[dns-operations] FreeBSD and the slaving of the root zone

Kurt Erik Lindqvist kurtis at kurtis.pp.se
Thu Aug 2 08:23:28 UTC 2007 

For the record, I don't consider myself very 'DNS-capable', I might  
be the CEO of a company that do have a lot of people who are DNS- 
capable though. However, I do know something about operations in  
general...

On 1 aug 2007, at 04.45, Doug Barton wrote:
>
> First, yes I am the one responsible for this change in the default
> named.conf for FreeBSD 7 (soon to be 7.0-RELEASE) and 6-STABLE (soon
> to be 6.3-RELEASE). Second I'd like to address David's point about it
> being rude to do so without prior coordination. If I have offended the
> operators of B, C, F, G or K (or any of the others for that matter) I
> apologize. That was certainly not my intention. If the operators of
> those servers ask to have them removed I will do so at once.

On a side note I will offer the observation that even firmware  
manufacturers now contact ntp-server operators before introducing the  
servers in the code...

> There is another element of this that is not mentioned in the paper
> but was alluded to in this thread by Jason Fesler (and others). Namely
> the overall benefit of having one server slave the root zone and then
> in turn slave it out to a network of resolvers. Whether the benefits
> to a local resolver outweigh the costs is an open question, but I can
> say that it has a lot of benefits on a busy network like Yahoo!'s
> since I was the one who set this up when I was the DNS Administrator
> there. Nice to hear that they are still seeing some benefit from it.

If this is the second most important reason for the change, I would  
like to point out that this requires more intervention and set-up  
than your change of default configuration, and the change you have  
committed as a new default is probably a minor issue in building this  
set-up.

> It's probably also worthwhile to put what this change means in a
> larger context. This change is in the default named.conf, but named is
> off by default in FreeBSD. Users have to take an affirmative step to
> enable it, and they are of course able to make changes to named.conf
> as they see fit. I included the instructions in the comments on how to
> change back to a hint zone if they would prefer. And while I'd like to
> think that there are probably "millions" of FreeBSD users out there,
> only those who enable named and use the default conf file (or at least
> this part of it) will actually be slaving the zones.

I think you hold users, even of FreeBSD, at a very high regard. I  
think that most people will either upgrade from an existing system  
and just copy their rc.conf files over and get this new 'feature'  
wether they want it or not. As Paul points out, firewall rules or  
other reasons might very well give them a stale zone and they might  
(most likely) never notice.

> Before addressing the details I'd also like to point out that just on
> this list, where there are plenty of people who have more knowledge
> and experience than I do, the opinions are pretty sharply divided. To
> me that indicates that the "right" answer probably needs more
> discussion and experience to illuminate itself. So let's take a shot
> at it ..

So do you believe that that disagreement is encouragement to changing  
the default configuration to be contradictory to the default  
configuration as the software package ships? Personally I would not  
change default configurations when redistributing software at all,  
but hey that is just me...

> Yes, it is theoretically possible that all 5 roots that are currently
> offering AXFR would stop, but I don't see that as likely. I certainly
> pay pretty close attention to these things, as do many others in the
> FreeBSD community whose names y'all might not know. Also, if you
> accept the premise that the poor innocent users who will be bamboozled
> by this change will be so by virtue of the fact that they are blindly
> accepting config file changes in the base, then it follows that for
> those that upgrade, the problem is self correcting. For those that
> don't, I particularly like David Conrad's quote about the problem
> being, "self-immolating, thus self-remedying."

Interesting view on use-ability. If this is truly the view of the  
FreeBSD developers - I'll start looking else-where....

> I won't presume to be the last word on the effects of DDoS attacks on
> the root, others here are more qualified, and have already spoken. I
> will say however that it is an inevitable fact of life that attacks
> will become more sophisticated, more overwhelming, and more successful
> as time goes on. It is, and always has been, an arms race. Therefore
> solutions that take away a point of vulnerability deserve serious
> discussion. It's also worth pointing out that these attacks have not
> had much impact on the 'net as a whole, they are devastating to those
> who are actually affected by them.

As was pointed out elsewhere in this thread, your change will  
introduce more vulnerabilities to attacks than they will help  
mitigate. IMHO you have less servers to retrieve the zone information  
from and prefix hijacking will potentially have a larger impact.

> Along this line I think Peter Dambier had excellent things to say
> about authoritative zones not being subject to cache poisoning, and
> local networks with erratic connectivity. If I can expand on the last
> bit (and sadly introduce some layer 9 issues), one of the things that
> you hear regularly in the WSIS context are leaders of emerging nations
> insisting that they must have a "root server" in their country.
> Misunderstandings about what that means aside, encouraging people who
> might have bad connectivity to the "outside world" but good
> connectivity locally to reduce their dependence on that outside world
> is probably a good thing, and might even stave off some of the
> political drama.

So this change was done as statement in the Internet governance  
discussions or not? The above paragraph leaves me seriously puzzled.  
Introducing 'rough' root-servers leads to more operational problems,  
and already have. I fail to see why this should be encouraged,  
although the change introduced by you is slightly better than just  
hijacking the prefixes. Further, having been involved in the  
Internetgovernance discussions, I don't think the issue of latency  
have ever been given as the reason for having local root-servers.  
Political reasons their have been plenty off, so I assume you  are  
saying this is a political statement. I fht FreeBSD developers are  
interested in making political statements I would appreciate if they  
didn't do so with my production operating system.

> I personally don't want to deal much with the privacy question since I
> think that's too far off topic for this list. However thinking again
> about citizens in those emerging nations, the root server operators
> will not be the only ones who might be interested in those queries;
> even if we all agree that the root ops capturing, and they and others
> analyzing that traffic is a good idea.

I fail to see why DNS queries would reveal something that the actual  
*traffic* to that destination wouldn't....along the same reasoning we  
should all get our own copies of the Google database....

> I think it's also worth noting that part of the heat (as well as the
> light) surrounding this topic involves a clash between "older" and
> "newer" Internet cultures, where "older" means "more centralized" and
> "newer" means "more locally autonomous."

Honestly I fail to see that.

> One of the questions that I don't know how to answer is that of
> whether the "crap" traffic is an overwhelming problem (and therefore
> worth trying to mitigate) or not. My read of the root operator
> community is that on a good day they are fairly schizophrenic, both
> individually (in some cases) and collectively (in many cases). :) That
> is to say, back when AS112 was created the crap traffic to the roots
> was considered to be a problem overwhelming enough to warrant throwing
> non-trivial resources at.

We have also added a lot of capacity with anycast for various reasons  
since then. That is not the same as saying I don't think the AS112  
project adds value, it does. But as was already pointed out, DDoSes  
seems to dwarf the crap traffic.

- kurtis -

More information about the dns-operations mailing list