Slashdot Mirror


Fort N.O.C.'s Security in Obscurity

penciling_in writes "Brock N. Meeks of MSNBC reports on his recent visit to VeriSign's secret location: 'The unassuming building that houses the "A" root sits in a cluster of three others; the architecture looks as if it were lifted directly from a free clip art library. No signs or markers give a hint that the Internet's most precious computer is inside humming happily away in a hermetically sealed room. This building complex could be any of a 100,000 mini office parks littering middle class America.' The report goes on to say: 'Access to the Network Operations Center, the "NORAD" of the Internet's traffic monitoring, requires the electronic badge and then a double biometric hand print scan.' And here are Karl Auerbach and Robert Alberti offering their interesting analysis of this report on CircleID."

297 comments

  1. Good for verisign.. by grub · · Score: 5, Funny


    Sure, the .COM and .NET TLDs are safe from terrorists but one self-righteous bitch can take down goatse.cx

    I'm still fuming about that.

    --
    Trolling is a art,
    1. Re:Good for verisign.. by DAldredge · · Score: 1

      Why are you pissed?

    2. Re:Good for verisign.. by Anonymous Coward · · Score: 1, Insightful

      Thank goodness. Goatse.cx wasn't funny the first time.

    3. Re:Good for verisign.. by Anonymous Coward · · Score: 0

      Just a little thing called "freedom of speech". Censorship aggravates a lot of people here, apparently.

    4. Re:Good for verisign.. by Anonymous Coward · · Score: 0

      freedom of speech doesn't apply to all countries.

      never has. some countries have different rules.

      what i wish would happen is that any idiot who EVER posted that url would be permanently kicked off the internet.

      that would be wonderful.

    5. Re:Good for verisign.. by PD · · Score: 2, Funny

      He talks with that orifice? I'm impressed.

    6. Re:Good for verisign.. by Anonymous Coward · · Score: 0

      Nothing to masturbate to tonight. Remember which web site you are on... there is so much homoerotic word play on slashdot, it's sad. You guys need to just come out of the closet already.

    7. Re:Good for verisign.. by Anonymous Coward · · Score: 0
    8. Re:Good for verisign.. by Anonymous Coward · · Score: 0

      Being slashdotted. What is it all about?

      Is it good, or is it whack?

    9. Re:Good for verisign.. by nucal · · Score: 0, Offtopic
      > Being slashdotted. What is it all about?
      >
      > Is it good, or is it whack?

      The goatse.cx domain has been suspended.

    10. Re:Good for verisign.. by mobby_6kl · · Score: 1, Insightful

      Do the right thing, help the community by signing the petition here to bring back goatse.cx. Thank You.

    11. Re:Good for verisign.. by juniorkindergarten · · Score: 5, Funny

      I'm glad the goatse.cx is gone, but I had to laugh when I saw this on kuro5hin.org:

      An ode to goatse (2.73 / 19) (#59)
      by komet on Sun Jan 18th, 2004 at 05:25:25 AM EST
      (my user id @ the domain of my homepage) http://4you.ch

      To the tune of "American Pie" by Don McLean
      I can still remember how that image used to burn my eyes
      And I knew if I had my chance
      I could hide a link in a rant
      and maybe they'd be pissed off for a while.
      But January made me shiver
      with every link-troll I deliver
      Bad links on the doorstep, I couldn't take one more step.
      I can't remember if I cried
      when I heard about his orphaned site
      But something touched me deep inside
      the day the goatse died.

      So bye bye to the goatse site
      Put his fingers up his asshole and his asshole was wide.
      Yeah these old trolls were on Slashdot and K5
      Singing this will be the day the Net dies
      This will be the day the Net dies.

      --
      "Every security scheme that is based on secrets eventually fails." - Steve Jobs
    12. Re:Good for verisign.. by NDPTAL85 · · Score: 1

      How exactly does participating in the single most useless thing anyone can do, an online petition, help with ANYTHING!?

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    13. Re:Good for verisign.. by Prior+Restraint · · Score: 1

      Shh! Don't tell them, maybe they'll think they've "done their part" and leave well enough alone.

    14. Re:Good for verisign.. by grub · · Score: 2, Insightful


      > Why are you pissed?

      Why? Because a self-important turd who may have seen it once or twice decided "Ohh that's terrible!" and complained without appreciating the shock value or the humour of having been fooled into staring into that gaping thing.

      Rhonda Clarke is no better than having Tipper Gore or Laura Bush deciding what's appropriate for the internet. She's a desk clerk with an unimportant job in a relatively unheard of part of the world yet with her one gripe she can take down what has become a virtual institution on the net.

      Certainly it wasn't considered funny by all, but who is she to dictate what is and isn't funny? "But.. but.. Christmas Island can decide what's appropriate for their TLD!" Fine. Goatsecx may move on to other pastures for its home but it won't be the same.

      Rhonda Clarke is a self-righteous cunt.

      --
      Trolling is a art,
    15. Re:Good for verisign.. by Anonymous Coward · · Score: 0

      Don't worry, I just made sure someone asks her why that pic is getting so much bandwidth.. :)

    16. Re:Good for verisign.. by Anonymous Coward · · Score: 0

      Excellent. Thank you :)

    17. Re:Good for verisign.. by Dread_ed · · Score: 1

      Ok, who else was scared to death to click on the petition link, wondering if someone had posted a redirect to a mirror of the original goatse.cx?

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    18. Re:Good for verisign.. by crimsonhead · · Score: 1

      Try: http://www.goat.cx/

      Hot swap clusters, online backups, remote site mirrors...
      The goat is alive!

      --


      (Score:5, Whoring)
  2. goes from we're safe to who do we sue .. by junkymailbox · · Score: 1

    so .. if i (being a researcher and a nerd) was annoyed by this so called internet interruption .. i would also like to know "who" "we" should sue.

  3. A hidden danger. by jjp5421 · · Score: 2, Funny

    This could actually be dangerous. Whenever I hide something I seem to inevitably lose it...

    1. Re:A hidden danger. by bluewee · · Score: 1, Redundant

      hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

      --
      [blue] - The Ministry of Information approved this message...
    2. Re:A hidden danger. by hellraizr · · Score: 2, Funny

      the ip's not 127.0.0.1 is it?

    3. Re:A hidden danger. by The_K4 · · Score: 4, Funny

      You mean like this?

    4. Re:A hidden danger. by Anonymous Coward · · Score: 0

      > hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

      If you are going to steal a quote from bash.org, at least give credit for it. Especially when it is the highest rated quote on the site and many people are likely to have seen it and are going to call you out for it.

    5. Re:A hidden danger. by ianmassey · · Score: 2, Informative

      stealing quotes from bash.org, the top 50 at that, to get slashmodded up. tsk tsk.

    6. Re:A hidden danger. by wwest4 · · Score: 1

      i don't know what's funnier - that the server was sealed behind drywall Poe style or that they needed Novell's help to trace an ethernet cable.

    7. Re:A hidden danger. by Anonymous Coward · · Score: 0
      > hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

      Wow! Your post looks just like this one! What are the odds of that!
    8. Re:A hidden danger. by Anonymous Coward · · Score: 0

      No kidding. Aren't these the guys that host the ibiblio.org sourceforge mirror?

    9. Re:A hidden danger. by Anonymous Coward · · Score: 0

      Guess it wasn't running windows : although missing for four years, hasn't missed a packet in all that time

    10. Re:A hidden danger. by Anonymous Coward · · Score: 0

      Like this?

    11. Re:A hidden danger. by jtnishi · · Score: 1
      Reminds me of one of the most popular bash.org quotes:

      <erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

  4. Is this really a secret? by Anonymous Coward · · Score: 1, Interesting

    Isn't this "secret location" in Palo Alto? Seems to me there are probably thousands of people (e.g. telco employees) that know where it is...

    1. Re:Is this really a secret? by eric76 · · Score: 4, Funny

      If you really wanted to hide it, disguise the building as a whore house next door to a police station.

      The hookers and the johns could really be Verisign employees running the root server.

      In case a real customer showed up and was unfazed by the police station next door, tell him that most of the girls are at the doctors office for their tuberculosis test and the rest are being treated for various venereal diseases.

      Or you could disguise it as a crack house. The neighbors would assume that everyone running around with machine guns were drug smugglers.

      Or just disguise it as a police station. When someone comes in seeking assistance, tell them "We don't handle those kind of cases any more."

    2. Re:Is this really a secret? by Anonymous Coward · · Score: 0

      no - you're thinking of the F server which is (in part) in the basement of place where one of the main Linux developers works

    3. Re:Is this really a secret? by Anonymous Coward · · Score: 0

      Or we could disguise it as your Mom's house. Oh wait, then all the guys would come there.

    4. Re:Is this really a secret? by Zeinfeld · · Score: 4, Interesting
      > Isn't this "secret location" in Palo Alto? Seems to me there are probably thousands of people (e.g. telco employees) that know where it is...

      Nope, VeriSign was never in Palo Alto. It was dotCom era, rents in Palo Alto were way high by that time. VeriSign started in Redwood Shores and then moved to Mountain View. These days they own the old Netscape campus.

      The operations center is another matter, those are in unmarked buildings at several locations. If you look at some of the displays of root server locations you will see blobs in the San Francisco and Washington D.C. areas. Well duhh! Who would have guessed that the DNS servers would be so close physically to MAE West and MAE East?

      The Circle ID stories are both slashdotted. So we can't hear if Karl and co are saying 'nah, we don't need high bandwidth roots capable of a good slashdotting' which if they were would be somewhat ironic.

      The point that the article does not really mention is that at the moment running the DNS roots is done on a voluntary basis. ICANN is getting a free ride here. After the DDoS event in 2002 it was clear that 1) the roots were a major target 2) There was a big difference in the quality of service.

      Given the importance of the roots shouldn't we actually invest something so the people running them can afford to do the job well? VeriSign can afford to run its systems the way it does because it has revenue from other sources. How do you justify the cost of a high end four way server to be dedicated to root ops if you are a non-profit? ICANN could at least pay for hardware and bandwidth.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    5. Re:Is this really a secret? by Tackhead · · Score: 1
      > If you really wanted to hide it, disguise the building as a whore house next door to a police station.
      >
      > The hookers and the johns could really be Verisign employees running the root server.
      >
      >In case a real customer showed up and was unfazed by the police station next door, tell him that most of the girls are at the doctors office for their tuberculosis test and the rest are being treated for various venereal diseases.

      The problem here is that the dot-com boom threw a lot of geeks out on the street to live with the bums.

      Which is to say that there are, in any major city, several dozen people who know all too well that real crack whores going in for tuberculosis checkups and treatment are vastly healthier, more attractive, more intelligent, and more courteous than Verisign employees.

      The illusion you suggest wouldn't last 10 minutes.

    6. Re:Is this really a secret? by Darken_Everseek · · Score: 1

      I seem to recall a /. story a few months back (too lazy to search, sorry) about a grad student who used various publicly available resources to come up with a -very- detailed map of the US information infrastructure as a thesis. If you could get your hands on that, it'd probably be a simple matter to find out exactly where the "Secret Location" is. Of course, iirc, his thesis was classified; so getting a copy of it might not be so easy either.

    7. Re:Is this really a secret? by Darken_Everseek · · Score: 1

      Sorry to reply to my own post, but the link to the article is here:

      Classified Dissertation

    8. Re:Is this really a secret? by gnu-generation-one · · Score: 1

      "Or you could disguise it as a crack house."

      Judging from nanog emails, that would be the first place network operators would look for Verisign executives...

    9. Re:Is this really a secret? by Anonymous Coward · · Score: 0

      This facility is in Loudoun County. More specifically in Sterling, VA directly off Route 7 between Cascades Pkwy and Route 28.

      A blind person couldn't miss the three, 4-story office buildings clustered together with a clock on the face overlooking the Olive Garden and Sweetwater restaurants.

      Now...let's talk about the OTHER dirty secret -- MAE East... (ok, maybe we'll save that for another post).

  5. "A" is in Dulles, VA by havaloc · · Score: 4, Interesting

    Although the article says that the location is a secret, a link from the article to www.root-servers.org happily tells you that server A is in Dulles.

    1. Re:"A" is in Dulles, VA by junkymailbox · · Score: 1, Funny

      now you've done it .. the terrorist will infiltrate the facility and map the goat everywhere!

    2. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 0

      $ host goatse.cx
      Host goatse.cx not found: 3(NXDOMAIN)

      Oh, damn. Sorry.

    3. Re:"A" is in Dulles, VA by jamus · · Score: 2, Funny

      That one in Dulles is a decoy. The real one is in my closet.

    4. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 0

      Yeah the server is in Dulles but you have to activate SkyNet from the military base in California.

    5. Re:"A" is in Dulles, VA by Wingchild · · Score: 1

      > now you've done it .. the terrorist will infiltrate the facility and map the goat everywhere!

      Nah. Remember the old adage: Security through obscurity, isn't.

    6. Re: "A" is in Dulles, VA by Black+Parrot · · Score: 2, Insightful


      Oh, great. Now we have to kill everybody that reads Slashdot.

      --
      Sheesh, evil *and* a jerk. -- Jade
    7. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 2, Informative

      http://www.iana.org/root-whois/com.htm

      The address in that whois is actually where the A root resides. Not a terribly big secret, even though the building is unmarked.

    8. Re: "A" is in Dulles, VA by El · · Score: 4, Interesting

      How come Homer and Krusty look like clones? Haven't you ever heard Matt Groening's explanation of this? The original joke in the first "Krusty" episode was that Bart had no respect at all for his father Homer, and yet he worshipped this television personality that looked exactly like his father... guess the irony was too subtle for most people.

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    9. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 0

      In your closet? Then what do I have in my pants?

    10. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 0

      An aerial photo can be found using that address. It's from 1988, but it could still be the main building in that area.

    11. Re:"A" is in Dulles, VA by eyegor · · Score: 1

      I interviewed at the Dulles site a couple of years ago and got a tour of the data center as well as the NOC. Security is reasonably tight, but it ain't Fort Knox. It was kind of a trip seeing "the" servers.

      --

      Don't anthropomorphize computers, they don't like it.
    12. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 0

      Possible Address:

      VeriSign Network Operations Center
      21345 Ridgetop Circle
      Sterling, VA 20166

    13. Re: "A" is in Dulles, VA by Anonymous Coward · · Score: 0

      I guess the physical similarity between Homer and Krusty is too subtle. I'm looking at photos of both of them and apart from the vague appearance that all Simpsons characters share, I can't see any point of similarity.

    14. Re:"A" is in Dulles, VA by Anonymous Coward · · Score: 0

      That is an _old_ picture. The dirt trails in the top left quarter are where the parking lot is now. The actual building would be just off the top left corner - the western-most of three identical buildings around a lake.

      The area in that picture is all buildings now.

  6. So, I guess by ericdano · · Score: 1
    So I guess CmdTaco and CowboyNeal will never get in there........thank god!

    I can't imagine having all my domain requests going to Slashdot.org......I'd have sensory overload!

    --
    It's either on the beat or off the beat, it's that easy.
    I moderate therefore I rule!
    --
    1. Re:So, I guess by Shriek · · Score: 0

      Actually, since we don't see much of them are you sure they aren't trapped in there most of the time?

  7. sigh by jap · · Score: 4, Insightful

    Sigh. Deep Sigh.

    There's more than the 'A' root server. Taking "it" down leaves a whole hurd of other root servers alive. Located all around the world.

    The above linked articles are full of that which promoteth growth.

    1. Re:sigh by jayhawk88 · · Score: 3, Insightful

      Which the article actually states.

    2. Re:sigh by 93+Escort+Wagon · · Score: 4, Funny

      "There's more than the 'A' root server. Taking "it" down leaves a whole hurd of other root servers alive."

      Shouldn't that be "a whole GNU/hurd"?

      --
      #DeleteChrome
    3. Re:sigh by jap · · Score: 1

      No it doesn't. It talks about 3 "A" servers being available and predicts the death of the net if those three fail.

      In reality, it's got 12 other friends with the creative names B,C, ..., M, which are also serving the root-zone for the whole world.

      Try dig -t ns . on any decent machine.

    4. Re:sigh by jap · · Score: 1

      Wohoops - the MSN article does tell the right things. The second linked story is wrong. My fault for skipping that first link ;)

    5. Re:sigh by Zeinfeld · · Score: 4, Informative
      > No it doesn't. It talks about 3 "A" servers being available and predicts the death of the net if those three fail. In reality, it's got 12 other friends with the creative names B,C, ..., M, which are also serving the root-zone for the whole world.

      In theory the B..M roots are fed from the A root so if they lose their update for 24 hours or so they could start shutting down. In practice the admins would soon clue up and they would just republish the last good update file they had received.

      The problem comes with a bunch of pathological issues to do with what deployed DNS servers do if they cannot see root. It is not at all pretty.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    6. Re:sigh by Captain_Jackass · · Score: 1

      Looking at the SOA, it's a week before "." expires and B through M stop answering with authority for the root zone.
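
The SOA timers that the comments above refer to, worked through as an added example (not part of the original thread): it parses an SOA record in the presentation format `dig -t soa .` prints and classifies a secondary by how long it has been cut off from its master. The record is constructed, its serial is a placeholder, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample in the presentation format that `dig -t soa .` prints.
# The serial is a placeholder; expire = 604800 s is the "week" in the comment.
SAMPLE_SOA = (
    ".  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. "
    "( 2004012000 1800 900 604800 86400 )  ; constructed"
)

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


@dataclass(frozen=True)
class SOA:
    zone: str
    mname: str      # primary master named in the record
    rname: str      # responsible mailbox
    serial: int
    refresh: int    # seconds between a secondary's checks with its master
    retry: int      # seconds between attempts after a failed check
    expire: int     # seconds without contact before the zone is dropped
    minimum: int    # negative-caching TTL


def parse_ttl(value: str) -> int:
    """Accept plain seconds ("604800") or BIND-style units ("1w", "1h30m")."""
    if not re.fullmatch(r"\d+|(?:\d+[smhdw])+", value, re.IGNORECASE):
        raise ValueError(f"bad time value: {value!r}")
    parts = re.findall(r"(\d+)([smhdw]?)", value, re.IGNORECASE)
    return sum(int(n) * _UNITS[u.lower()] for n, u in parts)


def parse_soa(line: str) -> SOA:
    """Parse one SOA record in zone-file / dig presentation format."""
    # Drop a trailing ';' comment and the optional parentheses around timers.
    text = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
    tokens = text.split()
    upper = [t.upper() for t in tokens]
    if "SOA" not in upper or upper.index("SOA") == 0:
        raise ValueError("not an SOA record")
    rdata = tokens[upper.index("SOA") + 1:]
    if len(rdata) != 7:
        raise ValueError(f"SOA needs 7 RDATA fields, got {len(rdata)}")
    mname, rname, serial = rdata[0], rdata[1], int(rdata[2])
    refresh, retry, expire, minimum = (parse_ttl(v) for v in rdata[3:])
    return SOA(tokens[0], mname, rname, serial, refresh, retry, expire, minimum)


def secondary_state(soa: SOA, seconds_since_contact: int) -> str:
    """Classify a secondary by time since it last reached its master (RFC 1035)."""
    if seconds_since_contact < 0:
        raise ValueError("elapsed time cannot be negative")
    if seconds_since_contact >= soa.expire:
        return "expired"     # zone data discarded: no more authoritative answers
    if seconds_since_contact >= soa.refresh:
        return "retrying"    # still serving the last copy, polling every `retry`
    return "current"


def polls_before_expiry(soa: SOA) -> int:
    """Failed checks a cut-off secondary makes before the zone expires."""
    if soa.retry <= 0:
        raise ValueError("retry must be positive")
    if soa.expire <= soa.refresh:
        return 0             # misconfiguration: expires before the first check
    window = soa.expire - soa.refresh
    return -(-window // soa.retry)   # ceiling division


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    for hours in (0, 24, 167, 168):
        state = secondary_state(soa, hours * 3600)
        print(f"{hours:>4} h without master: {state}")
    print("failed polls before expiry:", polls_before_expiry(soa))
```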

    7. Re:sigh by gclef · · Score: 2, Interesting

      Close, but still slightly wrong. "A" is not the master for the others. "A" and all the others are actually slaves off of a "hidden master." The hidden master only accepts connections from the root servers, which makes the system just that little bit harder to attack (rather than just having to DoS A to take down everything, you have to find the master, then DoS it, and hope that they don't move it in the meantime).

    8. Re:sigh by Durin_Deathless · · Score: 1

      Ahhh....no. The root name servers are actually usable.

      --
      You should use AdiumX on your Mac.
  8. SiteFinder by Sparky77 · · Score: 5, Funny

    This is also the building that has the big red button labeled "Hijack Internet Traffic"

    --
    One bad monkey spoils the whole barrel.
    1. Re:SiteFinder by sharkey · · Score: 1
      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:SiteFinder by lithron · · Score: 1

      I pushed that button 16 times, and still haven't gotten a response from the web server. I think you /.'d it. :-(

  9. Cool... by Shoten · · Score: 5, Interesting

    It's cool to see someone write about the building you used to work in! I worked in this building, a bit more than 2 years ago. I was in Network Solutions' consulting arm, whose DC office was in that building, two floors under the NOC. The security really is as spectacular (and low-key) as you'd expect. You would NOT believe the camera surveillance they have facing outwards...you can see some of it, but you can't see some of them at all. And the cameras themselves are startlingly cool...there's a small strip mall across a major highway from the facility, with a clear line of sight. One of the security guys showed me how far the zoom worked, as he zoomed in on a guy smoking in front of a bookstore in the strip mall...about half a mile away. It was still a clear picture.

    When 9/11 happened, we were not allowed back into the building for a couple of days, but all they had to stand up as barriers were road cones. Luckily, they're finally moving to a location that isn't just obscure and secure, but armored, as I hear their Mountain View, CA location is.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Cool... by Dr+Reducto · · Score: 1

      So is this "center" in DC?

    2. Re:Cool... by Anonymous Coward · · Score: 0

      Are you referring to the new Broadrun facility, next to AOL? The staffed security there is pathetic. Some unarmed 90-year old woman. Not to mention, you can drive a truck straight through the front window, over the cubicles, and into the IDC itself.

  10. Why one place? by Anonymous Coward · · Score: 1, Insightful

    Are we talking about the .com/.net verisign DNS or the main root DNS. DNS is distributed. If one goes down, there are more to take its place. With the root DNS (gtld-servers.net), there are many servers located in many different places. It would be impossible to bring them all down. If we're talking about the .com/.net DNS, why have one central location? Couldn't multiple DNS servers mirror each other... some in obscure locations, others in highly protected facilities?

    1. Re:Why one place? by karl.auerbach · · Score: 4, Informative

      Many of the root server operators have deployed mirrors of their machines using "anycast".

      Anycast is a way of using routing information so that a single IP address appears at many locations on the net. Packets flowing to an anycast IP address tend to go to the nearest instance of such an address.

      Physical security isn't the risk that the roots face - the issue is damaged connectivity to those 13 addresses on which those root machines are to be found.

      As I mentioned in my note on Circle-ID, the biggest risk isn't to root servers but rather to the set of servers that deliver .com, .net, .org, and .in-addr.arpa. The roots are heavily cached and easily replicated. It isn't quite so easy to handle a loss of connectivity to the big top level domain servers.

      I've suggested a "DNS on a CDROM" (which I guess should be updated to "DNS on a DVD") in which all the stuff needed to get a local but limited DNS running in cases when a community has been cut off from the main body of DNS services.

    2. Re:Why one place? by Anonymous Coward · · Score: 0
      > As I mentioned in my note on Circle-ID, the biggest risk isn't to root servers but rather to the set of servers that deliver .com, .net, .org, and .in-addr.arpa. The roots are heavily cached and easily replicated. It isn't quite so easy to handle a loss of connectivity to the big top level domain servers.

      Yes Karl, and can you guess where they would be located? The exact same machine room as the root.

      Your CircleID article does make a good point about the fact that taking out the A-Root is not as serious as other failures. I am not sure what the value would be of providing a comprehensive list of the most serious failures possible to Brock Meeks to report.

      There are of course contingency plans possible even if a system fails. But the whole point of contingency planning is to avoid ever getting into the situation where you have to use it.

      As for your private root server list, I don't think that the rest of the world would be unduly worried if Karl Auerbach was disconnected from the net for a few months. There would be rather more concern if AOL was disconnected from a country code domain. The point about critical infrastructure is not how reliable it is, it is who is reliant on you.

      The principal risk with root DNS is not actually complete failure, it is the injection of false data. Distributing the system in the ad-hoc manner you propose would solve one vulnerability by introducing another that is much worse and is currently almost non-existent.

      Another important risk that you do not appear to have taken sufficient notice of is the risk of reputation attack. Terrorists did not destroy the WTC because they thought it would destroy the world financial system, they realised that the infrastructure was not dependent on a single building. But the propaganda value of the attack was significant.

      The point of armor plating is to deal with people who are in many cases obsessional bordering on mental illness. You may not see the point in destroying the A-Root Karl, but you are not the sort of person I expect to be strapping a bunch of explosives to themselves. Trying to understand what drives the likes of a McVeigh or Al Zawahiri is futile, they simply operate from completely different belief systems.

    3. Re:Why one place? by karl.auerbach · · Score: 2, Interesting

      You raise a number of really good points.

      Let's see if I can deal with at least some of 'em.

      First, regarding use of data on a CD/DVD to recover locally - this is for use when a community is cut off, as happened here in Santa Cruz in 1989 when we had a medium sized earthquake. There were enough folks here with enough gear that we could rebuild a local, usable net to assist with recovery even though the links over the mountain to the rest of the world took a while to be restored. In that situation the folks who risked any bad information that might be introduced were those who knowingly changed the hints addresses, and if they knew enough to do that they also probably knew enough to clear things out (i.e. reboot named) when they changed the hints file back to the global values.

      I've actually experienced the introduction of bad DNS data. Before ICANN permitted its version of .biz there was already an operational .biz. I had some machines that were using the ICANN version and some using the pre-existing version. And yes, there were some confusions. The point to draw is not that the idea is thereby necessarily bad, but rather that consistency is important. But DNS never operates with perfect consistency - for example for years Taiwan (.tw) was operating with its own roots that were hacked into the system in a really strange way. I was the only one who noticed. (The situation was corrected last year after we [ICANN] pointed it out to them - it turned out that it was an experiment that they forgot to turn off.)

      As for the location of the big TLD servers (such as those for .com). Well, the folks at Verisign, much as we like to dislike 'em, are smart and have more than a lot of "clue". Yes, for a while two root servers sat in the same room, but things like that are past history. No, I do not know the actual locations (I intentionally chose not to use my position at ICANN to try to learn that information), but I can assure you that the concept of physical separation has become an article of faith. And with the increasing use of anycast, replica servers are getting easier to deploy.

      As for the reputation value of an attack - yup, some perverse folks would feel their reputations enhanced if they brought down DNS. And for that reason I feel that all the armor plating is good. But we need to recognize the gaps in that armor, which are things like routing or mindless belief that there must be one catholic system of DNS root servers. And we have to remember that a lot of bad things are caused by mother nature and Murphy's law rather than folks who have abandoned reasoned discourse and moved to techno-mayhem.

  11. In the case of a nuclear attack? by Sean80 · · Score: 4, Interesting
    OK so I have to admit I don't understand the technology here any more. Back in the day, they say the Internet was built to withstand a nuclear assault. With phrases like "the Internet's most important computer," how can this be true?

    If this building were destroyed by a nuclear weapon, what would be the impact on the Internet?

    1. Re:In the case of a nuclear attack? by Kenja · · Score: 1

      Because there are several "almost as important" computers in other locations ready to take over should the "most important" one go down.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:In the case of a nuclear attack? by gordyf · · Score: 3, Insightful

      Not much. There's a bunch of other root servers scattered around the world; this just happens to be the first one.

    3. Re:In the case of a nuclear attack? by Anonymous Coward · · Score: 1, Funny

      More importantly, what would happen if it were struck by a nucular weapon?

    4. Re:In the case of a nuclear attack? by Smitty825 · · Score: 1

      The internet is designed to withstand broken routes, etc. However, if all of the nameservers go down, then you'll have to remember IP addresses!

      If this building went down, then you wouldn't notice anything. IIRC, (and the article says so, I believe), all DNS info is cached at your local ISP. That's why it takes a few days to propagate across the any IP address changes to your domain...

      --

      Doh!
    5. Re:In the case of a nuclear attack? by Wingchild · · Score: 4, Interesting

      > Back in the day, they say the Internet was built to withstand a nuclear assault.

      DARPA was running a research project to build a networking system capable of intelligent self re-routing in the case of points of failure, so that a single network outage couldn't prevent traffic from flowing through. The extended concept for ARPANet was that if a major segment of the network vanished it might still be possible for data to be routed, hence the `it can get nuked and still survive` quotes people toss around.

      Most unfortunately the internet itself is not always as robust; if certain routers are knocked out, large segments of the networks behind them stay unreachable for long periods of time, mainly because of serious network mismanagement on the part of the people who really ought to know better.

      One can also never underestimate the power and prevalence of Backhoe Fade.

    6. Re:In the case of a nuclear attack? by Anonymous Coward · · Score: 0

      DNS runs on top of the internet. Yes, it is distributed, and taking out the root server won't prevent people from resolving hostnames - but this issue is separate from the robustness of the internet in general, which comes from its interconnectedness and multiple ways to route packets from one place to another.
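
Added example, not part of the thread: a toy Python model of the point made in the replies above, that other root servers take over when one is lost and that resolvers keep answering from cache. The root labels, addresses and TTLs are constructed, nothing touches the network, and the TLD servers are assumed to stay reachable throughout.

```python
"""Toy caching resolver: root failover and cached delegations (constructed data)."""


class RootUnreachable(Exception):
    """Raised when a delegation is needed and no root server answers."""


# Constructed zone data. "ttl" is the lifetime of the TLD delegation handed
# out by a root; each name maps to (address, record TTL). Addresses use the
# 192.0.2.0/24 documentation range.
TLD_DATA = {
    "com": {"ttl": 172800, "names": {"example.com": ("192.0.2.10", 3600)}},
    "net": {"ttl": 172800, "names": {"example.net": ("192.0.2.20", 3600)}},
}

# Thirteen hypothetical root labels, mirroring the 13 roots the thread mentions.
ROOTS = [f"{letter}.root.example" for letter in "abcdefghijklm"]


class Resolver:
    def __init__(self, roots):
        self.roots = list(roots)
        self.down = set()        # roots that do not answer
        self.now = 0             # simulated clock, in seconds
        self.cache = {}          # (type, key) -> (value, expires_at)
        self.root_answers = []   # which root served each referral

    def _cached(self, key):
        hit = self.cache.get(key)
        if hit is not None and hit[1] > self.now:
            return hit[0]
        self.cache.pop(key, None)  # drop expired entries
        return None

    def _ask_root(self, tld):
        # Try each root in order; any single one is enough for a referral.
        for root in self.roots:
            if root in self.down:
                continue
            self.root_answers.append(root)
            return TLD_DATA[tld]["ttl"]
        raise RootUnreachable(f"no root server answered for .{tld}")

    def resolve(self, name):
        addr = self._cached(("A", name))
        if addr is not None:
            return addr
        tld = name.rsplit(".", 1)[-1]
        # A root is consulted only when the TLD delegation is not cached.
        if self._cached(("NS", tld)) is None:
            ttl = self._ask_root(tld)
            self.cache[("NS", tld)] = (tld, self.now + ttl)
        addr, ttl = TLD_DATA[tld]["names"][name]
        self.cache[("A", name)] = (addr, self.now + ttl)
        return addr


def _try(resolver, name):
    try:
        return resolver.resolve(name)
    except RootUnreachable:
        return "failed"


def outage_scenario():
    r = Resolver(ROOTS)
    results = {}

    # 1. Only the first root is lost: the next one in the list answers.
    r.down = {ROOTS[0]}
    results["a_root_down"] = (r.resolve("example.com"), r.root_answers[-1])

    # 2. Every root is lost two hours later. The address record has expired,
    #    but the cached .com delegation is still valid, so no root is needed.
    r.down = set(ROOTS)
    r.now += 7200
    results["all_down_cached_tld"] = _try(r, "example.com")

    # 3. A TLD never looked up before needs a root referral and fails.
    results["all_down_uncached_tld"] = _try(r, "example.net")

    # 4. Once the delegation TTL has also run out, .com names fail too.
    r.now += 172800
    results["all_down_after_expiry"] = _try(r, "example.com")
    return results


if __name__ == "__main__":
    for step, outcome in outage_scenario().items():
        print(step, "->", outcome)
```

The model separates the two effects the replies describe: redundancy covers the loss of one root immediately, while caching only delays the effect of losing all of them.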

    7. Re:In the case of a nuclear attack? by chimpo13 · · Score: 3, Funny

      If this building were destroyed by a nuclear weapon, what would be the impact on the Internet?

      Oh, there's lots of things that would happen:

      Mutants would crawl the Earth, CHUDs would be in the sewers, thalidomide babies would get super strong ESP and take over satellites to tell us they don't like cigarettes and brandy, we'd have to go back to pr0n in the magazine form (but bukkake would thankfully disappear), and the Omega Man would kill zombies. There's plenty of others, but I don't want to give away the ending (but it sounds like oylent-say een-gray is eople-pay).

    8. Re:In the case of a nuclear attack? by genner · · Score: 1

      The Internet can survive without DNS; just remember this address: http://66.35.250.150. I keep this handy as my company's ISP's DNS servers are notoriously buggy.

    9. Re:In the case of a nuclear attack? by Anonymous Coward · · Score: 0
      If this building were destroyed by a nuclear weapon, what would be the impact on the Internet?

      I wouldn't care so much about the Internet at that point, as I'd be part of the fallout raining down.

      Other than that, Mae-East would likely be severely crippled/destroyed and ISPs the world over would come under a telephonic DOS attack from "gamers" complaining about their ping times and latency.

    10. Re:In the case of a nuclear attack? by Anonymous Coward · · Score: 0

      RTFA asshat

    11. Re:In the case of a nuclear attack? by NDPTAL85 · · Score: 1

      What's wrong with bukkake?

      --
      Mac OS X and Windows XP working side by side to fight back the night.
  12. if its any consolation by JeanBaptiste · · Score: 2, Funny

    you brought their server to a crawl by posting that...

    and I'm not sure which is worse to look at... the goatse man, or rhonda...

    1. Re:if its any consolation by DarkHelmet · · Score: 0, Flamebait
      and I'm not sure which is worse to look at... the goatse man, or rhonda...

      At least Bob Goatse has to cover up in public and doesn't "open wide" for a lot of people.

      --
      /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  13. What were they expecting? by funwithBSD · · Score: 4, Funny

    The temple from Tron?

    Approach, Program, and speak to your User...

    --
    Never answer an anonymous letter. - Yogi Berra
    1. Re:What were they expecting? by petabyte · · Score: 1

      That wasn't a temple; it was an IO tower ... I thought that was clear ...

    2. Re:What were they expecting? by Anonymous Coward · · Score: 0

      It was a structure for communicating with a higher level being... whatever you want to call it.

  14. LINUX Analogy by YukioMishima · · Score: 5, Insightful

    This story is news, but I kept expecting some point of contention in the article, rather than some musings on decorating schemes that were compared to clip art.


    I found my point here:


    The root server operators "have no contract with anyone, no guarantee of level of service, they could turn [the root servers] off tomorrow with no consequences at all because they are doing it out of the kindness of their heart," said Internet consultant Ambler. "ICANN needs contracts with the root server operators that specify minimum levels of service and minimum levels of security and the root servers need to be paid for that," he said.


    Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money? I understand the legal protections associated with contracts, but I think there's a chance that the root server operator system, as it stands, could alternatively be viewed as something successful - something, much like the open source software movement, that works, not because of contracts or restrictive covenants, but because people enjoy contributing to something useful for their own and others' use.

    1. Re:LINUX Analogy by Wingchild · · Score: 1

      Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money?

      Because unlike software, bandwidth is never free.

    2. Re:LINUX Analogy by Clinoti · · Score: 1
      Yeah, I saw this as more of a PR spin for both VeriSign and the Federal Government.

      I mean it's great and all that they have all that protection for the system/server but aren't all the other ones just sitting in Labs and Universities without the implied armed guards and jersey barriers? If they secured the entire network I'd be pretty proud, but isn't the internet set up *just* with that kind of scenario in mind?

      Perhaps I am the confused one.

      --

      Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep

    3. Re:LINUX Analogy by Zed2K · · Score: 1

      "Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts"

      Probably because if something like this goes down, there is no one that will step up and accept responsibility. But if they were all under contract then there would be someone responsible for the failures. It's not just some project anymore, it is the heart and lungs of the entire system and it needs to give guarantees.

    4. Re:LINUX Analogy by karl.auerbach · · Score: 4, Interesting

      Microsoft - or SCO (if it had the cash) - could go out and try to buy all the root servers. There is nothing to stop the root operators from selling out.

      Nor is there anything that prevents root server operators from giving preference to queries coming from paying IP addresses.

      All of that is hypothetical, but without legally enforceable obligations, we're just hoping that nothing changes for the worse.

      And things *do* change - for example, back in the 1980's SCO was a fun company here in Santa Cruz.

    5. Re:LINUX Analogy by mindstrm · · Score: 1

      Responsibility? What, someone to sue? HOW does that help?

      If things go down, it doesn't matter if we have someone to point a finger at, or someone to take responsibility...it is an engineering problem, as long as we can find cause we can take steps to ensure the problem does not repeat.

      Having someone be responsible for a mess doesn't make anything okay... putting Enron execs in prison does not get back taxpayer money, or in any way solve the energy problems of California.

      Sanctions against a root server operator will not make his root server more stable.

    6. Re:LINUX Analogy by Kent+Recal · · Score: 1

      Where is your point?
      As I see it they donate the bandwidth for free.
      Just as free software developers donate their time.

    7. Re:LINUX Analogy by Kent+Recal · · Score: 1

      "Guarantee" is a human concept.
      The internet is an evolutionary concept.

    8. Re:LINUX Analogy by dfn5 · · Score: 1
      Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts

      You think Verisign does anything out of the "kindness" of their heart? They do it so they can control some aspect of the Internet. Do you not remember SiteFinder?

      --
      -- Thou hast strayed far from the path of the Avatar.
    9. Re:LINUX Analogy by CausticWindow · · Score: 0, Flamebait

      People didn't make Linux out of "the kindness in their heart". People made Linux, because they wanted a better os.

      Kindness of the heart does not exist, even though fundamental christians tell you so.

      --
      How small a thought it takes to fill a whole life
    10. Re:LINUX Analogy by jelle · · Score: 1

      "Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money?"

      The people who worry about that are people who worry about maybe upsetting their current friends sometime in the future. Right now, they are friends, but what happens if in the future the different parties no longer share common goals for the DNS?

      The relationship may be friendly today, but maybe not tomorrow, so they need a contract.

      If a root server operator disagrees with ICANN, or maybe worse (for ICANN) if the majority of them disagree with ICANN then right now they can basically say 'screw ICANN' and do whatever they think is best. Which takes the power away from ICANN, so in order for the ICANN to protect their position of power, they need to work with people that have the obligation to do what ICANN wants, by contract...

      Translation: They don't trust the relationship to remain good between ICANN and the root server operators.

      Be prepared that as soon as ICANN has the majority of root servers under contractual agreements, for the ICANN to do some (very) unpopular or bad things that will result in some heated postings here on this forum and many others.

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
    11. Re:LINUX Analogy by ebrandsberg · · Score: 1

      While the truth is that the physical infrastructure is not free, bandwidth for setups like this can EASILY be free. Consider: What ISP doesn't want a good connection to the root nameservers? Answer: None. As such, they don't "charge" for the connections to connect it to their network. I seriously doubt that ANY isp is charging for the bandwidth to host any of the root nameservers. They may go so far as to pay for the circuits the bandwidth runs on too.

    12. Re:LINUX Analogy by gnu-generation-one · · Score: 1

      "But in a contract situation, legal liability issues will inevitably crop up, Farber said, as would the issues of who do you sue and where do you sue."

      Only in Verisign would the ability to sue someone be more important than a stable root-DNS server...

    13. Re:LINUX Analogy by finkployd · · Score: 1

      Well, it does but when it happens you never hear about it. (someone makes a big deal of doing something out of the kindness of their hearts, they were really doing it for publicity or to impress people)

      Finkployd

    14. Re:LINUX Analogy by Anonymous Coward · · Score: 0

      "Why is it so confusing to imagine that security is not always "secured" by either contracts or money?"

      And out of all the people who run the core of the internet, how many of them believe that security would be increased by having Verisign more involved?

      Right. So they chose that one person to interview for the article?

    15. Re:LINUX Analogy by Anonymous Coward · · Score: 0

      Because unlike software, bandwidth is never free.

      Then software is never free either because it requires either bandwidth or shipping to get it. Whatever.

    16. Re:LINUX Analogy by dillon_rinker · · Score: 1

      There is nothing to stop the root operators from selling out

      This comment goes to the heart of the matter; I hope we never see it proven correct. I also hope for universal peace and brotherhood, and you can see what good THAT does me.

      Remember Google before Google-bombing? Remember USENET before spam? Remember the World Wide Web before popups? Remember email before viruses? Remember the internet before the Morris worm? Remember all those things that didn't need to be secured because we were all pure of heart? Yeah.

    17. Re:LINUX Analogy by FLEB · · Score: 1

      -- Responsibility? What, someone to sue? HOW does that help?

      By putting well-earned money into the pockets of lawyers and their clients.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    18. Re:LINUX Analogy by FLEB · · Score: 1

      Think of the pressure on VeriSign after their SiteFinder "innovation". If things get too hairy, someone (or some-ones, more likely) will come up with a new set of A-servers.

      The only thing that makes them "A", is that they're where everyone looks first.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    19. Re:LINUX Analogy by Zed2K · · Score: 1

      So according to you we should just remove personal responsibility entirely from everyone's job. Ooops, I'm sorry hospital that your server crashed, but since firing me still won't get the job done I'm not going to be held responsible for what happened.

      I guess all legal contracts should be null and void too. After all, if someone can't pay the fines why bother to go after them and hold them responsible for breaking a contract. While we're at it let's just make every single product free. After all there is no point in paying for anything since it should all be free, out of the goodness of our hearts.

      What kind of world do YOU live in?

    20. Re:LINUX Analogy by Iamnoone · · Score: 1
      As such, they [the ISPs] don't "charge" for the connections to connect it to their network.

      The RFC (2870) says that root server owners should allow ISPs to connect if the ISP pays:
      Root servers SHOULD have mechanisms in place to accept IP connectivity to the root server from any internet provider delivering connectivity at their own cost.
    21. Re:LINUX Analogy by mindstrm · · Score: 1

      No, I do not think nobody should be responsible for anything... I just think that the idea that we have to have someone fingered in this case is pointless.

      I'm also absolutely not against holding people responsible for their actions, or lack of action, but holding you responsible won't change the fact that you are incompetent.

      Let's take the hypothetical situation of a mythical hospital server that, if improperly managed, will kill someone. Let's say you mismanage it, being drunk on the job and whatnot.

      Now, having you held responsible doesn't help me, whose brother just died because of your mistake, and I probably won't be going after you, I will be going after the hospital, in whose care my brother was, getting his broken toe fixed. Whether or not the hospital's problem is shitty staff or bad engineering is their problem, not mine... just as if some nurse had given him the wrong injection.

      The point is, playing the blame game for its own sake doesn't help anything. Are we worried about the integrity of those running the root servers? Have they done a bad job? Do we feel that putting them all under the yoke of verisign or some other organisation will INCREASE their integrity?

  15. MSNBC doesn't use spellcheck apparently by ArmedLemming · · Score: 1

    This was kind of amusing (From the top of the article):

    By Brock N. Meeks
    Cheif Washington correspondent
    MSNBC
    Updated: 8:52 p.m. ET Jan. 20, 2004

    So Brock's the Cheif eh? :)

    --
    Two fish swim into a wall, one turns to the other and says, "Dam".
    1. Re:MSNBC doesn't use spellcheck apparently by Anonymous Coward · · Score: 0

      Hahaha, now the article says "reporter" not "Cheif"

      guess even reporters read /. sometimes.

  16. Thier editors ... by ccvqc · · Score: 1

    "By Brock N. Meeks
    Cheif Washington correspondent
    MSNBC"

    No better than /.'s!

    1. Re:Thier editors ... by smoondog · · Score: 1

      redundant, but funny ......

  17. Very impressive by Faust7 · · Score: 1

    the Network Operations Center, the "NORAD" of the Internet's traffic monitoring,

    I'll say. Did you see that photo? It looks like something out of WarGames. God help us if those computers decide to play games.

    1. Re:Very impressive by Anonymous Coward · · Score: 0

      never worked in a NOC eh? I was actually disappointed by the picture. I hope that they turn the lights down a bit... or else that would be a pretty crappy place to work in.

  18. nobody cared about security two years ago? by kilbo · · Score: 5, Insightful
    "But Ambler nearly chokes on the word 'defense' noting that 'up until two years ago nobody gave a rat's ass for security of the root servers because if the Internet went down it would have been an annoyance to some researchers and nerds.'"

    I guess amazon.com which went public in 1997 must have been frequented only by researchers and nerds for the first 5 years of operation.

    1. Re:nobody cared about security two years ago? by nomadic · · Score: 1

      I guess amazon.com which went public in 1997 must have been frequented only by researchers and nerds for the first 5 years of operation.

      Pretty much.

    2. Re:nobody cared about security two years ago? by SirWhoopass · · Score: 1
      I guess amazon.com which went public in 1997 must have been frequented only by researchers and nerds for the first 5 years of operation.

      Well, let's see...

      1997, loss of $31 million
      1998, loss of $125 million
      1999, loss of $719 million
      2000, loss of over $1 billion
      2001, loss of $567 million
      2002, loss of $149 million

      Yeah. I'd say the statement is more or less correct.

  19. Surprised? by Wingchild · · Score: 2, Interesting

    Digex, along with other major hosting and co-lo facilities, has had these kinds of systems in place for their datacenters for many a year. And yeah, most of them look like very non-descript office buildings - a great many I've seen are in warehouse-style industrial complexes, far off the beaten path of regular office space and retail properties.

    You have to wonder if they're a little overboard, though; the military doesn't typically have checks that secure to get into specific rooms - not even TS/SCI environments. Though, to be fair, the military certainly has an edge on physical security.

    I guess if you're really concerned about your data being physically secure, you could always co-lo out at Sealand, too.

    1. Re:Surprised? by nate1138 · · Score: 1

      Heh, The first link you provided (to cheyenne mountain) has a self-signed SSL cert. Of course this prompted my browser to ask if I trusted cheyennemountain.af.mil, to which I promptly said "no".

      Do you trust them?

      --
      Where's my lobbyist? Right here.
    2. Re:Surprised? by Kent+Recal · · Score: 1

      Funny, I stumbled over the same thing.
      I clicked yes and got to see their impressive "blast doors".

      From a practical standpoint it makes perfect sense that their certificate is self-signed. I mean you wouldn't be able to validate it anyways when the rest of the planet has been nuked.

    3. Re:Surprised? by DerekLyons · · Score: 1
      You have to wonder if they're a little overboard, though; the military doesn't typically have checks that secure to get into specific rooms - not even TS/SCI environments.
      They go a little overboard because they have two things the military doesn't... Insurance companies they are answerable to and lawyers that advise them.

      That being said; The barriers to entry depended on what kinds of TS/SCI are being guarded. (SIOP or crypto material for example both have their own special handling, storage, and access procedures. So did some intel material and some technical material.)
  20. RAID - redundant array of (in)expensive datacenter by junkymailbox · · Score: 0

    Wow .. cool.. raid (ooggle)

  21. I thought the internet was decentralized? by Gizzmonic · · Score: 1

    What's the deal here? I mean, isn't the Internet supposed to be decentralized? Who cares if the Internet server in some EZ-mini storage goes down? What's the worst that could possibly happen?

    And if it really is that bad, then why aren't we working on making stuff more redundant? All I know is somebody needs to spend money on this, just like the power grid. It's not glamorous, so no politician will run with it, but I think we should have some kinda dialup internet tax to pay for it.

    --
    (-1, Raw and Uncut is the only way to read)
  22. Oh, for the days of hosts.txt by shoppa · · Score: 4, Interesting

    Back in the good old days, if you had a recent copy of hosts.txt all this was irrelevant :-). But it's been most of a decade since just anyone could download it.

    1. Re:Oh, for the days of hosts.txt by Anonymous Coward · · Score: 0

      Lmao true true!

      "No signs or markers give a hint that the Internet's most precious computer is inside humming happily "

      Ummmm, I'm confused, since when did name resolution become the most important part of the internet?! Don't worry I already scribbled 66.35.250.150 in case the servers get hit, and everyone's cached DNS servers suddenly go loco, I can still read my /. !!

    2. Re:Oh, for the days of hosts.txt by nighty5 · · Score: 1

      wow, and to think of the security implications of such a file with A records such as:

      testserver
      dev
      firewall
      router
      secrethost
      unsecured

      etc etc

  23. That list CANNOT get into the open by Anonymous Coward · · Score: 0

    I'm guessing they also have a laser grid blocking access to the overhead air conditioning duct, pressure plates that light up when the alarm goes off, temperature gauges etc....NONE OF IT WORKS. A few cables and a 686 thinking machine prototype is all it takes to seize control...have we learned nothing?

  24. Re:Ahhh... So Surveillance Is Easy by wankledot · · Score: 1
    Riiight. My machine frequently hits the A root machine for lookups.

    Didja not read the article? Do you not know how DNS works? Are you being sarcastic? Paranoid? Stupid?

    --
    My sig is blank, I typed this by hand.
  25. Visual Route by Anonymous Coward · · Score: 0

    places it in Washington, DC

  26. Anyone Know What Hardware/OS It's Running? by TAZ6416 · · Score: 3, Funny

    I'd hate to think the internet depends on SCO UnixWare running on an old 486 ;) Jonathan

    1. Re:Anyone Know What Hardware/OS It's Running? by Theatetus · · Score: 1

      I don't know about A, but C is a Dell PowerEdge running I think FreeBSD.

      Root servers don't actually do all that much, they just have to be ready to do it 24/7.

      --
      All's true that is mistrusted
    2. Re:Anyone Know What Hardware/OS It's Running? by scrytch · · Score: 1

      Naw, everyone knows it runs Windows ME >:)

      There was much unhappy buzz at Sun when they switched from Sun (presumably Solaris on Sparc) to IBM. My guess is AIX on a big PPC box, being that IBM was not a Linux company at the time and Linux didn't/doesn't exactly take advantage of that kind of hardware either.

      --
      I've finally had it: until slashdot gets article moderation, I am not coming back.
    3. Re:Anyone Know What Hardware/OS It's Running? by 4minus0 · · Score: 2, Interesting

      I'm not sure if your question was serious or not but I was curious about the OS used for this.

      The best I could do was this document referencing Y2K from ICANN's site.

      From the page:

      The root servers themselves all use some variant of the Unix operating system, however both the hardware base and the vendors' Unix variants are relatively diverse: of the 13 root servers, there are 7 different hardware platforms running 8 different operating system versions from 5 different vendors.

      I would not be surprised if at least one of those systems is running something from SCO.

      The page also mentions they all run BIND. I'd like to see a couple of those things running DJBDNS or any other high availability DNS service for variety's sake. Pulling from my admittedly n00b-level knowledge of DNS, the DBs for the two packages are incompatible, apparently throwing that option out. Anyone with more experience with the two care to clarify why they run BIND only?

      --
      You've got an easy breezy wind at your back...most of the time.
    4. Re:Anyone Know What Hardware/OS It's Running? by proberts · · Score: 2, Informative

      They don't. One of them (K) is running NSD, which totally rocks.

      http://www.nlnetlabs.nl/nsd/index.html

      Paul

      --
      http://www.pauldrobertson.com
    5. Re:Anyone Know What Hardware/OS It's Running? by 4minus0 · · Score: 1

      Cool, thanks for the link.

      I'll check this out.

      --
      You've got an easy breezy wind at your back...most of the time.
  27. How much physical security is necessary? by Wingchild · · Score: 3, Insightful

    I'd like to see some statistics on how many people attempt to invade/evade the physical security checks at Netsol's NOC that require and necessitate facilities on that level. The same goes for most any datacenter - your physical security is awesome, but why?

    Aren't most attacks against servers launched over that intarweb thing?

    I can't recall the last time someone tried to suicide bomb a root server. :)

    1. Re:How much physical security is necessary? by cmowire · · Score: 5, Informative

      In Australia in the past year or two, some folks dressed up as maintenance workers and drove off with an allegedly important government server.

      So it does happen.

      I still have to test every 5-pin simplex lock for important rooms to make sure that it's not a simple combination, because when I had access to a datacenter, it was a damn simple lock.

    2. Re:How much physical security is necessary? by Ryan+Amos · · Score: 1

      Answer: Because there are clients who want that kind of security, for whatever reason, and are willing to pay handsomely for it. You're also probably not going to knock the root servers offline with a DoS attack, seeing as they see so much traffic that a DoS probably wouldn't put a noticeable dent in their usage.

      Besides, I don't think they're worried about terrorists, but more of the Kevin Mitnick types who are willing to mix "social engineering" with computer hacking. Tell me there's not a hacker out there who wouldn't DREAM of having root to a root server. You could cause all KINDS of havoc if you could toy with DNS and IP records. Like rerouting all the requests for Amazon.com's order pages to one of your own and swiping the credit card #s. Or just run on your favorite irc server as "l33t@fuck.network-solutions.com". Or rerouting cmdrtaco.net to the former goatse.cx :) The possibilities are endless.

    3. Re:How much physical security is necessary? by missing000 · · Score: 0, Flamebait

      You're forgetting something here.

      I bet you don't even know. The President reminded us again just a few days ago-

      TERRORISTS ARE EVERYWHERE!

      They are hiding around the corner right now, waiting until you least expect them. They are watching the root servers, planning a massive attack against .org first, and then, then they will bring down teh dotcom.

      Yeah baby! Be scared! We have nothing to fear but wiry haired guys planning world domination via names with too many vowels in them.

    4. Re:How much physical security is necessary? by Anonymous Coward · · Score: 0

      Is there a red^Mdrug dealer^M^Mpedophile^Mterrorist under your bed?

    5. Re:How much physical security is necessary? by Anonymous Coward · · Score: 0
      I bet you don't even know. The President reminded us again just a few days ago- TERRORISTS ARE EVERYWHERE!

      I once heard the VeriSign Chief Scientist speak on 9/11 and terrorism. The IRA had attempted to assassinate a member of his family several years ago. So they had been preparing against terrorist attack long before 9/11.

      Apparently they have contingency plans that start with the assumption of total loss of their data centers.

    6. Re:How much physical security is necessary? by Frizzle+Fry · · Score: 1
      Tell me there's not a hacker out there who wouldn't DREAM of having root to a root server

      There's not a hacker out there who wouldn't DREAM of having root to a root server.
      --
      I'd rather be lucky than good.
    7. Re:How much physical security is necessary? by Anonymous Coward · · Score: 0

      There was one thing drilled into my head regarding computer security:

      If they can touch the box, they can hack it.

      This is true. You cannot build a computer system strong enough to resist physical attack. Unless you can keep people physically away from your server, all electronic safeguards are useless.

    8. Re:How much physical security is necessary? by JohnsonWax · · Score: 1

      I'd like to see some statistics on how many people attempt to invade/evade the physical security checks at Netsol's NOC that require and necessitate facilities on that level. The same goes for most any datacenter - your physical security is awesome, but why?

      Because some resources are so important that even a single breach can be devastating. It's a tough thing to engineer around. For resources like that, you calculate the cost of failure, identify a reasonable relative cost to invest to prevent that failure, and invest it in anything and everything that will get you there.

      Security comes in two forms - that which prevents (active) and that which deters (passive). Passive can be very effective, or so believed most of the world during the cold war.

    9. Re:How much physical security is necessary? by Anonymous Coward · · Score: 0

      Was that the same story about the guys in .au who stole some big IBM iron but couldn't get the disk drives out even after dropping it down a flight of stairs?

    10. Re:How much physical security is necessary? by rgmoore · · Score: 1
      The same goes for most any datacenter - your physical security is awesome, but why?

      Because it's much, much easier to do nefarious things to a computer with physical access. If somebody just wants to shut you down, he can set off the fire suppression system or start smashing machines with an axe. If he wants to steal data, he can plug in a firewire harddrive and start downloading data, or just walk off with your backup tapes. If he wants to hack your system, he can reboot with an untrusted medium (like a KNOPPIX CD) and put in backdoors. It's easy to stop all of these attacks with good physical security.

      Besides, when you get down to it physical security isn't that expensive. A couple of handprint scanners are cheap when compared to a redundant power system for the whole datacenter. Security guards are paid a lot less than data security experts. All those costs pale in comparison to the price of having a warm spare ready to go on line if the primary fails, which many of these datacenters have. If you're going to go to that much trouble to keep your computers available, it would be really stupid to try to save a few bucks on physical security.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    11. Re:How much physical security is necessary? by Anonymous Coward · · Score: 0

      There's a drug dealer paedophile terrorist IN my bed! And it's me!

    12. Re:How much physical security is necessary? by PurpleFloyd · · Score: 1
      While the security systems in many datacenters are probably excessive, physical security is there for three reasons:
      • First, it is possible for someone, particularly with some technical knowledge and a lot of malice, to do serious damage. All the IT folk on Slashdot probably have horror stories about just what someone whose technical knowledge consists of "I can start Windows, so I must know everything" can do to a major system. For a worse scenario, imagine what would happen if an IT tech, angry about his/her job going to India, came in with an Etherkiller and plugged it into various servers, routers, and other important equipment. One person, with unsupervised access and the right tools, could easily do thousands or millions of dollars worth of damage in 15 minutes or so. While this might not be a common scenario, the risk is great enough that it's a good idea to protect against it.
      • Second, there's legacy. If your datacenter was established back in the Dark Ages, it may well have been designed to house a timeshare system where one terminal had "root" powers. Obviously, in that case, physical access to the root console should be guarded as jealously as one would guard the root password to an important box today. Even if the system requiring this security is long gone from your datacenter, it's cheaper to leave the security equipment in place than to spend money to take it out.
      • Finally, the higher-ups like to see a machine room with security like a bank vault; after all, they have probably invested millions into the machines (or are considering doing so), and they want to feel protected. While it's true that the money that went to a 2-ton vault door for the server room probably would be better spent hiring another admin to help keep the system in good shape and make sure all the patches are up-to-date, the people with the money would rather have the feeling of totally impregnable security than admit to themselves that nothing is ever totally secure. After all, they can't appreciate a well-configured firewall, but a massive door with biometric authorization and a 12-digit access code feels secure to just about anyone.
      --

      That's it. I'm no longer part of Team Sanity.
    13. Re:How much physical security is necessary? by missing000 · · Score: 1

      whoever called this flamebait, more power to ya.

      Come on man, this was clearly humor. You rate this as flamebait, a long time after it was posted, for what reason?

      Were there any flames? I don't think so. Grow up. (or call this a flame too. I don't care at all.)

    14. Re:How much physical security is necessary? by Shoten · · Score: 1

      The issue (as often in risk management) here isn't likelihood of occurrence, but rather impact of event. While it's not common for there to be attempts to infiltrate, the cost of a successful attack would be huge, and to use the old formula, since (Probability of Loss * Cost of Loss) Cost of Preventive Measures, that's why they have the security. It's also hard to say how many attempts there might be if they DIDN'T have the security, seeing as how nobody knows where they are to attempt it in the first place.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    15. Re:How much physical security is necessary? by cmowire · · Score: 1

      Not sure.

  28. Re:Ahhh... So Surveillance Is Easy by eric76 · · Score: 1

    Or, more to the point, who modded it as "Insightful"?

  29. Backhoes don't respect biometric hand prints by G4from128k · · Score: 4, Insightful

    I can only hope that their NOC has multiple fibers coming to the building and that those fibers aren't in the same trench.

    The other potential source for a single-point of failure is the OS that the root server uses. If Verisign uses any kind of monoculture, they will not be as secure as we might hope. A hacker or botched OS patch could hose the thing.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Backhoes don't respect biometric hand prints by mblase · · Score: 3, Funny

      A hacker or botched OS patch could hose the thing.

      I think we can be reasonably certain that VeriSign (a) only runs as much of an OS on their root server as is absolutely necessary, and (b) only patches it when it's thoroughly tested and approved by people who know what they're working on.

      The way you talk, it's like you think the employees use the server for gathering Unreal Tournament games after hours or something.

    2. Re:Backhoes don't respect biometric hand prints by Anonymous Coward · · Score: 0


      Systems like these have (a) more than one separate supplier with fiber going in different directions and (b) said underground connections are covered by armored steel for hundreds of yards moving away from the building, thus reducing substantially the probability of a single backhoe cutting all connections.

    3. Re:Backhoes don't respect biometric hand prints by lordrich · · Score: 1
      it's like you think the employees use the server for gathering Unreal Tournament games after hours or something.

      I wondered why my dns lookups were slow today!

    4. Re:Backhoes don't respect biometric hand prints by surprise_audit · · Score: 1
      I can only hope that their NOC has multiple fibers coming to the building and that those fibers aren't in the same trench.

      OK, all you cynics out there, why couldn't the NOC use a satellite uplink/downlink to replicate itself to its peers in the event that a backhoe takes out all the fibres?

  30. What was that chill that just shot down my spine? by klaricmn · · Score: 0, Troll

    Did anyone else shudder when they read that someone employed by one of the Microsoft companies was allowed to view that site?

    It instantly became less secure.

  31. Re:Not so impressive by Anonymous Coward · · Score: 4, Funny

    Bah! That's nothing. You need to traverse a gauntlet of obsolete motherboards, dead power supplies, empty CD cases and soda cans as well as a floor mined with tiny machine screws to get to my NOC. That's assuming you got past my wife at the front door.

  32. Weird that it smells like poop under my fingernails by Anonymous Coward · · Score: 0

    Wonder what that could be due to?

  33. From the article by DRue · · Score: 2
    My favorite quote:
    In addition, the company runs both the .COM and .NET databases, making it one of the most powerful and influential forces in the Internet. As such, VeriSign's actions often end up being only slightly less controversial than the sport of dwarf tossing.
  34. Why do people keep repeating that myth? by Medievalist · · Score: 4, Insightful


    The design documentation of the Internet is globally available... wait for it.. on the Internet!

    If you examine it, you will notice that
    a) DNS is not part of the original design
    b) as designed, it WON'T survive a nuke
    c) nobody intended it to.

    What it *was* designed for was a limited fault tolerance - based on the idea that phone companies suck and the guy that runs the next node is an idiot who can't be trusted to tie his own shoes.

    Turns out they were right about those last two points, incidentally.

    1. Re:Why do people keep repeating that myth? by Anonymous Coward · · Score: 0

      Actually, as designed it probably would survive a nuke at any one location.

  35. Re:Ahhh... So Surveillance Is Easy by Al-Hala · · Score: 2, Informative

    I'll bite.

    The Domain Name System works by sending out a verified master list to other servers on a graduated time scale. This way no one, two, or twelve servers gets nailed with lookups from THE ENTIRE INTERNET....

    Those Primary and Secondary DNS numbers you're asked to enter when doing network setups are for the partial copies stored on the (insert any number of levels) nth server from the master.

    If it can't find the match on one of those, it'll ask others, until a timeout occurs.

    There is nothing to stop you from setting up your own DNS, if you're willing to donate the time and hardware to the cause.

  36. it only takes one by holy_smoke · · Score: 1

    individual to go "postal" and screw things up unfortunately. I subscribe to the "people enjoy contributing to something useful for their own and others' use" theory as well, but I also subscribe to the "people are sometimes unnervingly unpredictable for no apparent reason" theory as well; consequently I understand the need for more defined and structured contracts.

    It only takes one bad apple...just one.

    --
    Is the juice worth the squeeze?
  37. Hi, I'm stupid by Gothmolly · · Score: 1, Flamebait

    And I think that DNS is centralized.
    And I think that more government interference with the Internet is Good.
    And I believe FUD.
    And that Al Gore is a pretty technical guy.
    And I use AOL on my 'puter.

    Please send more informative articles like this. I use them to line the insides of my tinfoil hats.

    Thank you very much.

    --
    I want to delete my account but Slashdot doesn't allow it.
  38. Wrong by naoiseo · · Score: 2, Funny

    all you need to access it is a bomb, or, pretty much anything that explodes spectacularly.

    1. Re:Wrong by Anonymous Coward · · Score: 0

      Or I suspect it's no problem if your name happens to be John Ashcroft...

      In 1997, someone at Network Solutions loaded a buggered file, and name resolution for about half the Net was lost in the US within a few hours.

  39. Good by Call+Me+Black+Cloud · · Score: 2, Offtopic

    I'm glad it's down. Good on her for getting it done. Of course, the picture will live on elsewhere but at least she did what she could.

    Just because you can post something doesn't mean you should post something. Redeeming value of that picture? None.

    Yeah, baby, I'm using my real nick...unlike all the cowards who will doubtlessly reply.

    1. Re:Good by Anonymous Coward · · Score: 0

      Just because you can post something doesn't mean you should post something. Redeeming value of that picture? None.

      Redeeming value of your opinion: None. I hereby want your post deleted.

      Who made you in charge of what can be on the internet?

    2. Re:Good by gujo-odori · · Score: 1, Offtopic

      Well, actually, s/he never claimed to be in charge of what's on the Internet, but merely expressed an opinion on the value and propriety of goatse.

      There hasn't been much calm rhetoric over the suspension of goatse.cx, but (fool that I am), I'll try to create some here.

      While goatse.cx was probably not in violation of the law (IANAL, of course), we all know that a major hobby of some people on some forums is to post links, often deliberately disguised, to goatse.cx so as to trick the uninitiated (or even the initiated) into clicking it. Probably most every one of us on /. who has seen goatse.cx didn't know, before clicking, what it was. And of course, if you don't check all URLs before clicking, you may see it again. Even if you check, it might be a redirect.

      Clearly, then, they had grounds under Item 5 to suspend goatse.cx once they had a complaint. That is what their rules say, and they do have to go by them. Certainly, these rules were not created with the intent of destroying goatse.cx, although they do neatly fit that purpose.

      The issue the registrant(s) of goatse.cx can use in their defense is that while people often post links to goatse.cx and they typically do not identify them as such, on what basis should the registrant(s) of goatse.cx be held accountable for the unauthorized actions of third parties who are not under the control of, or even known to, the registrant(s) of goatse.cx? Similarly, if someone should post a link to a porno site in a children's forum, it is not the site operator who is liable for that, it is the poster. If the site operator himself promotes a porn site to kids, that is actionable and the site should rightly be shutdown and the operator arrested. However, the operator is not responsible under the law for (potentially malicious) actions of others who post links to his site in an inappropriate forum.

      Take that line of defense in trying to get goatse.cx reinstated.

      On a side note, I'd like to know exactly where she clicked such a link, if in fact she did. The native range of goatse links is /. and K5, and she just doesn't seem like the type you'd find in either of those places. And of course, if you go to those places, you have to expect goatse :-)

    3. Re:Good by kayen_telva · · Score: 1

      so if you don't like it, it should be taken down.
      free expression be damned ?
      I would hate to be your wife/husband/blow up doll !!

    4. Re:Good by Anonymous Coward · · Score: 0

      Well, actually, s/he never claimed to be in charge of what's on the Internet, but merely expressed an opinion on the value and propriety of goatse.

      The opinion expressed seemed to support the censorship of goatse. Basically since s/he didn't see any "value" to goatse then s/he had no problem with that site being censored. Of course, the exact same censorship if applied to his/her favorite site would naturally invoke a different response.

    5. Re:Good by Call+Me+Black+Cloud · · Score: 2, Interesting

      On a side note, I'd like to know exactly where she clicked such a link, if in fact she did. The native range of goatse links is /. and K5, and she just doesn't seem like the type you'd find in either of those places.

      It's everywhere. After I got home from work tonight I sat at my wife's computer and started typing in google's URL. In the autocomplete bar I was surprised to see goatse.cx. I asked her about it and she didn't know what I was talking about. She generally hangs around in the parenting message boards at various sites (like about.com). She asked what it was so I brought up the goatse "mirror". She didn't thank me for that.

      I have no doubt my wife does not visit slashdot or k5, but somewhere she came across that link...so it is possible.

    6. Re:Good by Call+Me+Black+Cloud · · Score: 1

      The opinion expressed seemed to support the censorship of goatse. Basically since s/he didn't see any "value" to goatse then s/he had no problem with that site being censored. Of course, the exact same censorship if applied to his/her favorite site would naturally invoke a different response.

      So goatse was your favorite site? No wonder you're a coward. Everyone has their standards and to me, that site had no value. Actually, I think it had negative value. I don't think the Internet should be the lowest common denominator, but that's just me. Heck, why are you sad? The picture hasn't changed...you can just save it to your computer and look at it whenever you want.

    7. Re:Good by Anonymous Coward · · Score: 0

      So goatse was your favorite site? No wonder you're a coward.

      You have astounding logic skills... idiot...

      I don't think the Internet should be the lowest common denominator, but that's just me.

      It should reflect whatever people would like to reflect on it. Some of us don't like censorship whereas you apparently don't have a problem with it if it is censoring something you don't approve of.

      Heck, why are you sad? The picture hasn't changed...you can just save it to your computer and look at it whenever you want.

      It's back, but it was away for a while due to some whiny censorship-happy net surfer.

    8. Re:Good by Anonymous Coward · · Score: 0

      If by "wife" you mean "9 year old boy/forced sex slave" then you could be correct in your post.

    9. Re:Good by Call+Me+Black+Cloud · · Score: 2, Insightful

      so if you don't like it, it should be taken down. free expression be damned ?

      Where did I say any of those things? There are plenty of sites I don't like but I don't care if they're up or not. I'm all for free expression. But with freedom comes responsibility. Let's say all speed limits were abolished and you could drive as fast as you wanted anywhere and any time you wanted. Would that make it ok to blow past the local school at 75 when kids are about? Of course not. The point is this: just because it is legal to do something doesn't mean it should be done.

    10. Re:Good by Anonymous Coward · · Score: 0

      I believe this page describes what happened..

    11. Re:Good by Anonymous Coward · · Score: 0
      It's everywhere. After I got home from work tonight I sat at my wife's computer and started typing in google's URL. In the autocomplete bar I was surprised to see goatse.cx. I asked her about it and she didn't know what I was talking about.

      I'd ask her again after pointing out that the stuff in the auto-complete bar contains links _typed in_, not links clicked on in a different page. As a quick check, hit the dropdown in your browser and see if it contains any of the many links from Slashdot that you might have used already this evening.

    12. Re:Good by Anonymous Coward · · Score: 0
      So goatse was your favorite site? No wonder you're a coward. Everyone has their standards and to me, that site had no value. Actually, I think it had negative value. I don't think the Internet should be the lowest common denominator, but that's just me.

      No, there are plenty of assholes like you running loose.

      Heck, why are you sad? The picture hasn't changed...you can just save it to your computer and look at it whenever you want.

      By your logic, then, I'd have to assume that such knowledge on your part means it's _your_ favorite site. Or did one of your kids tell you it's still there?

    13. Re:Good by gujo-odori · · Score: 1, Offtopic

      Not that I really expected better than the way this thread has gone since my last post, but no one has mentioned at all the point that comes out in my description of how the owners of goatse.cx might pursue their appeal: that under the terms of service that are in effect now and were presumably in effect at the time they registered the domain, a clear violation of the terms of service appears to have occurred. Under those terms of service - which constitute a contract into which the registrants entered, the site may be taken down for violation. Therefore, their only shot at a defense is the Bart Simpson defense: "I didn't do it!" The clear implication of this is that whether you like goatse or hate goatse, from a TOS point of view, the registrants of goatse.cx were in violation and are merely being held accountable according to the TOS.

      In other words, whether you support goatse or wish it would disappear up its own truly huge and grotesque anus, this is not really a censorship issue when you come down to it. It's a contract enforcement issue, and the registrants of goatse.cx have the short end of the stick because the onus is on them to argue that whatever link Rhonda followed to the image, they didn't post it and had no control over the person who did.

      Someone will probably argue that I'm wrong and it is a censorship/free speech issue, and they would have me except for one thing: if I enter into a contract that says I may host/register a web site with registrar/hosting provider X, but that I may not violate a certain list of terms of service, I have to follow it. Let's say that one of the terms of service is that I may not post the goatse image or any variation thereof, and that doing so is grounds for termination of service. However, as soon as my site is up, I post the goatse image, the goatse Darl image, and any other goatse image I can get my hands on. In doing so, I am in breach of contract. A week later they catch me with the goatse images and pull the plug. Not because they are censors - they might even be goatse fans themselves - but because I violated my contract.

      Some of you reading this think the departure of goatse is a good thing, and many others do not. I am taking no stand on the issue, but (perhaps futilely) trying to frame rational debate (yeah, yeah, I know, it's /. and I'm nuts :-).

      However, let me show a very similar case, on which many of you might take the opposite stance. For a number of years, I was a sysadmin at an ISP. One of the hats I wore there was postmaster. Like most ISPs, we had a Terms of Service document and an Abuse Policy, that described in sufficient detail our terms of service, what we considered to be abuse of those terms, and what actions we reserved to resolve them.

      Again, like most ISPs, one of the things we held to be a violation of our terms of service, punishable by termination of your service, was spamming. Whether you spammed through our outbound SMTP, whether you spammed through someone else's to which you had authorized access, whether you used an open relay elsewhere, or whether you used an entirely different network to spamvertise a site we hosted didn't matter. Spamming was a violation of our terms of service, and we could and would pull the plug if you were caught. And yes, we did once cancel the service of a long-time customer whose website was hosted with us and who spamvertised through other networks. The first time they were caught, they were given a clear "never again" order. The second time they were caught, they were told their business was no longer welcome, and their service was terminated. There were also a few (very few; our reputation went before us) spammers who would try it through dialup or DSL. Their accounts were terminated without notice as soon as we discovered them. If they had an active connection at the time, we dropped it with a sense of enjoyment.

      Now, it is certainly an argument of spammers that those who cut them off are censors, and that

    14. Re:Good by Call+Me+Black+Cloud · · Score: 1

      I'd ask her again after pointing out that the stuff in the auto-complete bar contains links _typed in_, not links clicked on in a different page.

      Not true, at least on my browser (and hers - IE6). For example, I was tracking a UPS package. If I start typing "wwwa" (UPS tracking pages start with "wwwapps") I'll get the whole URL containing the tracking number and other parameters. I never typed all that out, and in fact the "wwwapps" pages are all redirects.

    15. Re:Good by sosegumu · · Score: 2, Insightful

      Philosophically, I guess the whole issue boils down to this: is there anything that *cannot* be posted or restricted on the internet?

      If you say that there are *some* standards, then we can have a dialog about what those standards are and how (and by whom) they are decided.

      If your answer is that nothing can be censored, quite frankly, there's nothing left to discuss. I just can't see a world or ethical system that embraces a *total* freedom of information as its highest virtue at the cost of unnecessary pain and chaos. Obvious examples would be step-by-step instructions on building WMD, video images of your sister being gang-raped, etc...

      This week, I was one of the uninitiated dolts who finally looked to see what this goatse.cx was all about. I know that I'm stupid for looking, but I have to tell you that I wish that I had never seen it. And out of curiosity, if you're one of the people spending time and effort trying to trick people into looking at it, why do you do that?

      --
      It's easier to wear the spandex than to do the crunches. --David Lee Roth
    16. Re:Good by Nevo · · Score: 1

      Amen, brother!

      Censorship for everyone! Ashcroft, Ashcroft, rah rah rah!

      Nothing that isn't white, Protestant, college educated, and politically correct should be on the Internet! We'll have none of those free thinkers here! Anyone who disagrees should be shipped off to Guantanamo!

  40. The internet is, to a degree. The web is not. by raygundan · · Score: 1

    The internet is somewhat decentralized, although I understand that some backbone consolidation over the years has left us with some weak spots.

    DNS, however, is pretty centralized.

  41. Ummm...it's not really that secret by PenguinRadio · · Score: 3, Interesting

    I've had a few guys point it out to me before. Many DC / Dulles Toll Road-types know where it is.

    Now, there are other buildings in DC that are much more cool. Like the one on the Toll Road with green "windows" that are merely for appearances as the entire building is solid concrete. Or the stuff in Crystal City that is bathed in electronic white noise to prevent eavesdropping.

    1. Re:Ummm...it's not really that secret by aiken_d · · Score: 1

      Solid concrete? So what do they use it for? Roller hockey on top of it or something?

      Cheers
      -b

      --
      If I wanted a sig I would have filled in that stupid box.
    2. Re:Ummm...it's not really that secret by Anonymous Coward · · Score: 0

      To go one step further, though, those buildings in Crystal City aren't as cool as the Crystal City Restaurant :)

    3. Re:Ummm...it's not really that secret by EmagGeek · · Score: 1

      On Fullterton Road in Springfield, there is a non-descript brick office building with thousands of BRAND NEW cars, all white, in the parking lots. The sign on the side of the building says "Smithsonian Institute Catalog Division." A quick look at all of the security cameras and razor wire lets you know this is not the catalog division of the Smithsonian Institute.

      I believe this is where they "prepare" (install bugs, monitoring devices, etc) cars that are shipped overseas for use by domestic and foreign diplomats. Not sure, though...

  42. Sod it. by Dark+Lord+Seth · · Score: 4, Funny

    Unless the NOC was ordered at this place, I'm not impressed.

  43. Not a big deal if it dies by Znonymous+Coward · · Score: 0

    Internet's most precious computer is inside humming happily away in a hermetically...

    Aren't 98% of all queries at the root level unnecessary anyway?

    --

    Karma: The shiznight, mostly because I am the Drizzle.

  44. Translation: by Anonymous Coward · · Score: 0
    The slut at the strip bar ate my underwear. What the heck can I do about it dad?

    Not too sure what this has to do with the original post, but it sure looks like a question slashdotters could answer!

    1. Re:Translation: by Anonymous Coward · · Score: 0

      Hehehe, good translation dude.

  45. Re:Not so impressive by Anonymous Coward · · Score: 0

    Bah! That's nothing. You need to traverse a gauntlet of obsolete motherboards, dead power supplies, empty CD cases and soda cans as well as a floor mined with tiny machine screws to get to my NOC. That's assuming you got past my wife at the front door.

    Heh, probably true for most slashdotters only s/wife/mom/ and add something about a basement.

  46. They gave the location away. by Anonymous Coward · · Score: 0

    If you follow the root server link, it shows the A root location as "dulles, va".

  47. Re:Ahhh... So Surveillance Is Easy by The_K4 · · Score: 1

    On the count of 3 every one ping 198.41.0.4

    Ready?
    1...
    2...
    3.[End of Line].

  48. Re:Security through obscurity? Wha? by Anonymous Coward · · Score: 0

    Coming next week on "Open Source Speaks", detailed plans to your local federal penitentiary, including but not limited to blueprints, schematics for locks, and guard schedules.

    a properly secured facility, that would all be immaterial not do much for breaking out.

    so idiocy remains supreme even though you are busy patting yourself on the back for coming up with SUCH a "clever" slam.

    twits

  49. mod points? by Anonymous Coward · · Score: 0

    Wow did the whole user moderation thing fail on this article. Raise your hand if you haven't setup a DNS server before. If your hand is raised, leave the room, don't post, I don't care how you think it works.

  50. bullshit, its all fake by Anonymous Coward · · Score: 0

    the biometrics are easily gotten around through the ceiling tiles and floor. verisign's safe where the root keys for signing certs lived was kept in a room with an outside window in california and the combo to the safe written on a sticky note on the wall that was covered up anytime rich visitors came by.

  51. Big Deal by lordrich · · Score: 1

    So they're safe from us. Big deal. Are we safe from them?

    1. Re:Big Deal by __past__ · · Score: 1
      You can always just use different root servers, either one of the 12 others in root-servers.net or a completely different DNS hierarchy.

      Technically, they are not very powerful at all - they can't do anything which you couldn't work around by tweaking a configuration file or two. The only problem is that not many people know that, and that tweaking a configuration file or two on billions of systems is a minor logistical problem, so your fixes are effectively only possible for those who care enough.

  52. Guess I just never thought much about it by krygny · · Score: 1

    Interesting article. Since the Cold War is over, and Al Quaida live in caves there's some great fodder for Tom Clancy.

    --
    Research shows that 67% of those who use the term "research shows", are just making shit up.
  53. This is a blatant troll: by Anonymous Coward · · Score: 0
    I would like to ask our friends as the Beale Cypher Association to please take a look at this.

    Particularly those of you in Virginia. If ya know what I mean. <WINK>

  54. another curveball by freddyfred89 · · Score: 0, Redundant
    Did anyone else notice that the byline is designed to obscure the true identity of the author? Here is the byline:

    By Brock N. Meeks
    Cheif Washington correspondent
    MSNBC

    It's hard to work out this puzzle, because the truth is well-hidden, but I think I've cracked it. I'm willing to bet that this was written by MSNBC's Chief Washington correspondent.

    When bylines have typos, I'm pretty sure it's a sign that the republic is falling ...

  55. It's not in the States... by Anonymous Coward · · Score: 1, Funny

    It's been outsourced and housed some where in India...

  56. MODERATORS ON CRACK (again) by Anonymous Coward · · Score: 0

    how in the hell is that a troll?

  57. Seen on the sidewalk the next day... Oh Shit by PetoskeyGuy · · Score: 4, Funny

    ROOT-A
    --\ /--
    )(
    --/ \--
    20 MBs

  58. Not exactly a dupe.... by stoolpigeon · · Score: 3, Informative

    but here is the /. thread on this facility from March, 2002. http://slashdot.org/article.pl?sid=02/03/29/1449228&mode=thread&tid=95

    To be honest it is kind of embarrassing that I immediately thought- "I just saw something just like this on slashdot not long ago" to find out it was almost 2 years ago. I didn't look at the new article close enough to see if there were any big differences over the years. To be honest the articles are spooky similar. Hmmmmm.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  59. Woah by chunkwhite86 · · Score: 1

    All this high tech biometric stuff is almost as cool as these badgers. Woah...

    Almost.

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  60. Obscurity? by mek2600 · · Score: 1

    Well, there goes that obscurity thing.

  61. I hope they pay the secretaries well by Anonymous Coward · · Score: 0

    More than $40/hour, which isn't much in DC.

    Social engineering works best with underpaid, oversexed, or unappreciated (perception is as important as reality) employees.

    Although, in reality, you don't have much of a life or house in DC with less than 100k/year.

    Which is why you post on /. on Friday evening.

  62. Fallibility of testing and monocultures. by G4from128k · · Score: 1

    I think we can be reasonably certain that VeriSign (a) only runs as much of an OS on their root server as is absolutely necessary, and (b) only patches it when it's thoroughly tested and approved by people who know what they're working on.

    I agree that Verisign is extremely careful in exactly the ways that you suggest. But I also remember the MCI Frame Relay outage of 1999 and Therac-25 Accidents. The point is that any regime of tests and analyses will only eliminate a percentage (admittedly a high percentage) of the potential fault conditions. And if you realize that Verisign is up against the combined smarts of intentional and unintentional black hats, then you realize that it is inevitable that someone outside the trusted circle will discover and use an exploit before Verisign and the internet community can find the fault and plug it.

    What I meant by avoiding monoculture is that any mission critical system would do well to avoid a single implementation of a protocol, encryption algorithm, or OS. Instead, the system should employ more than one independent approach with discrepancy detection. That way, a foe would need to simultaneously spoof or hack a system in multiple ways to create an undetectable exploit.

    Nothing is foolproof, but systems that rely on a single chain of logic, algorithm, or code are especially foolhardy.

    --
    Two wrongs don't make a right, but three lefts do.
  63. How do I get access to the NOC if... by kalieaire · · Score: 1

    I am a one armed man; I'd have a hook for my other arm?

    Perhaps they'll embed an rfid tag inside me pirate's booty. arrrrggggggggggg!

    o/~Yo ho, yo ho, a pirate's life for me
    We pillage, we plunder, we rifle, and loot
    Drink up, me 'earties, yo ho
    We kidnap and ravage and don't give a hoot
    Drink up me 'earties, yo ho

    o/~Yo ho, yo ho, a pirate's life for me

  64. Really tight security... by Lexic0n · · Score: 2, Funny

    Visitors are "tagged and bagged" and made to sign de facto non-disclosure agreements before being lead to an elevator.

    "Tagged and bagged"? Really? Visitors are killed, inventoried, and their remains placed into a body bag? And then they're asked to sign an NDA?

    That really is tight security!

  65. Fiber back up..... by RY · · Score: 1

    The redundant link to the outside has been found!
    What do you think is used if a backhoe cuts the fiber!

    That's not really a satellite antenna on the roof it is a " 802.11 dish "

  66. Wrong Architecture = More Fragile by billstewart · · Score: 5, Informative
    Anycast is a good approach for some kinds of problems, but fundamentally the A Root and the other rootservers are a more fragile environment than they should be because they're not using the hierarchical nature of the DNS system appropriately. Last year's DDoS attack on them demonstrated some of this vulnerability. The Root Servers have three main jobs:
    • Distributing the database to major servers (at least one machine from each of the 13 often-virtual root servers, plus the master DNS servers at the Tier 1 ISPs, the CCTLD servers, and some small number of other sites)
    • Answering DNS queries from the major servers
    • Answering DNS queries from any random machine on the Internet
    The system becomes performance-critical to lots of people because too many machines send queries to the root servers (or the .com and .net servers) instead of querying their ISP's DNS server, and too many small ISPs are also querying the root servers instead of their upstream's DNS server. DNS scales well because most information can live near the bottom of the net, and almost all queries can be resolved locally or nearby without having to go ask Jon Postel's ghost for the authoritative answer.

    The root zone itself is probably under 10KB of data that doesn't change every day - if you provide a separate server for zone transfers and let 1000 other DNS servers have access to it (firewalled to prevent any other IP traffic), that's about half an hour on a 56kbps modem. Remember that all it's doing is answering good questions like "Where are .com's name servers?" "Where are .za's name servers", bad questions like "Where are .example,com's name servers?", "Where is 10.in-addr.arpa?" and ugly questions like "Where is Ping of Death?". Let the major servers handle most of the work, absorb the ugly packets and do some queries for bad packets, and let the general public query those anycast machines - they should be querying their ISPs' servers, or their upstreams', which cache the real information, and even when their queries aren't bogus, they shouldn't be blocking the internet-stability-critical traffic.

    The .net, .com, and .org domains are a similar problem, except of course they aren't served by the root servers. The zones are much bigger, a few gigabytes size, but probably only 10% of it changes in any given month, or 99.9999% of the existing domains, which ought to be enough to call the Internet stable, using about 1 Mbps (10GB * 1%/day * 8 bits/byte / 24*60*60 ), and again, keep the public query traffic separate from the zone transfer traffic, and maybe offer a third set of DNS servers to answer queries from the big ISPs to handle things like newly created domain names. The reason to keep that kind of query traffic separate is to avoid attacks like "query bogus00001.com" "query bogus00002.com" ... etc.

    Obvious flame-attracting discussion points:

    • What about the Alternate Roots? They argued that there's no excuse for ICANN/Verisign/etc. to own the TLD space and PROFIT from selling names like *.sex. Fine - they can use my ideas for free :-)
    • DJB likes rsync+ssh better. He might be right, but I'm trying to look at the small incremental change approach.
    • This makes nic.big-ISP.net a much bigger target! It's already a target. They can apply the same approach recursively, plus their users can still query the roots, and they probably have a somewhat distributed architecture already.
    • But the Internet is supposed to be any-to-any and this sounds like hierarchical corporate hegemony! Alas, too late for that, and if a 56kbps line can handle 1000 root zone transfers in half an hour, a T1 line should be able to handle 50,000 ok. Meanwhile, even covering the top 100 ISPs covers most of the Internet's users for stability.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  67. NSA running the show by Anonymous Coward · · Score: 1, Interesting

    "From our perspective, I think that clearly we are the leader in that particular area, that we provide more back-ups than anyone else does," says Ken Silva, vice president of Network Security for VeriSign. "The advantage of us running the root servers that we run is that we do invest in this infrastructure," said Silva, a 20 year veteran of the nation's top spy agency, the National Security Agency.

    seems like there's nothing to stop the government from censoring a website it really doesn't like with a spook so close to the "A" root server.

    1. Re:NSA running the show by cpghost · · Score: 1

      seems like there's nothing to stop the government from censoring a website it really doesn't like with a spook so close to the "A" root server.

      • It's not the job of the NSA to censor websites.
      • The NSA has better things to do like inventing new codes and breaking foreign codes. Monitoring communications links is their main concern, but this is mainly for traffic analysis (and capture of encrypted data), not for local law enforcement, which is handled by the FBI and other agencies.
      • To capture traffic, the NSA doesn't have to monitor the DNS root. That's quite boring traffic, because all the DNS server sees is a query for gTLD and ccTLD servers. These are widely known, and there is no need to sniff all those queries at the source.
      • Traffic is more easily captured at major CIXen, and other backbone interconnection points. This has nothing to do with DNS. It acts at the IP level. Does the NSA monitor MAE-West, MAE-East or other major interconnects? Probable. Do they monitor international links? Very likely. Do they monitor satellite links? Almost certainly yes.

      How could government censor a website by having access to the "A" root server? Difficult, to say the least, but possible:

      • Since root servers only point to gTLD, ccTLD servers, not to web sites, government would need to duplicate those servers, and then point root to them, instead of the current servers. On the duplicated DNS servers, they could e.g. censor websites by deleting their entries.
      • Changing a single root server's links is not enough. Because all DNS roots get their data from "A", that is the server that will need to be modified.
      • Duplicating all gTLD and ccTLD servers requires considerable resources. Not only the CPU and bandwidth needs to be provided, those servers must synchronize with the official (original) servers very frequently (at least twice daily), so that registries can add/delete/update domains. This requires administrative changes in the original servers (they must allow zone transfers!), all of them not always under the control of the US Government (no ccTLD server, save .us, is under their control!). Government could use proxies, which relay queries to the original servers, after filtering them, but this won't go unnoticed by the original server's admins! ("Hey, all our traffic comes now from a few proxies! What's that? Diplomatic trouble!")
      • While the required resources are enormous, governments do have them, if they really choose to go this way. But spending hundreds of millions of dollars just to be able to censor a few websites, is even for governments a silly thing to do. They'd rather order registrars (or the registry) to edit the official gTLD servers (and they'll have to be diplomatic, if they want to censor websites from foreign ccTLD servers anyway).

      So, in principle, yes. Anyone who controls "A", can also, in principle, manipulate the whole DNS system, and censor websites.

      But let's remember that there's nothing inherently important with "A". We choose to give "A" the status of the root dns server. If we don't like to use this root, we could always switch to an alternate root. Of course, migrating millions of computers, most of them poorly administered Windows machines, to an alternate, non-censored root (should this censorship ever happen) won't happen, so the government could still censor the Net...

      --
      cpghost at Cordula's Web.
  68. so true by my+sig+is+bigger+tha · · Score: 1

    i love what you are saying. not only does it not make anything better, even in the terms of the system, it costs taxpayers more to keep people in prison, and it scapegoats the "criminals," which frequently means that actual solutions (and fixes) aren't explored.

  69. Re:Ahhh... So Surveillance Is Easy by Anonymous Coward · · Score: 0

    no no no... it isn't a router... It is dns and you are pinging the ip address and if you have read the other 30,000 posts you would know that the internet would be fine.

  70. Thumbs Both Ways by serutan · · Score: 1

    Thumbs down to MSNBC for spooning up a dripping dose of Verisign PR.
    Thumbs up to consultant Christopher Ambler for getting them to print "rat's ass."

    "From our perspective, I think that clearly we are the leader in that particular area..." says Ken Silva... He believes that none of the other root server operators can match VeriSign's investment. etc, etc, etc. Abruptly he pulls his hand away, like a small child sensing the heat radiating from a stove burner. "Can you pull that door closed? I didn't hear it click," How many times did he rehearse that bit of security-is-our-middle-name theatrics?

  71. I know where it is! by incom · · Score: 1

    Reply to this if want to make a $$$ offer.

    --
    True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
  72. posting from root developer maillist by omega9 · · Score: 1

    [DNS-Root-Developers] Need help setting up with 2.6.0_test3 and alsa on A root.

    Dewie Cheatem dcheatem at verisign.com
    Mon Jan 05 06:27:14 EST 2004
    ---
    Hey guys. I've just reinstalled the A Root with Lindows and thought I'd try putting a new kernel in. A buddy burned the 2.6 source tree to cd for me so that's what I'm using. Everything seems to be going ok, but I'm not used to setting up alsa and I can't get any sound. I've unmuted all the channels but I still can't hear anything, at least not my Sade cd. Oh, also, distccd keeps segfaulting on this box. I don't know why!! If you've got any thoughts on this let me know too. I've got a shell script that restarts it every 5 minutes in the mean time.

    Thanks in Advance!

    Dewie Cheatem
    A Root
    Verisign
    --
    I'm against picketing, but I don't know how to show it.
    1. Re:posting from root developer maillist by babbage · · Score: 0
      Dewie Cheatem

      And Howe!

  73. 98% of Root Server Queries are Unnecessary by billstewart · · Score: 4, Informative

    According to an October 2002 study, 98% of queries to the F Root Server (and therefore probably to the other root servers) are unnecessary. Either they're duplicates (75%) or they're for bogus TLDs (.localhost, .elvis, .corp, etc.) or they're in-addr.arpa queries for RFC1918 addresses, or they're some other bogus query, and they should have been served out of cache or handled by some ISP's DNS instead of bothering the roots. Maybe the A Root has some important functions, but they aren't what it spends its time on. And 50% of the queries come from about 220 servers - they should either be caching responses, or be shuffled off to some server that handles them (I guess anycast will help with this...) as well as cleaning up their act if they're broken, which some of them are.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:98% of Root Server Queries are Unnecessary by addaon · · Score: 1

      Um, if the root servers shouldn't handle a request for .elvis, who the heck should? I mean, that's their purpose... to inform a requestor if a given tld exists, and if so, where. You can't cache non-existence, since things change.

      --

      I've had this sig for three days.
    2. Re:98% of Root Server Queries are Unnecessary by Iamnoone · · Score: 1
      You can't cache non-existence, since things change.

      Actually, the RFC's say you can and this one explains it more fully: RFC 2308

      A large proportion of DNS traffic on the Internet could be eliminated if all resolvers implemented negative caching. With this in mind negative caching should no longer be seen as an optional part of a DNS resolver.
    3. Re:98% of Root Server Queries are Unnecessary by kju · · Score: 1

      Guess what: Most resolvers DO negative caching. But you can only cache, if you have first asked for a result, and therefore there is a NEED to ask the root servers about bogus tlds.
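The sub-thread above turns on how RFC 2308 negative caching behaves: the first query for a bogus TLD must still reach a root server, repeats are answered from cache, and the entry expires so that a newly created TLD is eventually seen. The following Python sketch is an added illustration, not code from any poster or from a real resolver; the toy root server, the TTL values and the query stream are constructed sample data.

```python
"""Negative caching (RFC 2308) in a toy caching resolver.

Added illustration. The root zone contents, SOA values and query
stream are constructed; only the TTL rule comes from RFC 2308.
"""

# Constructed stand-in for the root zone: TLD -> (name server, record TTL)
ROOT_DELEGATIONS = {
    "com": ("a.gtld-servers.net", 172800),
    "za": ("ns.za-sample.invalid", 172800),   # made-up server name
}
# SOA values attached to an NXDOMAIN answer (constructed numbers)
SOA_TTL, SOA_MINIMUM = 86400, 3600


class ToyRoot:
    """Counts every query that actually reaches the 'root server'."""

    def __init__(self):
        self.queries = 0

    def lookup(self, tld):
        self.queries += 1
        if tld in ROOT_DELEGATIONS:
            ns, ttl = ROOT_DELEGATIONS[tld]
            return {"rcode": "NOERROR", "ns": ns, "ttl": ttl}
        # The SOA in the authority section carries the negative TTL.
        return {"rcode": "NXDOMAIN", "soa_ttl": SOA_TTL,
                "soa_minimum": SOA_MINIMUM}


class CachingResolver:
    def __init__(self, root, negative_caching=True):
        self.root = root
        self.negative_caching = negative_caching
        self.cache = {}  # tld -> (expires_at, answer)

    def resolve_tld(self, name, now):
        """Return (rcode, source) where source is 'cache' or 'root'."""
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        hit = self.cache.get(tld)
        if hit and hit[0] > now:
            return hit[1]["rcode"], "cache"
        answer = self.root.lookup(tld)
        if answer["rcode"] == "NOERROR":
            self.cache[tld] = (now + answer["ttl"], answer)
        elif self.negative_caching:
            # RFC 2308 section 5: negative TTL is the minimum of the
            # SOA record's own TTL and its MINIMUM field.
            neg_ttl = min(answer["soa_ttl"], answer["soa_minimum"])
            self.cache[tld] = (now + neg_ttl, answer)
        return answer["rcode"], "root"


# Constructed query stream: (seconds since start, queried name).
# It mixes repeats and the bogus TLDs named in the thread.
SAMPLE_STREAM = [
    (0, "www.example.com"), (1, "mail.example.com"),
    (2, "printer.localhost"), (3, "fileserver.corp"),
    (4, "printer.localhost"), (5, "graceland.elvis"),
    (6, "fileserver.corp"), (7, "www.example.co.za"),
    (8, "printer.localhost"),
    (3700, "printer.localhost"),  # negative entry has expired by now
    (3701, "printer.localhost"),
]


def replay(stream, negative_caching):
    """Run the stream through a fresh resolver; return root query count."""
    root = ToyRoot()
    resolver = CachingResolver(root, negative_caching)
    for now, name in stream:
        resolver.resolve_tld(name, now)
    return root.queries


if __name__ == "__main__":
    print("root queries without negative caching:",
          replay(SAMPLE_STREAM, False))
    print("root queries with negative caching:   ",
          replay(SAMPLE_STREAM, True))
```

With negative caching each bogus TLD costs the root one query per negative-TTL window instead of one per lookup, and the re-query after expiry is what lets a resolver notice a TLD that has since been delegated.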

  74. A few signatures from the petition by yourmom16 · · Score: 1
    6389. Joshua Gaines goatse.cx is like the Grand Canyon of the internet, you can't just destroy the Grand Canyon

    6377. Jasin Natael moves like these are more disgusting than the pictures of the goatse man himself

    6373. Andrew Chinnici Goatse taught me the meaning of true love

    we miss the internet creator, goatse made me who i am, we want goatse back

    6303. R(ed) You can't get rid of Goatse! I mean, that was the best morph I've ever seen!!..Wait..what do you mean it's real!

    6296. Reverse Experience This is no laughing matter. It's about saving someones ass!

    6273. l33t goatse fan i miss goatse.cx soo much, i used to visit the site every night, now i am forced to watch Z3LL do his impersonations of what goatse used to do :'(

    6241. kurt goatse.cx is to the internet what the grand canyon is to the tourism industry. it's deep, cavernous domain is meant for the world to see! bring it back, and tell those whiny religious right-wingers to stick it up their own ass for once. leave the goatse guy alone!!!

    6209. tuxlearner if Bush still exists, why not Goatse ?

    6208. Will Loveless Goatse.cx was like a father to me, thanks for killing him.

    6195. The Big One i lost my virginity to GOATSE!!!!!!

    6107. Alexei Zakharov Goatse.cx was good, wholesome family entertainment and should be restored immediately. Furthermore, it was an internet institution. Forum newbies the world over are being deprived of this rite-of-passage. Bring back Goatse!

    6019. Ron I used to have an email forward on goatse.cx and now thanks to a selfish woman who feels her opinion must be imposed on everyone, I now lack that forward forever. Also, There was even a disclaimer added when people started complaining about it. The administrator did whatever he could to stop people from posting the link to message boards. NIC.CX should have no authority, just like any other registrar, to cancel accounts subjectively.

    6001. driver8 goatse.cx is like a historical internet landmark and must be preserved for future generations!

    5947. Jani Nurminen When there is goatse.cx, we can rest assured that the Internet has not been fully commercialized. Do not take it away.

    5902. James Yarrison Goatse is an embodiment of the best and worst of the internet. Nothing is worse than being tricked into going there, and nothing is better than tricking someone into going there. It served a valuable purpose: to drive home the message that, on the internet, one must be very careful who one trusts, and where one does and doesn't got, but without the potential dangers of viruses or popups. To take the site down is to deny humanity not only of a valuable resource, but of a part of our collective history. People the world over have been fooled by Goatse, and to tear it down is to tear away the sense of community it gives.

    5845. Geno4120 please return it! we miss the mascot of the intarweb :(

    5821. Eric Raymonds Goatse man's ass was the homeland of 2 million Palestinian refugees, where will they go?

    5759. Jack Goatse was not just a shock site to scare n00bs with.... It was a symbol of free speech for all to behold and to be disgusted or be driven to laughter when viewed.

    3862. adam ray the man opend his ass for us, we can at least open our hearts

    721. meaghan q! sinclair if the basketball doesn't fit, you must acquit

    39. PJ J. KIWI HOW DARE YOU TAKE AWAY MY LASER STRIKE TEAMS MASCOT! GOATSE UNITED WILL LIVE ON FOREVER.

    38. Karl Kennington I love goatse more than sunshine. Please bring it back!

    --
    "We have got to make Stan understand the importance of voting, because he'll definitely vote for our guy." - South Park
  75. I've been there by rs79 · · Score: 3, Interesting

    Back in the good old days when her serene highness the Dalai Lauren worked there and Dave Holtzman was still VP I took the e-ticket tour. The facility is in a nondescript industrial mall a few miles from the NSI mothership.

    "oh, you'll want to see this"

    "what is it"

    "A-ROOT"

    "THAT tiny little thing?"

    "Yup. Go ahead and touch it, everybody that comes here wants to do that. See where the paint has worn off the case?".

    "Uh, ok"

    "You use this thing Dave"

    "Nah, I download the root zone from you".

    "Cool, for that you can buy me lunch".

    "Good idea. Thai okay?"

    NSI was fun once and there's lots of good stories. When the FNCAC made the NSF tell NSI to start charging for domain names none of the freaks working at NSI could believe you could charge for this and lots of checks were just pinned up to a bulletin board in a "wait and see" holding pattern for a few months. There weren't so many domains back then.

    Karl Auerbach also downloads the root zone from me and you should too. Or use OpenNIC's root or even *cough*ICANNs*cough* (ftp://internic.net/domain/root.zone.gz), or any root.zone you want but if you know what's good for you you won't rely on anybody but yourself to serve up the root zone so your computer can find pointers to the various TLD servers: primary the root for yourself and don't worry about DOS attacks on other peoples computers taking your machine off the air.

    That really was the dumbest part of the change from hosts.txt to the DNS - it changed the paradigm from your computer knowing where everything was to making your computer rely on the "." zone to be able to find the computers that know where all names can be found and there's really no reason for it.

    Certainly it does not scale for everybody to grab a copy of the root from one place, and Dan Bernstein has suggested a cryptographically signed root be distributed via usenet. To this end I've created news:alt.root.orsc and will begin doing just that this quarter.

    --
    Need Mercedes parts ?
  76. Root server DDOS was October 2002 by billstewart · · Score: 1
    The Root Server DDOS was October 20-22, 2002. It wasn't totally successful at shutting them down, but it made a serious dent in several of the systems for a while. We still don't know who did it, whether it was some craX0r k1dd13 looking for bragging rights or the Department of Homeland Security trying to get more funding or trying to get official bureaucratic authority over the root servers. And a measurement shortly before that event found that 98% of the queries to the root servers are bogus (repeats, bogus TLDs like .localhost, reverse-DNS lookups for RFC1918 addrs, etc.)

    Most of the anycast deployment has been since then, and Verisign has put out lots of PR about how they're less vulnerable, but the real critical issues are making sure the Tier 1 ISPs get some kind of secure feed to the data so the root servers are less important.

    (Oh, and I *could* tell you what the Department of Homeland Insecurity was *really* trying to do, but then I'd have to DDOS you and null-route your address space.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  77. DNS on a CDROM/DVD by rs79 · · Score: 1

    That isn't the problem. It's having enough computer to be able to load the com zone without falling over. A few years ago I tried this with as big of a Sun machine I had access to and BIND. It thrashed for an hour then cakked.

    I'd like to hear if anybody has tried loading the com zone on a PC running DJBDNS. By my seat of the pants reckoning it ought to work.

    --
    Need Mercedes parts ?
    1. Re:DNS on a CDROM/DVD by karl.auerbach · · Score: 1

      Wait until you try to load a DNSSEC signed zone of .com size - you'll recollect with fondness those days when the unsigned zone used to load in mere hours.

      The mongo servers of the mongo zones (.com/.net/.org/.de) are moving towards being based on databases and do not need to go through a full reload when the zone contents are changed.

      The root zone, however, is so small that it reloads in the blink of an eye.

  78. Re: IRA Terrorists by Anonymous Coward · · Score: 0

    Well, obviously the US needs to help the UK go find the sources of their funding and the political authorities who let them operate, the way the UK helped us with Afghanistan and the Taliban. That means bombing BOSTON, blowing up its Irish bars, and hauling all those Kennedys down to Gitmo!

  79. Here's the problem by rs79 · · Score: 1

    Back in 98 or so the guys who ran the root at nordu.net would go away on holidays for a month and were incommunicado, so NSI wanted contracts with them all to spell out exactly what each side had to do. This was well before ICANN.

    Earlier than this you can find Manning's comments that "there are problems with the current setup [the root server administrators]". GIYF.

    --
    Need Mercedes parts ?
  80. So download the root zone and primary it by rs79 · · Score: 1

    It's not a big file. Certainly smaller than the last hosts.txt.

    It's here: ftp://internic.net/domain/root.zone.gz

    Of course if you're feeling really frisky you could use this one: ftp://open-rsc.org/pub/db.root

    --
    Need Mercedes parts ?
  81. Were Suns, now IBM by rs79 · · Score: 1

    Holtzman pointed out to Sun they were "the dot in dot com" and they used it in their marketing.

    When it came time to buy new servers they didn't have enough of a clue to offer NSI a decent price break, and IBM offered them 13 servers.

    --
    Need Mercedes parts ?
    1. Re:Were Suns, now IBM by metamatic · · Score: 1

      So IBM is now the dot in .com.

      Sun is the colon in http:.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  82. $150 million, $0 of which went to the doors by slagdogg · · Score: 3, Funny

    At the beginning of the article:

    ... VeriSign isn't shy about touting the $150 million it has invested in various security measures.

    A bit later ...

    "Can you pull that door closed? I didn't hear it click," he asks of the person standing nearest to the first door.

    "Click."


    Sheesh, for $150 million you'd think a robot would double check the door for them.

    --
    (Score:-1, Wrong)
    1. Re:$150 million, $0 of which went to the doors by Anonymous Coward · · Score: 0

      Robot? What do you think this is - the Pentagon with its $3000 toilet seats?

      How about a Door closer from Home Depot (Internet/Catalog SKU: 908065)... Just $149.95...

      Typical of security though, and The Princess said it best "The more you tighten your grip, the more [doors] will slip through your fingers..."

    2. Re:$150 million, $0 of which went to the doors by evilviper · · Score: 1
      Sheesh, for $150 million you'd think a robot would double check the door for them.

      I'd be happy with a 10cent LED, or a tiny line of code that wouldn't open the second door until the first one was closed.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  83. BitTorrent and hosts.txt by billstewart · · Score: 2, Interesting
    The Root Zone is really small - a few global TLDs, a couple hundred CCTLDs. It's about 10KB. Even if they added DNSSEC to the whole root zone it'd be under a meg. Might as well get a copy.

    The equivalent for .com is obviously much bigger - I think there are ~35 million names (maybe that includes .net). But that's still about 5GB of highly compressible data - probably about 1GB if you sort it appropriately first. That's about the size of a Linux distribution - use BitTorrent. That's about 3 hours on a T1 line, and most of the people who need it are ISPs anyway (so it's about 10 minutes on a T3.) Probably doesn't change by more than 20% a month, or 1% a day.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:BitTorrent and hosts.txt by SamBeckett · · Score: 1

      if it changes 1% a day then the overall change
      is

      1.01^30 (for a thirty day month)

      Which = 1.3478blahblahblah, so does it change 1% a day or 20% a month, or what???

    2. Re:BitTorrent and hosts.txt by evilviper · · Score: 1
      But that's still about 5GB of highly compressible data - probably about 1GB if you sort it appropriately first. That's about the size of a Linux distribution - use BitTorrent. That's about 3 hours on a T1 line, and most of the people who need it are ISPs anyway (so it's about 10 minutes on a T3.) Probably doesn't change by more than 20% a month, or 1% a day.

      The question is simply: Why don't any DNS servers save this data?

      Because of a suggestion of mine quite some time ago here on slashdot, MaraDNS will try to update an expired record, but if it can't it'll continue to use the old, cached record. This is a very good scheme for the most popular sites (good enough if the main servers go down for a moderate period of time; perhaps a few days) however, it doesn't yet save that data to disk, so when you restart the server the data needs to be collected from scratch, and only holds as many cached records as can be put in ram.

      If caching to disk was implemented, even only moderately popular DNS servers would have a nearly-complete copy of all TLDs, and could continue on, using only that saved information, even if the Root/.Com/.Net DNS servers were offline for months at a time. Some of it would become out-of-date, but only a small portion of it would fail to work.

      It would be like a dynamic hosts.txt file.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
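The comment above describes two behaviours: keep answering from an expired record when the upstream servers cannot be reached, and save the cache to disk so a restart does not throw it away. The Python sketch below is an added illustration and is not MaraDNS code; the class name, the JSON file format, the `max_stale` bound and the sample record (a documentation address) are assumptions made for the example.

```python
"""Serve-stale cache with on-disk persistence (added illustration)."""
import json
import os
import tempfile


class UpstreamDown(Exception):
    """Raised by the upstream callable when no server answers."""


class StaleCache:
    def __init__(self, path, upstream, max_stale=30 * 86400):
        self.path = path
        self.upstream = upstream      # callable: name -> (addr, ttl)
        self.max_stale = max_stale    # how long past expiry we still answer
        self.records = {}
        if os.path.exists(path):      # survive a restart
            with open(path) as fh:
                self.records = json.load(fh)

    def lookup(self, name, now):
        """Return (addr, state); state is fresh, refreshed or stale."""
        rec = self.records.get(name)
        if rec and rec["expires"] > now:
            return rec["addr"], "fresh"
        try:
            addr, ttl = self.upstream(name)
        except UpstreamDown:
            # Fall back to the expired record, but only within a bound:
            # an unbounded stale answer could outlive a changed or
            # hijacked delegation indefinitely.
            if rec and now - rec["expires"] <= self.max_stale:
                return rec["addr"], "stale"
            raise
        self.records[name] = {"addr": addr, "expires": now + ttl}
        self._save()
        return addr, "refreshed"

    def _save(self):
        # Write to a temporary file and rename, so a crash mid-write
        # cannot leave a truncated cache behind.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.records, fh)
        os.replace(tmp, self.path)


# Constructed sample data: one name, a documentation address, TTL 3600 s.
SAMPLE_ZONE = {"www.example.com": ("192.0.2.10", 3600)}


def demo():
    """Lookup, upstream outage, restart, stale answer, then refusal."""
    state = {"up": True}

    def upstream(name):
        if not state["up"]:
            raise UpstreamDown(name)
        return SAMPLE_ZONE[name]

    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "cache.json")
        first = StaleCache(path, upstream).lookup("www.example.com", now=0)
        state["up"] = False                     # upstream servers go away
        restarted = StaleCache(path, upstream)  # new process, cache reloaded
        second = restarted.lookup("www.example.com", now=7200)
        try:
            restarted.lookup("www.example.com", now=10**7)
            third = "answered"
        except UpstreamDown:
            third = "refused"                   # past the max_stale bound
        return first, second, third


if __name__ == "__main__":
    print(demo())
```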
    3. Re:BitTorrent and hosts.txt by Anonymous Coward · · Score: 0
      The changes are small. But no one provides a diff/patch file they just have the whole thing.
      Domain Counts (Active, Deleted, On-Hold) and Daily Changes, last 24hrs (New, Deleted, Transferred):
      Active | Deleted | On-Hold | New | Deleted | Transferred | TLD
      26,365,081 | 14,870,072 | 346,746 | 41,938 | 18,769 | 25,823 | .COM
      4,371,932 | 2,850,938 | 63,376 | 6,284 | 3,293 | 3,814 | .NET
      2,788,070 | 1,706,901 | 33,401 | 3,934 | 2,526 | 2,243 | .ORG
      1,088,545 | 249,234 | 1,274 | 1,734 | 1,021 | 557 | .INFO
      922,483 | 235,428 | 1,021 | 2,003 | 1,098 | 700 | .BIZ
      739,098 | 23,161 | 490 | 978 | 239 | 403 | .US
      36,275,209 | 19,935,269 | 446,308 | 56,871 | 26,946 | 33,540 | Total
      Last Updated 1/24/2004
      From whois.sc
      But "change" as far as overall domains status is concerned is a many-state thing. The shades of change --- pending, change of registrar, change of owner are reflected in a separate file with the whois data. These guys, among others, have products and services that enumerate all the changes for people in the formerly-lucrative domain squatting marketplace: droplists.net
  84. ftp://127.0.0.1/hosts.txt by billstewart · · Score: 1
    Actually, there's a rather nice hosts.txt at www.mvps.org.

    All the IP addresses are 127.0.0.1, and the domain names are a collection of spammers, popup sites, banner dealers, etc., most of whom you'd rather not talk to. (Of course, that works better if you've got a web server that rejects everything, or sends back blank 1x1 GIFs.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  85. who designed this system by cinnamon+colbert · · Score: 1

    What moron designs a system without triple redundant background? Or, if you don't have it initially, what kind of morons let this condition persist? You geeks don't seriously expect me to believe that loss of a single computer would actually affect anything for more than a few milliseconds? I think the whole thing is not so subtle pumping for Verisign - look at us spending Mbucks on this free but super critical service... if the internet actually cared if A got hit by a bomb, then a LOT of people, in govt and academia and biz have a LOT of explaining to do..

  86. Strength in numbers. by Anonymous Coward · · Score: 0

    "There is nothing to stop you from setting up your own DNS, if you're willing to donate the time and hardware to the cause."

    Actually in this era of "appliance computing". Why shouldn't people with DSL or Cable have "Root" servers in their modems? If everything said in this "/." discussion is true, and HDs are big enough, and small enough? Then that would be the ultimate in distributed architecture. Throw in content caching (cross-link with other local caches) and the load on the Internet would drop quite a bit, and the Internet would be more robust.

  87. The root servers must be protected! by seebs · · Score: 1

    I love the attitude. "Only WE have the right to wreck the DNS system completely!"

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    1. Re:The root servers must be protected! by Iamnoone · · Score: 1

      I love the attitude. "Only WE have the right to wreck the DNS system completely!"

      Exactly, if they are lobbying via this article to start paying people to run root servers, I want them to pay some people I trust. I want them to pay the eff, OpenNic, ORSC, and some other people who don't trust each other rather than a happy bunch of golfing buddies who all seem to reside in nondescript buildings in the spooksville area around Washington. Then I want them to take a small portion of that mountain of money they are making off of us and pay someone to work with the admins of the 220 systems that send out 50% of the (mostly bad) queries to the root servers in the first place. Everyone wants to skin people alive who run open mail relays, but the idiots who overload the dns system due to incorrect configurations deserve some wrath, too. Reduce traffic and improve response time for connections, Verisign et al could give back rather than just put up self-serving crap like sitefinder.

      I love to grouse about these idiots as much as the next /.er, but I fear if we are not more demanding that they and ICANN work towards making the root and tld system work better, then jelle will be proven correct in his/her prediction.

  88. Re:The internet is, to a degree. The web is not. by Anonymous Coward · · Score: 0

    DNS, however, is pretty centralized.

    Despite whatever misinformation VeriSign is blowing, DNS is relatively decentralized. The A-root is no more important than B, C, D, E, or F.

    Not only is VeriSign becoming more and more adept at using the media to create the image that they own the internet, it seems that more and more tech writers have never cracked an RFC, or seem to know where to look this shit up.

    (BTW, that would be here. Or in your /usr/share/doc/RFC if you're running Debian and have installed the appropriate doc-rfc packages.)

  89. Go fuck yourself. by Ayanami+Rei · · Score: 1

    Seriously.

    Mod me sideways, but it's the truth. You and Rhonda should get together and figure out how to take down some other sites you don't agree with.

    It takes a seriously bland personality such as yours (and Rhonda's) to not find any redeeming value in goatse. Just the sheer cultural significance of it (especially on slashdot) is enough to make it a talking point, and to attempt to remove it is to end an era. ...An era of personal responsibility and knowledgeability about the public nature of the internet.

    Why don't you do the rest of us a favor and just get off it if that's your attitude?

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  90. I know where that is! by Ayanami+Rei · · Score: 1

    Although I've never taken a close look at it. It's right across the street from the shopping center with the "Regal Cinemas"... there's a Marriott and a Sweet Water Tavern/Olive Garden on the street leading up to the business park. We go there all the time.

    Sigh. Now I'm going to have to prowl around out front and get security all worried. ::runs off::

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  91. Re:Good? Nope, a troll... by doomdog · · Score: 1

    What a loser....

  92. Case in point: by Ayanami+Rei · · Score: 1

    Fire in the Baltimore train tunnel that took out a major east-coast Internet trunk.

    It snagged and snarled traffic for the weekend, but the routes were mostly fixed by the beginning of the next week.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  93. Re:Go f* yourself. by Anonymous Coward · · Score: 0

    DNFTT. Anyone who thinks goatse had "redeeming value" ... well ...

    Besides, tricking minors into visiting that site would be a felony, anyhow; you trolls should be glad you haven't been sent to prison...

  94. It's the USGS mapping building. by Ayanami+Rei · · Score: 1

    They take in satellite data and make detailed maps. I remember after Sept 11 they put in all those really heavy barriers and fences.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  95. Two more good ones for you. by Ayanami+Rei · · Score: 1

    On Sunset Hills by Reston Town Center, (just north of the toll road) just before you get to the new Microsoft/Siebel/Oracle buildings intersection, there is a low brown building with no signs out front.

    It belongs to a certain 3-letter agency. I'll leave it up to your imagination.

    There's always a cop car with purposefully confusing jurisdiction markings patrolling the street out front. You can speed right on by if you see him, because they're actually Federal Marshals, IIRC.

    Also near Dulles airport: Take Rt. 28 south until you reach Willard Blvd. (by the Dulles Expo Center). On your right is a large complex also with fake green windows. It's an enormous building set way back in that property. I think it's the same agency (anyone want to correct me?)

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
    1. Re:Two more good ones for you. by Anonymous Coward · · Score: 1, Informative

      No, no, they're on Sunrise Valley, south of the Toll Road. With a lot of other things out in Dulles, Manassas, and Gainesville. Ah, wait, sorry, you said three-letter agency. I thought you were talking about AOL.

      The complex in Reston north of Sunset Hills and just east of Town Center Parkway is CIA; allegedly it was the office of development and engineering, but I have heard -- from admittedly random sources -- that a lot of CIA's HR activities are there, too. For years, CIA job applicants were instructed to send their resumes to a PO box in Reston, so that makes sense.

      The big green building in Chantilly off Rt. 28 is NRO, the National Reconnaissance Office, which controls the spy satellites etc. The NRO is and isn't part of the CIA. Depending on how you choose to look at it, it's either independent or not.

      In any case, this stuff is hardly secret; the NRO has a sign out front (Rt. 28 actually looks onto the back of the building), and their address is on their website.

  96. I find it hilarious you self-censored the Re: line by Ayanami+Rei · · Score: 1

    And you had the nerve to post AC.

    What a tool.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  97. Because you don't want a first time by Sycraft-fu · · Score: 1

    It is really bad to do security by a "what we needed to stop the last time" approach. Much better, when you know what you protect is valuable, to have good security straight off and never have to have it broken.

  98. Cash Prize by Anonymous Coward · · Score: 0

    For whoever locates "A" first.

  99. TerraServer Re:"A" is in Dulles, VA by mrmeval · · Score: 1

    And a look from above.
    http://terraserver.microsoft.com/addressimage.aspx?t=1&s=10&Lon=-77.41223707&Lat=39.03094526&Alon=-77.41223707&Alat=39.03094526&w=1&opt=0&ref=A%7c21345+Ridgetop+Cir%2c+Sterling%2c+VA+20166

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  100. Wow. by mindstrm · · Score: 1

    Pretty extremist you are.. we are talking about DNS here.... not hospitals or contract law.

    By the way, if you mismanage a server at the hospital and it kills someone, the hospital is held accountable, whether they choose to make you be is up to them.

    Holding people responsible is a tool, not a solution. Making that server your responsibility might make you pay more attention, or take your job more seriously, but it won't fix design flaws or make you less stupid.

  101. Re:The internet is, to a degree. The web is not. by raygundan · · Score: 1

    An excellent point. Although DNS still has to have a "root," and is by nature centralized-- there can still be plenty of redundancy. Centralization doesn't necessarily mean "reliance on a single box."

    Thanks for the clarification!!

  102. rates of change by billstewart · · Score: 1

    It's not a smooth linear or exponential thing - it's random and bursty. That's why I padded the numbers up.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  103. Oh, right, the NRO. by Ayanami+Rei · · Score: 1

    I remember seeing the sign now... sigh I feel like an idiot.

    And it's Sunrise Valley... NORTH of the Toll Road. I fucking live there man, don't tell me. If I get the names switched, forgive me. I never have to remember them (other than the fact I always mix them up when giving directions)
    I used to pass by that stupid CIA building every day to work. I also can't tell you how many times I slowed down when I saw that cop, only to realize it was "that guy" and blow by him.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  104. Re:Ahhh... So Surveillance Is Easy by The_K4 · · Score: 1

    No, but that's the IP address of the actual root machine, not a random address. So it would respond to the ping... it's kinda like a DDoS attack... I guess it wasn't that funny...

  105. One nuke in any of three places does the job. by Anonymous Coward · · Score: 0

    Incorrect! Look again. One nuke over Herndon, VA. (for example) would wreck it.