[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200309181600.h8IG0uOQ021761@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Petition against VeriSlime's DNS abuse
On Thu, 18 Sep 2003 09:01:27 EDT, "Jonathan A. Zdziarski" said:
> * Establish a new set of root servers and top level registry
> * Publish a new root server list over 80% of ISPs will likely use,
> resulting in Verisign's root servers to become obsolete
> * Provide the legal and financial backing it will take to
> accomplish this
The financial backing is non-trivial. You're going to need some pretty
serious big iron, and some pretty bad-ass bandwidth. Remember - there's
13 root server addresses - and most of them are anycast, meaning there's
actually like 5-10 identical copies all over the place. So be ready to
pay for 20-30 machines that have *real* reliability - you don't want to
be trying this with a Dell 2U rackmount.
http://www.caida.org/~kkeys/dns/2002-08-14/2002-08-14-queries.png
That's normal traffic. 5K queries/second per server. That's a 10-minute average,
so statistically you're going to have short bursts of MUCH higher that you need
to handle to keep the latency down.
Did I mention that you need to have enough muscle to survive a DDoS attack?
"Filter it all at the upstream" isn't a viable defense when you're a root nameserver,
since if you don't answer, things start to suck.
Oh.. and you'll need trusted and experienced people, and be willing to pay them.
And this is overlooking the fact that it isn't the root servers that are the problem.
Those have been rock solid and remarkably controversy free. In fact, the root
is *SO* solid that in close to 20 years, the *biggest* controversy was that Postel
switched the primary one night without written permission - by feeding a different
root server the same exact config file and letting it propagate it rather than the
usual server that did the propagation.
Your culprits are elsewhere:
Don't like the selection of top-level domains? Talk to ICANN.
Don't like how a TLD is run? Talk to ICANN and the administrator of that TLD.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030918/15035835/attachment.bin
Powered by blists - more mailing lists