security that it's a problem.

Re:This is what'll screw us all in the end

[babbage]

Security through obscurity will never solve anything when used as the first line of defense.

Oh, I don't know about that. Sure, it's bad when it's the only line of defence, but as a mere "first" line I think it's perfectly reasonable. (Just as it's a reasonable defence to, say, have your web server misidentify itself, or to have an unlisted phone number, or what have you.) As long as the layers of security behind this first one are robust, obscurity is perfectly reasonable as a front line defense.

If I was them...

No offence, but thank god you're not, buddy... :)

Secrets have never worked in security before

Oh baloney, they work all the time. Maybe you should consider putting down the standard /. party line and try putting some of this hyperbole into perspective. If secrets have never worked then why is the story of the Trojan Horse so famous? If secrets have never mattered then why is the element of surprise considered to be so tactically valuable? If secrets didn't matter to security then why did Nixon have those 18 minutes of blank tape, and why did Cheney turn in thousands of blank documents, and why do all governments bother classifying things as top secret?

If you're in a position of just stupendously overwhelming strength -- like say if the US were to invade Bermuda tomorrow -- then no I don't suppose you need to be all that secretive about things. For everyone else, in every other situation, secrets can have an important role to play. Even if trolls would suggest otherwise.

Alternic, anyone?

This is a good reason why non-centralized services are a good idea--they don't need that level of 'eggs-in-one-basket' security.

Huh?

I thought the Internet was designed to survive nuclear war. I guess the fine print must read "as long as the bombs don't fall on certain bottleneck locations".

You call that physical security?

What? No guards with shotguns? No dogs? No mines?

Geez. They're a bunch of wimps.

Marshmallow Man??

[HamNRye]

Hmmm, the article seems to make a BIG point out of the fact that losing the A root would be non-catastrophic. Indeed, they mention that 8 of 13 roots would have to be down before the average user would notice the slowdown. It's nice to know the users here aren't the only ones who like to post without reading the article.

But the article further goes to mention how important the Internet is to our economy. Is this true?? I don't really think of the internet as critical infrastructure.

If the Net went down tomorrow, and was down for a week, would this really affect the economy in a signifigant way?? (Well, aside from the panic of investors...)

I understand that more and more comapnies are using the Net in a part of their workflows, but I don't think the internet provides and unique service that couldn't be done without.

E-mail: Use the phones.
Web: Read a book

Any data that is transferred could just as easily go by modem.

The internet serves as a convenience in many ways, but I dont think this almost 10 year old (less in the corporate mind) bit of infrastructure has become crucial to us yet. It has really been just the last few years that anybody started doing anything with the net at all, and mostly that has been VPN and changing communication methods. (i.e. Use the net instead of UUCP and a modem.)

So, my question is, what kind of critical services would be missing if the net suddenly went away. Sorry, I do not consider e-mail a critical service.

~Hammy
nothing4sale.org

Re:Marshmallow Man??

[hab136]

>But the article further goes to mention how important the Internet is to our economy. Is this true?? I don't really think of the internet as critical infrastructure.

Many, many companies have replaced dedicated T1's with VPNs (or just SSL sessions) over the internet. My employer (unnnamed, large [several billion in assets] bank) is one of them. Yes, important financial stuff.

To put it briefly, we'd be really hurting if the internet was down more than a day, and *really* screwed if it was down for any extended amount of time. It takes a long time to get Ma Bell to provision new circuits.. 2 weeks for a "rush" job.

physical security vs electronic security

[Indy1]

I know with code, protocols, and other "virtual" items, security through obscurity is a poor solution. But with a physical campus, is obscurity a bad idea? Granted, it shouldnt be the only defence. Its not like you can open source the building and have a million developers check for flaws in the security method ? :)

anyways, just food for thought.

Overrated

[photon317]

As briefly noted in the Post article, the DNS infrastructure, like most essential net technology, pretty much doesn't have any single points of failure. It's immune to local physical attacks or natural disasters. The article is just a sensationalist trip into a modern high security datacenter full of Ooh-ing and Aah-ing, and doesn't have much relevance at all to the security or stability of the 'net.

Only one machine? Hardware failure?

[Ryu2]

I was thinking at least round-robin DNS cluster but it seems like A root server is just one box. I'd worry about hardware failure more than terrorism if it was just ONE machine running the zone. What kind of hardware does the A server run on anyways?

Hrmm Interesting...

[matth]

So.. let me get this straight. Verisgn realizes that they basically "run" the internet and as a result they don't care if they blow customers off. I'm sure I'm not the only one who has had major issues with Verisgn. Even writing to them for a simple answer to a simple question about how often domain names are flushed from their database results in them coming back to me with a request for more information. I ask them

"> How often do you guys "flush" your database so
that expired domain names
> become public again? There are some domain names (even ones I've owned
> but not renewed that after a year are still in the database)."

and they say:

"Please know we genuinely want to help you in this matter.
In order for us to assist you please send the following to:
customerservice@networksolutions.com

a) A detailed description of your concern or question
b) The domain name
c) account number (if applicable)
d) Any NIC tracking numbers you may have received. These
appear in the subject line of the header of all messages
sent from VeriSign (example: NIC-010409.3ee1)"

What Ever! I included more then enough information in my e-mail. Perhaps the fact that Verisng is "god" of internet domains and NSI is the reason they haven't expired domains that have expired since 1 - 1 1/2 years ago!!!?!?

Not too important

[halftrack]

If someone should be able to knock out all these root servers, zone-files and the major DNS's in the world the net would still excist. In the days to follow such a thing hackers would start running DNS-servers, searching logs and reconstruct the domains. Following weeks governments world wide would have reconstructed the net on more solid bandwidth.

Forget the NOC

[MeNeXT]

Go after the local tel-co CO.

In any security situation all you would need to find is the weakest link. It doesn't matter how well that building is protected it needs to comunicate with the world and therfore this issue is more complex than it sounds.