From: Jeremy Chadwick
To: Damien Fleuriot
Cc: dougb@freebsd.org, "freebsd-questions@freebsd.org"
Date: Fri, 17 Feb 2012 12:22:32 -0800
Subject: Re: DNS - slaving the root zone
Message-ID: <20120217202232.GA86762@icarus.home.lan>
In-Reply-To: <4F3E5925.8020004@my.gd>
References: <4F3E5925.8020004@my.gd>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Fri, Feb 17, 2012 at 02:41:57PM +0100, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
>
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.
>
> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.
>
> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html
>
> Do you still believe slaving the root zone to be a bad idea?

The important thread (IMO) is actually here:

https://lists.dns-oarc.net/pipermail/dns-operations/2007-July/thread.html#1804

These are the people you should be asking this question to, given the
"announcement". Folks like Paul Vixie and David Conrad.

Also, just a tip: given that at an old job I dealt with DoS and DDoS
attacks on our infrastructure on a near-daily basis (advice to public:
never run a public IRC server on a major network), I wouldn't be so quick
to dismiss the claim as "laughable". Folks can bring up the distribution
of all the root servers, anycast, etc. all they want, but nobody truly
knows how "distributed" the DDoS will be. Sit back and think about that
one for a little while, let it stew in your mind.

Rest assured, if what is being proposed turns out to be accomplished, you
will be quite surprised at how many large Fortune 500 companies and
financial organisations are impacted by it. I can't go into details, but
I can assure you with utmost certainty that many of them rely on Internet
transit for very important transactions -- most of which use DNS-based
lookups for all sorts of things. Given the state of IT in general these
days, chances are very few companies have thought ahead in this case.
Though DNS may not simply break 100% (duh), failed lookups and "oddities"
occurring all over the place would be likely.

If you've ever worked at a large corporation, you'll know how easy it is
for people to incorrectly assess reasons for outages -- it wouldn't
surprise me if it took said companies 24-48 hours to figure out what was
truly the root cause.

TL;DR -- don't be hasty when it comes to threats on the Internet on such
a large scale. It's amazing the infrastructure we have today works at all
anyway.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |