[LINK] Top five reasons for Australia to Get a Root-Server.
Tom Koltai
tomk at unwired.com.au
Tue Oct 13 12:37:58 AEDT 2009
> -----Original Message-----
> From: Kim Davies [mailto:kim at cynosure.com.au]
> Sent: Tuesday, 13 October 2009 10:21 AM
> To: Tom Koltai
> Cc: link at anu.edu.au
> Subject: Re: [LINK] Top five reasons for Australia to Get a Root-Server.
>
>
> Quoting Tom Koltai on Tuesday October 13, 2009:
> | >
> | > While I find this highly unlikely, please share your
> | > empirical evidence and it will be addressed immediately. I am
> | > in a position to do so.
> |
> | It's a big job Kim. I have worked around the problem by using a
> | Maryland US based proxy DNS. Mainly because I got fed up with the
> | "page not found 404's" when I knew they were there.
>
> You have just proven that it has nothing to do with the DNS,
> let alone the root servers. DNS alterations will never give
> you a 404 message, or a "page not found" error, because 404
> is at the HTTP layer and requires a successful TCP connection
> be established with a web server. If the root zone was
> tampered to remove a delegation you would get a "Host not
> found" error.
Actually, you are correct. Host not found is definitely what I was
referring to. I don't know why I said 404s.
>
> | But here's a simple example - destination Akamai Whitehouse:
> |
> | Tracing route to e2561.g.akamaiedge.net [118.215.34.135]
<snip>
>
> What does this have to do with the root servers? Absolutely
> nothing. I have no idea what you are trying to illustrate
> except perhaps that Akamai has mirrors of the Whitehouse
> website in different places, and that you are surprised from
> different ISPs your traceroute goes to different mirrors.
>
I would have thought that all Australian routes would be travelling on
one of the four links out of the country.
For the Optus Looking glass to say - there is no ICMP route is initially
a routing error that somewhere along the chain must rely on a root
server.
If Optus are taking their root-server data from Singtel who then in turn
are recovering it from the Japanese based M Server, that would suggest
there is a serious disconnect in Australian routing. Not merely because
Optus and Telstra don't peer, because they do.
However, it may well be that Optus routing policy is dictated by
Singapore.
> | Actually anycasting of multiple IP numbers to multiple different
> | hosts.
>
Here I was actually referring to an attack method and not a defence
method.
> I am not sure if you know what anycast is, but it is
> precisely not using "multiple IP numbers", rather the
> contrary.
And yes, Ausnet Services was using this method for cache resolution in
two continents in 1995.
> Anycast was particularly attractive for adding more
> root server locations because there is a DNS technical limit
> that stops the creation of an "N", "O", "P"... root server.
> Anycast allowed the same IP address to be used at multiple sites.
>
> http://en.wikipedia.org/wiki/Anycast
>
> | If there is no difference between A to M and the clones of the
> | f-servers and k-servers, then why are BCDEGHJ still in America.
> | (Note I omitted the A and the F)
>
> So what about "J" being present in Sydney is considered
> "still in America"? Are you saying the operators of "J"
> should stop providing service in America?
>
I didn't know the "J" was replicated in Sydney. I really thought we were
on the F.
So I learned something.
> Perhaps what you are really asking is why are US-based
> organisations running these root server networks. Well, the
> answer is historical. The root server operators were assigned
> in a time when the Internet was rather US-centric and there
> has been no compelling reasons to kick out any of the
> operators because after almost 30 years, the DNS root server
> ecosystem has operated practically flawlessly.
>
> | If the anycast clones are just as good, why don't the originals get
> | redistributed and replaced with anycast clones?
>
> I don't get what you are saying... There is no difference
> between "originals" and "anycast clones". What is the
> distinction you are making? If an IP address is anycasted it
> is not as though some instances are anycasted, and some are not.
I beg to differ.
> | The key to the U.S. government's influence is a master list of
> | top-level domains that the California-based Internet Corporation for
> | Assigned Names and Numbers distributes to root servers, which guide
> | traffic to each one of those top-level domains. The U.S. Commerce
> | Department has final approval of the list.
>
> This comment refers to the contents of the root zone, not the
> root servers. I hope you realise they are two different things.
Yes and no.
> | Kim, one final question, can you categorically tell me that with the
> | anycast f-server you have any control over spam, phishing or malware
> | via email distribution?
>
> I have no control over those things, and nothing one could do
> in the root zone would impact them. Unless you want to delete
> an entire top-level domain to curb spam (I guess if you
> removed ".COM" or ".AU" you'd get less spam.)
>
OK I'm out of my depth. My experiments with caching the "J" root server
in Portland and Sydney in 1995 led me to a different understanding. (And
it was only 45 MB.)
Possibly technology has moved on to the point where Root Servers are not
the final arbiters of whether a spammer can deliver an email to
thousands of addresses.
> | I would posit that with our own root server, Australia would be able
> | to instigate a far more rigorous defence against these attacks.
> | Specifically if the new server was authoritative for all APNIC address
> | space.
>
> This makes no sense. Now I get a feeling you must be trying
> to pull a leg - you aren't equating IP addresses with
> top-level domains?
Again, I may have an older outdated understanding of how the technology
works.
> And for what it's worth, APNIC already funds a number of root
> server instances throughout the Asia-Pacific.
> kim
>
Thanks. I should do more reading.
Tom
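The layer distinction drawn in the quoted reply above (a 404 is an HTTP answer and needs a successful TCP connection to a web server, while a missing delegation surfaces as "host not found"), as an added Python example that is not part of the original message or written by either correspondent. The names `diagnose` and `start_404_server`, the local always-404 server and the `.invalid` hostname are constructed for illustration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class NotFoundHandler(BaseHTTPRequestHandler):
    """Constructed local web server that answers every GET with 404."""
    def do_GET(self):
        self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_404_server():
    """Start the constructed server on a free loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), NotFoundHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def diagnose(host, port=80, path="/", resolve=socket.getaddrinfo, timeout=3):
    """Return (layer, detail) naming the first layer at which the fetch stops."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Name resolution failed: no address, so no TCP and no HTTP status at all.
        return ("dns", f"host not found: {exc}")
    addr = infos[0][4][0]
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        # The name resolved, but no web server answered on that address.
        return ("tcp", f"connect to {addr}:{port} failed: {exc}")
    finally:
        conn.close()
    # Any status code, 404 included, proves DNS and TCP both succeeded.
    return ("http", status)

if __name__ == "__main__":
    server, port = start_404_server()
    print(diagnose("127.0.0.1", port, "/missing"))  # HTTP-layer answer
    print(diagnose("no-such-host.invalid"))         # DNS-layer failure
    server.shutdown()
```

The `resolve` parameter lets the lookup be swapped for a stub, so the DNS-failure path can be exercised without depending on the local resolver.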