[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
drc at virtualized.org
Fri May 23 17:06:13 UTC 2008
[I had promised myself and others I wouldn't post on this topic
further. I am breaking that promise because I believe Daniel is
trying to obfuscate a sucking chest wound in the Internet architecture
with platitudes and handwaving. I'm weary of it. This will be my
last post as I will be filtering out this subject line in the future.]
On May 23, 2008, at 1:15 AM, Daniel Karrenberg wrote:
> We have independent, clearly defined, open and transparent
> governance processes for this.
Can you provide me with the URL where these processes are clearly defined?
> addition to this blatant example it is important to realise, that any
> DNS name server operator is rightfully held accountable for the
> of service at the network layer address of its service.
Could you point me to your published service level guarantees? How
about the mechanisms, including penalties, that would encourage you to
remedy the situation in the event that RIPE-NCC does not live up to
those service metrics? How about your policies or statements about
not modifying root zone data as it is presented to the root servers?
A statement about non-discriminatory access (e.g., refusing to serve
requests from a particular community)? How would, say, a TLD operator
who had operational issues because a root server failed to update
their zone in a timely manner (which has occurred on several occasions
when I was at IANA) go about getting compensated for lost business or
> my perception of your line of reasoning is that centralised control by
> ICANN may look more convenient to you and that you support the efforts
> of ICANN to implement such control through contracts or through ICANN
> having authority over the IP addresses of the root name servers.
I will point out again that nowhere have I stated that I believe
ICANN should have contracts or centralized control (in fact have
suggested the opposite). This is a very tired old red herring.
If you actually read what I wrote, I am arguing that the IP addresses
for the root servers be fixed by the IETF (not ICANN). I specifically
did not raise the topic of how an organization would be disassociated
or (re-)associated with one of the IETF-defined "golden" root server
addresses as I pointed out that is a layer-9 issue. I did not say that
ICANN would even have a role in that disassociation/(re-)association
The reaction from individuals within the root server community to this
suggestion is to treat it as a threat or to attack me personally as
being on a "warpath" or engaging in "dismissive derisive sarcasm". As
I said, this is not unexpected -- historically, any attempt to change
the status quo in a monopolistic system results in remonstrations that
everything is working fine the way it is (despite evidence to the
contrary), complaints of ulterior motives, FUD-spreading, etc. Seen
it in the telco world and other businesses, it isn't too surprising to
see it here.
> Let us not take things out of proportion. DNS (root) name service has
> been reliable and highly available for decades.
Indeed, and I'm sure we're all quite thankful (honestly) that the root
server operators, by and large, have done a reasonable job since there
is nothing that actually requires them to do so. Of course, this
wasn't always the case and every now and then there are issues, but by
and large, things work OK. At least for now.
"Past behavior does not guarantee future performance."
> Both operation and governance have evolved successfully.
I would agree that operation has evolved. Heck, I remember when the
root servers weren't anycast (and your arguments that everything was
fine back then too). I would be very interested in seeing how you
might justify the statement that "governance has evolved
successfully." You appear to be saying "the root server operators
work fine, except when they don't and everything is open, transparent
and accountable, except when it isn't. So everything is good and
nothing needs to change." I find this sad.
In any event, when I responded to this thread, I was under no illusion
that anything would actually change. Even if the IETF were to come
out with a "golden" root server address RFC, I am certain you and
others would refuse to abide by it, coming up with some platitude-
filled rationalization. And there is nothing short of US government
intervention that could actually be guaranteed to do anything about
Now that's irony.