DNS - slaving the root zone

Jeremy Chadwick freebsd at jdc.parodius.com
Fri Feb 17 20:35:44 UTC 2012


On Fri, Feb 17, 2012 at 02:41:57PM +0100, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
> 
> 
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.
> 
> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.
> 
> 
> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html
> 
> 
> Do you still believe slaving the root zone to be a bad idea?

The important thread (IMO) is actually here:

https://lists.dns-oarc.net/pipermail/dns-operations/2007-July/thread.html#1804

These are the people you should be asking this question to, given the
"announcement".  Folks like Paul Vixie and David Conrad.

Also, just a tip: given that at an old job I dealt with DoS and DDoS
attacks on our infrastructure on a near-daily basis (advice to public:
never run a public IRC server on a major network), I wouldn't be so
quick to dismiss the claim as "laughable".  Folks can bring up the
distribution of all the root servers, anycast, etc. all they want, but
nobody truly knows how "distributed" the DDoS will be.  Sit back and
think about that one for a little while, let it stew in your mind.

Rest assured, if what is being proposed turns out to be accomplished,
you will be quite surprised at how many large Fortune 500 companies and
financial organisations are impacted by it.  I can't go into details,
but I can assure you with utmost certainty that many of them rely on
Internet transit for very important transactions -- most of which use
DNS-based lookups for all sorts of things.  Given the state of IT in
general these days, chances are very few companies have thought ahead in
this case.  Though DNS may not simply break 100% (duh), failed lookups
and "oddities" occurring all over the place would be likely.  If you've
ever worked at a large corporation, you'll know how easy it is for
people to incorrectly assess reasons for outages -- it wouldn't surprise
me if it took said companies 24-48 hours to figure out what was truly
the root cause.

TL;DR -- don't be hasty when it comes to threats on the Internet on such
a large scale.  It's amazing the infrastructure we have today works at
all anyway.

-- 
| Jeremy Chadwick                              jdc at parodius.com |
| Parodius Networking                     http://www.parodius.com/ |
| UNIX Systems Administrator                 Mountain View, CA, US |
| Making life hard for others since 1977.             PGP 4BD6C0CB |