[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Edward Lewis Ed.Lewis at neustar.biz
Wed May 21 18:08:01 UTC 2008

At 17:06 +0200 5/21/08, Stephane Bortzmeyer wrote:

>AFAIK, there is no process to do so. Simon Waters said "Presumably
>ICANN will drop them from the root zone" which is, at this time, pure
>supposition. Among the difficulties: what level of brokenness should a

Ok, I'll bite in a sarcastic tense - we have already seen the 
effectiveness of dropping the (old) L root address from the hints 
file.  I.e., "drop them from the root zone" isn't an effective 
punishment while we have devices that have static root hints.

>root name server exhibits before being deleted? Not replying at all
>(not a big problem in practice)? Replying NXDOMAIN to every request
>(*that* would be vicious)?

"Vicious" would be replying with data incoherent with the other 
(ICANN) root servers.  NXDOMAINs would probably be rewritten by an 
ISP anyway.

Dropping into "old man" mode:

For a long while, a strength of the root server system was that it 
had no head, no central control, no responsibility, nothing tying all 
pieces together.  No one could take it over, no one could dismantle 
it.  The disorganized manner gave it reliability.

I've had a career in bureaucracies.  Bureaucracies have their 
failings - they are centrally managed, faceless, and lack agility. 
But there is a reason for their existence.  They maintain continuity, 
operate under public scrutiny and, with the exception of human abuse, 
can impart fair treatment.  They are the underpinning of the "rule of 

My acceptance of the status quo with regards to the root server 
system is somewhat uneasy because of the lack of bureaucracy.  Forget 
the chance that any of today's operators become rogue, do we know we 
can trust the next generation, and the next?  Root ops are hardly a 
group of a coherent opinion, what happens when the friction is sharp 

Perhaps we are coming to a point where the status quo root server 
system ought to be rethought.  Perhaps formalizing the relationships 
is due.  While the root server operators behave in a public trust, 
they do so in a veiled society.  As far as I know, meetings are not 
open, they have no reviews of policies.  While there are no problems 
at hand, there is no reason to question the situation, but once there 
is a problem someone will wonder who held the reins?

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
